The National Health Service (NHS) has 1.7 million workers across the UK and sees one million patients every 36 hours, generating vast amounts of sensitive data. It is the fifth largest employer in the world, behind McDonald's, Walmart, the US Department of Defense and China's People's Liberation Army. One of its biggest issues is staff shortages and turnover, with thousands of vacancies across clinical, nursing and admin roles at any one time.
This level of churn places a huge amount of strain on front-line and back-office functions, and it directly affects both access control and data integrity. For the NHS to maintain its integrity, these controls need to work effectively, so that staff have access to the right information at the right time whilst sensitive data and confidentiality remain a top priority.
Integrated Care Systems bind the NHS to local authorities and social services. Together, more than 200 NHS Trusts need to work with many partners and agencies to deliver coordinated, joined-up patient care. This adds to the complexity of data security, and by 2025 the annual growth rate of healthcare data is predicted to reach 36%. An effective identity and data security structure is crucial to providing the infrastructure to operate efficiently, especially in the unstructured data space.
Cyber threats in healthcare
The average healthcare breach costs £6.6 million and healthcare data breaches are likely to triple throughout 2021. Any breach within the NHS could potentially have a detrimental effect. Data security therefore needs to be the beating heart of the NHS structure.
NHS security leaders need to understand how information is being used and who has access to it. It is vital that the NHS has control over the information and data it holds. What's more, it also needs measures in place to protect that data from inappropriate use. It needs to know if and when there has been a data breach, and how to act on it as soon as it becomes aware of an infringement.
Time is of the essence here. Without sufficient safeguards in place, it can take weeks or months to detect an unauthorised data breach, with no way of knowing what information has been accessed.
Regulations and governance
The NHS has some of the most stringent regulations in place to protect sensitive data. The Data Protection Security Toolkit (DPST) is just one element of control over access to NHS data. The online self-assessment tool allows organisations to measure their performance against the National Data Guardian's 10 data security standards. All organisations that have access to NHS sensitive data and systems need this toolkit to provide assurance that they are practising good data security and that personal information is being handled correctly.
The National Data Guardian is an independent body that oversees patient data and acts as a safeguard on the use of information. It allows patients to participate in the national data opt-out, indicating that they do not want their confidential patient information to be shared for purposes beyond their care across the health and care system in England. On top of that, the NHS has to comply with the GDPR, which regulates how organisations gather, use and manage personal data. The seven Caldicott Principles also provide the overriding governance rules that dictate how the NHS gathers, stores and uses sensitive information. Of course, none of this is possible unless the NHS has a full and transparent understanding of what is happening to its data.
Data governance and the future of digital work
An NHS Trust has potentially millions of documents in hundreds of thousands of folders, across multiple repositories both on premises and in the cloud. This is typically "unstructured data", which accounts for around 80% of the total data that a trust holds, and which quickly becomes impossible to manage. Some of the common themes we see are personally identifiable and sensitive information being stored in the wrong place, over-permissive access to sensitive data, no centralised identity governance process, no auditing of access, no monitoring of privileged account use, and data being held outside of a retention policy.
The key is to ensure that the NHS can classify its data and put processes in place to manage access to it. Understanding the types of data, knowing where it is, and providing adequate controls are all vital aspects of adhering to the DPST, the Caldicott Principles and GDPR governance. This allows organisations to know who has access to each level of data sensitivity, and enables them to build an up-to-date asset register. Visibility into where all of the sensitive data resides, who has access to it, and what auditing is in place is crucial to understanding where any vulnerabilities may lie, and subsequently to mitigating inappropriate use or a cyber attack such as ransomware.
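The three themes above (sensitive data stored in the wrong place, over-permissive access, and data held beyond its retention period) can be turned into a repeatable check over a file estate. The following is an added example written for this page, not code from the NHS or from any vendor. It assumes two constructed detectors (the NHS number with its modulus-11 check digit, and a UK National Insurance number pattern), a caller-supplied flag marking which repositories are approved for sensitive data, a placeholder retention period of 2555 days, and POSIX permission bits as the access model; a real estate would swap in its own classifiers, ACL model and retention schedule.

```python
import os
import re
import stat
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed detectors for two identifiers common in NHS unstructured data.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
NI_NUMBER_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def nhs_number_valid(digits: str) -> bool:
    """Modulus-11 check digit used by NHS numbers (weights 10..2 over the first 9 digits)."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # no valid number produces this remainder
    return check == int(digits[9])


def classify(text: str) -> set:
    """Return the sensitivity labels found in a document body."""
    labels = set()
    for m in NHS_NUMBER_RE.finditer(text):
        if nhs_number_valid("".join(m.groups())):  # check digit cuts false positives
            labels.add("nhs_number")
    if NI_NUMBER_RE.search(text):
        labels.add("ni_number")
    return labels


@dataclass
class FileRecord:
    path: str
    content: str
    mode: int             # POSIX permission bits, e.g. 0o644
    owner: str
    modified: datetime
    approved_store: bool  # True if the repository is sanctioned for sensitive data


@dataclass
class Finding:
    path: str
    issue: str


def audit(records, retention_days: int, now: datetime):
    """Apply the three checks from the text to every record and collect findings."""
    findings = []
    cutoff = now - timedelta(days=retention_days)
    for rec in records:
        labels = classify(rec.content)
        if labels and not rec.approved_store:
            found = ", ".join(sorted(labels))
            findings.append(Finding(rec.path, f"sensitive data ({found}) outside an approved store"))
        if labels and rec.mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(Finding(rec.path, f"over-permissive: mode {oct(rec.mode)} grants access to everyone"))
        if rec.modified < cutoff:
            findings.append(Finding(rec.path, f"held beyond the {retention_days}-day retention period"))
    return findings


def records_from_directory(root: str, approved_store: bool):
    """Build FileRecords from a real directory tree (text files only, read best-effort)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    body = fh.read()
            except OSError:
                continue
            records.append(FileRecord(full, body, stat.S_IMODE(st.st_mode), str(st.st_uid),
                                      datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                                      approved_store))
    return records


def demo_findings():
    """Run the audit over constructed records (placeholder data, not real patients)."""
    now = datetime(2021, 6, 1, tzinfo=timezone.utc)
    recent = now - timedelta(days=30)
    stale = now - timedelta(days=3000)
    records = [
        # Valid NHS number on a shared drive that is not an approved store, world-readable.
        FileRecord("/shared/clinic/notes.txt", "Patient 943 476 5919 seen today.", 0o644, "jsmith", recent, False),
        # Same number inside the approved records system with tight permissions: no finding.
        FileRecord("/ehr/records/943.txt", "NHS 9434765919", 0o600, "ehr", recent, True),
        # A ten-digit order number that fails the check digit: not classified as sensitive.
        FileRecord("/finance/orders.csv", "order,1234567890,paid", 0o640, "finance", recent, False),
        # An NI number in a 3000-day-old HR export: misplaced and outside retention.
        FileRecord("/hr/export-2013.csv", "AB123456C,Jane", 0o600, "hr", stale, False),
    ]
    return audit(records, retention_days=2555, now=now)  # 2555 days is a placeholder period
```

Run `demo_findings()` to see four findings: two against the shared-drive note (misplaced and world-readable), none against the approved records system or the finance file, and two against the stale HR export. The same `audit` function works over `records_from_directory(root, approved_store)` output for a real tree; the point of the design is that classification (what the data is), location (whether the store is approved), permissions (who can reach it) and age (retention) are evaluated together per object, which is what the asset register described above needs.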
Data is key
Lost or stolen sensitive information can cause irreparable reputational harm, undermining a trust that is vital to patient welfare. That is why data governance is at the heart of the NHS. Improperly managed, the data can overwhelm a structure like the NHS: it becomes unwieldy and impossible to control, especially given the vast growth in data that is only going to continue.
Data is the heartbeat of the organisation, and it needs to be secured and monitored effectively. With everything aligned, streamlined and controlled, the data can ensure the NHS continues to provide such critical treatment and services without disruption.