Opinion: Patient privacy requires urgent treatment

IT chiefs must put measures in place to monitor, detect and deter staff breaches of patient data

Dramatic changes are taking place that mean leaders in healthcare must rapidly become leaders in patient privacy. This is vital for the reputation of their organisations and the protection of patients and staff. The unfortunate reality, as senior executives will also be aware, is that the enormous mass of personal information they hold about citizens is highly vulnerable.

I am not referring to the regular, corrosive stories of lost laptops and memory sticks. The far greater threat comes from staff abusing their access rights to computerised records. The scale of the problem was underlined by the Guardian Healthcare Network’s use of the Freedom of Information Act to reveal that 30 London trusts had recorded 899 data breaches between 2008 and 2011.

The current situation with staff data breaches is serious but it could get much worse. David Cameron’s tele-health scheme makes information more vulnerable because it is shared by ever-more diverse groups and organisations. Andrew Lansley’s proposed structural reforms will create a second area of vulnerability by introducing a range of new providers to the NHS.

These problems are no argument against the greater sharing of electronic information. The replacement of manual systems with electronic records, and the ability to exchange and update patient data in real time, is a fundamental necessity for the delivery of joined-up care. However, any obstacle to the free flow of data can hamper, or even derail, progress. Breaches by staff snooping represent a profound risk because they strike at the reputation of the NHS in general, and of the hospital and its managers in particular.

The regulatory environment is becoming tougher. The Information Commissioner’s Office (ICO) has just published its new strategy to defend information rights in 2012. The EC is also toughening up its measures on data protection. The proposals include a demand for explicit consent, greater rights to have information deleted, and a duty to inform individuals and data controllers of breaches within 24 hours. Many UK hospitals will face major challenges in meeting these new national and international requirements. More than that, they are often dependent on ineffective monitoring systems that show very clearly that they have a problem, but are too slow to sort it out.

Fortunately, solutions are available that can put NHS healthcare providers back in charge, allowing them to monitor, detect and deter staff breaches of patient data. Scotland is leading the way, with Wales and some far-sighted English trusts not far behind. Yet many English NHS organisations have still not decided to confront the privacy issue, effectively hoping that regulators, police and lawyers never come knocking on their door.

The boards of every NHS organisation need to have security high on their agendas. Once this happens, NHS leaders will not only be able to meet their legal obligations but will have laid firm foundations on which to build ever-more sophisticated and effective forms of electronic patient care.

Kurt Long, CEO, FairWarning