Integrated care systems need integrated security, says medical IT expert
Chief clinical information officers must be given more powers to tackle the risks of integrated care models to stop them being undermined by security breaches, writes Saif Abed, Imprivata's medical director for Europe, the Middle East and Africa.
Chief clinical information officers need to be empowered to tackle security issues - Photo credit: Pixabay
Imagine a perfect recipe for a new model of care.
A well thought out local digital roadmap to improve efficiency through IT, a forward thinking acute trust, collaborative partners across care settings and a novel, vanguard model, all combine to create a project with the potential to achieve local and national integrated care objectives.
But then a massive clinical data breach strikes, patient data is compromised and the project collapses. It misses the chance to help transform care for thousands or even millions of patients.
With Sustainability and Transformation Plans, the Five Year Forward View and ambitious local projects across the country leading the way for population based care, the NHS is on the brink of success for integrated health economies.
The country cannot let this hard work be undermined by avoidable security risks.
New security challenges of integrated care mobility
The realisation of genuine integrated care carries with it inherent data security challenges – and ones that have not before appeared in quite the same form.
Integrated care means more clinics moving from the hospital to the GP surgery. It means more specialist clinicians carrying out home visits, or moving between multiple hospitals. There will be more hybrid nursing, more community nursing and a much greater reliance on mobility, outside of the four walls of a clinic.
The only way we can manage the health of entire populations is if we have a more mobile workforce, but we still need to have the same elite standards of security, while providing professionals with the right information, at the right time, wherever they need it. So how can a balance be struck?
Mobility, clinical workflow and security are the three key elements to creating any integrated care strategy, whether that’s one at a local level or one being driven nationally.
A great deal of progress has already been made around clinical workflows in relation to technology since the end of the National Programme for IT. Similarly forward-thinking sites are now starting to tackle the challenge of mobility, so that more patients are managed in the community.
But security has received the least attention and is to date the most deficient area of the three pieces of the puzzle. We are only now seeing real security investment come into fashion as a result of threats seen in the US and some EU states recently and as a result of advice from bodies like GCHQ to improve security standards.
More recently there have been calls for action from the Care Quality Commission and Fiona Caldicott’s Office of the National Data Guardian. They have urged the NHS to take steps ahead of reviews of NHS organisations’ data security. And health secretary Jeremy Hunt has insisted that the NHS has “has not yet won the public’s trust”, when it comes to handling their data.
Humans and technology
Technology is not the biggest weakness in data security – the biggest weakness is the human factor. This is one of the main reasons we are still seeing data breaches and fines imposed on the NHS from the Information Commissioner’s Office.
It is true that more cumbersome technologies can lead to problems that effective IT in an integrated care chain would avoid.
Take, for instance, the slow log-on times that often frustrate clinicians when they insert their smartcard to access patient information. If they don’t have fast user-switching systems in place, doctors may leave smartcards in the system. This avoids slowing down clinical workflows, but creates security risks, with the potential for inappropriate access to information from colleagues and the loss of an audit trail.
But, in reality, the way people handle data, and how they access devices, is often the challenge. The vast majority of data breaches take place because of humans mishandling information, not because of a cyber hack.
Empowering leaders to tackle security challenges
Just as the human factor is the biggest weakness, it also offers the answer to data security risks, including the new challenges presented by integrated care. The NHS must now empower the right people to tackle security challenges.
At present, many parts of the NHS do not even have a chief information security officer or a senior information risk owner. This must change, and is a call that has been emphasised by calls for such a role at board level from the CQC and Caldicott’s office.
Chief clinical information officers can also play an extremely important role here, and are in many ways the most useful people in an NHS organisation to get major IT projects adopted, engaged and used in a way that is useful for patients.
But so often CCIOs are not given the executive powers needed to make the most difference – and this needs to change, and quickly.
CCIOs are simply not being invited to participate as effectively as possible. As someone who has worked in the NHS as a doctor, and who now works in the supplier community, I have seen from both sides how there is often a need to reach out to the CCIO for them to take part in a meeting.
Moreover, CCIOs need to be given the executive powers to lead. The same is needed for SIROs, so that clinical flows, mobility and security are not addressed in isolation.
The NHS must not pigeonhole clinicians and information security leads to clinical or security matters. Each deals with the whole picture from different angles. There must be collaboration between them. And, without executive powers, the train goes nowhere.
Those individuals can be key to ensuring these things happen, not only in the trust, but more widely across health and social care.
It must be remembered that, the more players in an integrated care setting, the more collaboration you need. Ideally, the same expertise would be reflected in each of the component organisations, to allow the security and workflow needs of acute, community, mental health, primary and social care to be tackled with cohesion.
But most importantly, health economies need to understand where they are deficient, where they are strong, where they need to invest, and where they don’t have enough resource.
The first step is for all the component organisations to come together and understand what they are capable of, and what they are not.
Only an integrated approach to security can work for the integrated care now about to happen.
Simon McDougall joins regulator in the role of executive director for technology policy and innovation
New national unit established to help forces mitigate impact of EU exit
London borough to work with NHS and other public agencies on development of platform
Government must protect consumers by regulating Bitcoin and others, the Treasury Select Committee has urged