The context in which hospitals process personal data has changed with the requirements of the General Data Protection Regulation (GDPR) and advances in hacking and other cyber-attack capabilities. However, the pace of change in hospitals’ policies, procedures and practice has often not matched the external pace of change, and hospitals need more support to better protect their patients’ data and their institution. A key, recognised barrier for change in healthcare settings is a lack of sufficient funding. Despite this challenge, this article outlines five essential improvements that hospitals can make using their internal resources or with limited investment in external expertise to close known gaps in data protection and cyber-security.
- Improve employee training and awareness
Staff in hospitals and other healthcare settings prioritise effective and efficient patient care. Information governance or data protection policies and protocols can add extra steps to patient care, and employees need training and support to understand the reasons for and potential positive impacts of these new policies. For example, the number one cause of data breaches in hospital settings is human error (e.g., entering incorrect addresses). Providing training that integrates specific examples in the areas of speech privacy, patient record management or workstation security can generate better buy-in from employees and support them in improving data protection and cyber-security.
- Improve public-facing notices
Providing sufficient information to patients and other data subjects about the personal data to be collected, the purpose of the data processing and how the personal data will be stored and shared is a key requirement of data protection legislation. Improving privacy notices, consent forms and even cookie notices can support better transparency for data subjects in healthcare settings.
- Improve accountability mechanisms
The 2018 Data Protection Commission report on the Irish hospital sector found that improvements were needed in hospitals’ policies, procedures and practices to bring them in line with data protection requirements. In some cases, the report found that although practice was not problematic, the lack of a recorded, and auditable, policy to govern that practice was a gap. Furthermore, sufficient policies are only one piece of the puzzle: in order to avoid negative consequences, organisations must create a monitoring framework to demonstrate that they confirm regularly, through audits, that established policies and procedures are being adhered to by staff.
- Improve physical security
Hospitals and other healthcare buildings are often older and suffer from a lack of sufficient investment in data security. For example, some hospitals’ record rooms are not fitted with electronic locks, and others are left unlocked all day to facilitate employees’ quick access to medical records throughout their shift. Furthermore, the transport of patient records within or between departments can also be insecure, for example using open trolleys or tasking unauthorised individuals with record transfer. Both of these practices can leave records exposed to potential unauthorised access. Simple improvements in physical security, access logging and record transport and removal can close many of these gaps and improve data protection compliance.
- IT System optimisation
The UK Information Commissioner’s Office has established that healthcare organisations are a clear target for phishing, hacking and other cyber-security attacks. However, hospital IT systems are often outdated and unsuited to managing these dynamic threats. Nevertheless, optimising the capabilities of IT systems with access controls, “timing out” features, two-factor authentication and other protocols can provide better support in ensuring that only authorised individuals have access to electronic patient records. Confirmation message “pop-ups”, junk mail filters and other tools (alongside employee training) can also cut down on the success of phishing and other social engineering cyber-attacks. Reviewing SLAs and other agreements with third-party software suppliers and pointing out gaps can also encourage software vendors to provide complementary feature upgrades that support better information security.
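To make the three controls named above concrete (role-based access control, an idle “time-out”, and a second factor at login), here is an added illustrative example that is not part of the original article and does not come from any real hospital system. It wraps access to an electronic patient record store so that every request is checked against those three conditions and every decision, allowed or denied, is written to an audit log that an information governance review could later inspect. The role names, the 15-minute time-out, the record identifiers and the clock helper are all assumptions chosen for the example.

```python
"""Illustrative gateway in front of an electronic patient record (EPR) store.
Added example: every value and role below is an assumption for demonstration."""
import time
from dataclasses import dataclass

# Assumed policy value: sessions idle for longer than this are refused.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Assumed minimal role model: which actions each role may perform on records.
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "records_clerk": {"read"},
    "reception": set(),  # may manage appointments, not clinical records
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool   # second factor completed at login
    last_activity: float  # epoch seconds of the last accepted request


class FakeClock:
    """Constructed stand-in for time.time() so the idle window can be simulated."""

    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now


class PatientRecordGateway:
    """Checks MFA, idle time-out and role before any record access, and logs it."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the time-out can be tested
        self.audit_log = []     # append-only list of decision entries

    def access(self, session: Session, record_id: str, action: str):
        """Return (allowed, reason). Checks are ordered cheapest-first and a
        denial never touches the record store, so nothing leaks on failure."""
        now = self.clock()
        if not session.mfa_verified:
            return self._decide(session, record_id, action, now, False, "mfa_not_verified")
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            return self._decide(session, record_id, action, now, False, "session_timed_out")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            return self._decide(session, record_id, action, now, False, "role_not_permitted")
        session.last_activity = now  # accepted activity extends the idle window
        return self._decide(session, record_id, action, now, True, "ok")

    def _decide(self, session, record_id, action, now, allowed, reason):
        # Every decision is recorded, including denials, to support audits.
        self.audit_log.append({
            "ts": now, "user": session.user, "role": session.role,
            "record": record_id, "action": action,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason


def run_demo():
    """Walk through the three checks with constructed sessions; returns the log."""
    clock = FakeClock(start=1_000.0)
    gateway = PatientRecordGateway(clock=clock)

    clinician = Session("dr_example", "clinician", True, clock.now)
    gateway.access(clinician, "MRN-EXAMPLE-1", "update")   # allowed

    reception = Session("desk_example", "reception", True, clock.now)
    gateway.access(reception, "MRN-EXAMPLE-1", "read")     # role_not_permitted

    no_mfa = Session("clerk_example", "records_clerk", False, clock.now)
    gateway.access(no_mfa, "MRN-EXAMPLE-1", "read")        # mfa_not_verified

    clock.now += 16 * 60                                   # 16 idle minutes pass
    gateway.access(clinician, "MRN-EXAMPLE-1", "read")     # session_timed_out
    return gateway.audit_log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The ordering of the checks matters: the time-out is evaluated before the role check so that a stale session is refused even for a fully authorised user, and the idle window only advances on accepted requests, so a stream of denied attempts cannot keep a session alive. The audit log gives the monitoring framework described under accountability something concrete to review.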
Increases in funding for IT Security, data protection compliance and information governance are a key requirement for the healthcare sector. However, other support measures can be used to improve data governance and security mechanisms in the absence of large injections of funding. Our Data Protection and Cyber-risk team has significant experience helping hospitals and other healthcare organisations to improve their compliance in a cost-efficient manner. Contact us for more information on how we can help.