Recently, the context in which hospitals process personal data has changed. On the one hand, the General Data Protection Regulation (GDPR) imposes new rules and regulations on personal data processing. On the other hand, advances in hacking and cyber-attacks constitute an unprecedented threat. However, the pace of change in hospitals’ policies and procedures has often not matched the external pace of change, and hospitals require more support to better protect their patients’ data.
A key, recognised barrier for change in healthcare settings is a lack of sufficient funding. In light of this challenge, this article outlines five essential improvements hospitals can make using their internal resources or with limited investment in external expertise, in order to close known gaps in data protection and cyber-security.
- Improve employee training and awareness
Staff in hospitals and other healthcare settings prioritise effective and efficient patient care. However, data protection policies and protocols can add extra steps to patient care. As a result, employees require training and support to understand the reasons for and positive impacts of these new policies. At present, the number one cause of data breaches in hospital settings is human error (e.g., entering incorrect addresses). This demonstrates the need for targeted training: training that integrates specific examples in the areas of speech privacy, patient record management and workstation security can generate better buy-in from employees to support and improve cyber-security practices.
- Improve public-facing notices
Providing sufficient information to patients and other data subjects that outlines what personal data will be collected, how it will be stored and/or shared, and the purpose of the data processing is a key requirement of data protection legislation. Improving privacy notices, consent forms and even cookie notices can support better transparency for data subjects in healthcare settings.
- Improve accountability mechanisms
The 2018 Data Protection Commission report on the Irish hospital sector found that improvements were needed in hospitals’ policies, procedures and practices to bring them in line with data protection requirements. In some cases, the report found that while practices themselves were not problematic, there was a lack of a recorded and auditable policy to govern those practices. Furthermore, sufficient policies are only one piece of the puzzle. In order to avoid negative consequences, organisations must create a monitoring framework to demonstrate that they confirm regularly, through audits, that established policies and procedures are adhered to by staff.
- Improve physical security
Hospitals and other healthcare buildings and infrastructure are often older and suffer from a lack of sufficient investment in data security. For example, some hospitals’ record rooms are not fitted with electronic locks, and others are left unlocked throughout the day to facilitate employees’ quick access to medical records for the duration of their shift. Furthermore, the transport of patient records within or between departments can also be insecure, for example, using open trolleys or tasking unauthorised individuals with record transfer. Both of these practices can leave records exposed to unauthorised access. Simple improvements in physical security, access logging and record transport and removal can close many of these gaps and improve data protection compliance.
- IT System optimisation
The UK Information Commissioner’s Office has established that healthcare organisations are a frequent target for phishing, hacking and other cyber-security attacks. However, hospital IT systems are often outdated and unsuited to managing these dynamic threats. Nevertheless, optimising the capabilities of IT systems with access controls, “timing out” features (automatic session lock-out after a period of inactivity), and two-factor authentication can provide better support in ensuring that only authorised individuals have access to electronic patient records. Confirmation message “pop-ups”, junk mail filters and other tools (alongside employee training) can also cut down on the success of phishing and cyber-attacks. Reviewing SLAs and other agreements with third-party software suppliers can also encourage software vendors to provide complementary feature upgrades that support better information security.
Increases in funding for IT security, data protection compliance and information governance are a key requirement to ensure compliant records management in the healthcare sector. However, other support measures can be used to improve data governance and security mechanisms in the absence of large injections of funding.
Trilateral’s Data Governance and Cyber-Risk Team has significant experience helping healthcare organisations implement measures that meet their operational needs and protect the rights of the patients they care for. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to facilitate ongoing compliance. Please feel free to contact our advisors, who would be more than happy to help.