Organisations in the healthcare industry face many challenges with regards to the safeguarding of data.
Firstly, there’s the nature of the kind of information they have access to. This isn’t just financial data that could effect a company’s bottom line, it’s individuals’ health records, sensitive intelligence that could seriously harm people’s personal lives if it were to get into the wrong hands.
In addition to this is the nature of how many healthcare organisations work. More often than not, we’re not talking about traditional office structures here. Doctors, nurses and other hospital staff aren’t likely to be tied to one workstation all day, moving about their place of work.
The necessary access
In data access regulation we often talk about operating on a ‘need to know’ basis. Restrictions based on the level of necessity of each individual to do their job. And when we’re talking about healthcare it’s of utmost importance to get this right, as often ‘need to know’ means literally a question of life or death. Consider the doctor who needs to check her patient’s allergies before administering urgent medication – having that information to hand at the right time and the right place is not just a matter of convenience.
So getting these restrictions right is crucial. On the one hand it is imperative that patient’s sensitive data is safeguarded, but on the other it’s of equal importance that the right people have the access necessary to do their job, when and where they need.
Compliance to protect patient data
This is why the healthcare industry is among the most regulated with regards to data security. In the US, healthcare providers must adhere to the federal law of the Health Insurance Portability and Accountability Act (HIPAA).
In the UK, private providers that operate in the US will need to adhere to HIPAA too, but in the public sector the National Health Service has security policies for England, Wales and Scotland. While not law, these policies are aimed at safeguarding patient data and ensuring organisations within the NHS adhere to the Data Protection Act (DPA). This has recently taken on greater significance since the Information Commissioner’s Office (ICO), which enforces the DPA, was given greater authority by the UK government earlier this year to audit NHS organisations’ data security.
This guide looks at the some of the key areas of HIPAA and the NHS security policies with relation to internal safeguards. It uses research among healthcare professionals in the US and the UK (250 in each) to identify areas where organisations may or may not be up to scratch, and offering guidance.
A failure to adequately protect patient data
However, we know that by the nature of industry or pan-industry wide regulations there must be an element of applicability to the lowest common denominator that makes compliance a minimum, not a high standard. Regulatory sets like the Data Protection Act are purposely wide open to interpretation, but this does not mean that interpretation should be simply be paying lip service.
Quite the opposite – if healthcare organisations truly want to ensure that not only are they complying with regulations, but are sufficiently protecting protecting patient data, they should be striving to do everything in their power. And unfortunately the results of the research uncovered in this guide indicate that for many organisations, that is not the case.
Going beyond compliance
For this reason, we have endeavoured to go a step beyond guidance to simply comply, as any industry wide set of regulations is going to be, by it’s nature, ‘the basics’. They must cover so many types of organisation that they have to be applicable to lowest common denominator within their remit. The DPA in the UK is particularly susceptible to this as it covers various industries, meaning that by it’s nature it cannot be particularly specific in its requirements. So this guide aims to present a guide not only to how to meet compliance, but to reach beyond it by implementing granular security practices that mitigate the risks pertaining to patient data and other sensitive information that healthcare organisations must safeguard.