Freelance medical journalist
Chief Biomedical Scientist
Wigan Royal Infirmary
Barry has worked within pathology for more than 30 years, and is a prolific writer of articles for a wide range of pathology, nursing and GP-based publications. Outside of work, Barry enjoys walking the beaches of Anglesey with his family, as well as playing guitar and harmonica
Recent news that personal data relating to more than 15,000 patients were lost after a thief stole unencrypted computer tapes from a GP surgery must have sent shockwaves through practice managers the length of the UK.(1) In what was just the latest in a series of high-profile data losses within the public sector, back-up tapes containing personal health information on patients were removed from a Winchester GP's safe during a weekend break-in by a thief probably in search of drugs, money or other valuables.
Although Hampshire Primary Care Trust (PCT), which manages GP care in the area, claimed that data were password protected and required specialised computer equipment to process the information, the incident nonetheless graphically highlights growing concerns relating to storage of patient data within the GP surgery and the potential for it to be compromised by theft from outside parties.
According to a recent IBM survey, however, 75% of threats to corporate security come from within their own organisations.(2) The GP environment is not immune to this behaviour. The practice computer system can contain many valuable assets, including staff and patient personal details, private medical records, business plans and other financial or payroll information, all of which must be kept secure from the risks of accidental loss and deliberate theft at all times.
Any general practice, big or small, is potentially at risk to data loss unless appropriate precautions are taken to prevent this happening. Most data security experts agree that data theft has now become relatively simple with the advent of new technology. Internet access and small portable storage devices, combined with patient information stored on computer networks, give individuals the opportunity to acquire large amounts of data almost instantaneously.
Determined individuals intent on acquiring this data, who in the past would not have risked the danger of bulk photocopying paperwork and the associated problems of removing it, could now be taking many times that information simply stored on the memory chip within a mobile phone.
More practices are now moving towards "paperless office" systems, with most of their sensitive data already existing in digital format. But with scanners and digital cameras being commonplace, anything not already available in digital format can soon be converted and then acquired. While this information could theoretically be removed in any form, the large quantities that can be copied electronically to small devices or transmitted out of the surgery over the internet, or even via short distances using WiFi systems, makes this now the most likely method of information loss.
Security experts consider that specific data is far more likely to be stolen by an individual who already has legitimate access to the organisation's network. Physical devices used to steal data can be memory sticks, portable hard disks or writeable CDs and DVDs.
Where an employee is legitimately allowed to take information out of the premises, such as taking the practice laptop away to work from home, this transfer can occur offsite. Transmission of information can occur over the internet by email or WiFi if a receiving computer is set up in close proximity – this could be a laptop in a car parked outside the practice premises.
Accidental loss of data stored on laptop computers and information stored on CDs going missing in the post seems to be a particularly common problem, as recent news reports have demonstrated.(3) This type of scenario can also occur where an employee is specifically targeted for the theft of their laptop or handheld device, often as they are leaving work. There is also the possibility of a totally random theft, whether by mugging, car or house theft, whereby information is lost on a stolen device, but hopefully the perpetrator will not realise the significance of the information and it will probably be deleted.
The best protection against these scenarios is to prevent practice staff removing information offsite in the first instance. If this is unavoidable, data encryption software should be employed to prevent third parties from accessing sensitive patient information if a device is subsequently lost or stolen.
Good housekeeping rules
For practices, the possibility of an accidental loss of a database containing many important patient data files or health records would not only be embarrassing but potentially catastrophic – a disaster that can all occur all too easily if the correct procedures are not followed.
Accidental loss can occur in two forms. One is "deletion", whereby files are either deleted by accident or become corrupted and unusable, for example a hard disc failure. Good regular back-up procedures, housekeeping and archiving offsite are therefore essential for important practice data files to prevent this kind of avoidable loss.
The second is "physical loss", where an employee loses the information or has it stolen in a random theft, as described earlier. A recent case of significant data loss occurred at Newham, when the PCT relocated its smoking cessation service. More than 6,000 records, containing patient names, addresses and in some cases national insurance and NHS numbers, were also lost in the move, many of which have yet to be recovered.
Departing employees also pose a threat to data loss or theft. A good policy is to have strict employment terms and signed confidentiality agreements from the start of their employment, and a policy of taking legal measures against any employees breaching these terms. If employees believe that there is a real risk of incurring financial loss rather than financial gain by data theft, they will hopefully think twice before taking the information in the first instance.
Another area to consider regarding all personal patient information and data entrusted to the practice is the responsibility to ensure it is not divulged to third parties. For instance, practice managers are often asked to provide patient information by PCTs and other organisations as part of statistical surveys or questionnaires.
Even when these data are anonymised, there is a possibility that divulging these details may be a breach of patient confidentiality under the terms of the Data Protection Act (DPA). The DPA is the main piece of legislation that governs the protection of personal data of all living persons in the UK and provides a way in which individuals such as GP patients can enforce the control of information held about themselves.
Organisations in the UK, including general practices, are therefore legally obliged to comply with the DPA, which states that any personal data held in computer systems or files may only be used for the specific purposes for which it was collected. It also states data must not be disclosed to other parties without the consent of the individual whom it relates to, unless there is a legitimate reason to share the information, such as the prevention or detection of crime. It is therefore an offence for other parties to obtain this personal data without authorisation.
Furthermore, all appropriate technical and organisational measures should be incorporated to prevent any unauthorised or unlawful access of personal data held – eg, by hacking – and to guard against any accidental loss or destruction that may occur to it.
In relation to the disclosure of patient information, the DPA is reinforced by the Caldicott Standards, which are concerned with the protection of personally identifiable patient information within the health services. The "Caldicott Principles" state that before any patient information is disclosed, there must first be warranted justification for the purpose in which the information is needed, with any personally identifiable details used only when absolutely necessary.
Most crucially, access to the information should be on a strict "need to know basis", with all involved made aware of their responsibilities to respect the patient's confidentiality at all times. For this reason, should a practice manager consider that their PCT or any other outside organisation is requesting what appears to be inappropriate or unnecessary requests for patient data, even in an anonymised format, then they should consider each request on its merits and, if necessary, insist on a full explanation as to what purposes the information will be put to.
To illustrate the point of how personal patient data can be misused, a recent example occurred in a practice within Devon PCT. An employee working at a GP surgery accessed a patient's medical record to obtain the patient's home telephone number, then later used it to contact the patient for "personal reasons not related to health".(4)
So what cost-effective measures can a practice take to protect itself from data loss, abuse or theft?
Minimum security should include restricting computer access to authorised persons in the surgery, incorporating technical safeguards such as password protection and antivirus software. Screens should also be hidden from public view and all wastepaper or printouts shredded prior to disposal.
Additionally, a firewall should be installed on all practice computers to prevent unauthorised access. Many software solutions are available that will monitor for unusual access of databases and files. However, practice managers should also remain vigilant against all forms of data leakage. Is an employee showing unusual behaviour, working late recently, or perhaps acting nervously around their computer for example? Is the practice secure against attempted break-ins and burglaries?
To prevent data theft, practice managers should consider consulting with data security experts regarding how all forms of loss can be minimised in the practice environment. Neither should patient information be easily disclosed to third-party inquiries without full justification as to the validity of its intended purposes, as practices have a responsibility to safeguard personal patient information in their care at all times.
Finally, the financial consequences of data to practices should not be underestimated. It should be recognised that the larger and more reliant the practice is on its computer system, the more potential data there are to lose.
Even if practice managers succeed in identifying the loss of data and how it occurred, the embarrassment to the reputation of the practice, as well as any ensuing potential litigation from third parties or action by the PCT, makes it imperative that data security within general practice is treated seriously from now on.
1. See http://www.managementinpractice.com/article_14744
2. See http://www-03.ibm.com/press/us/en/pressrelease/19367.wss
3. See http://www.managementinpractice.com/article_14744
4. Pulse report. Data security lapses endemic in NHS, investigation reveals. 29 September 2008. Available from: http://www.pulsetoday.co.uk/story.asp?sectioncode=35&storycode=4120769&c=2
5. See http://www.managementinpractice.com/article_14283