Protecting patient data

Whether providing consultations or referrals, interventions or ongoing treatment plans, the prime consideration for all health professionals is to act in the best interests of their patients. Those best interests also extend out from the treatment rooms and into the day-to-day practice areas, from reception and administration to the security of patient data.

The important part played by health practice administrators, when carrying out duties such as booking appointments or providing follow-up information, was illustrated recently in the 2023 National Cancer Patient Experience Survey. The cancer workforce plan acknowledges the key role played by administrators, and this is reflected in the survey: 87% of patients commented that the administration of their care, which the survey defines as “getting letters at the right time, doctors having the right notes/tests results, etc”, was either very good or good.

Timely correspondence and efficient management of patient notes are therefore important in helping to provide patients with the reassurance they need when undergoing treatment. The knowledge that their data is being kept in a secure environment provides additional reassurance, particularly at a time when the National Crime Agency (NCA) has highlighted high levels of cyber-crime, in particular the danger of ransomware and supply chain attacks alongside compromised social media, business and personal e-mail accounts.

The NCA recommend an initial three-step approach, which consists of:

  • Protect your accounts by using a strong password for your email, made from three random words and different from your other passwords, and by turning on 2-step verification.
  • Protect your information when using social media.
  • Select online providers and retailers which offer good protection for you and your data/information.

In addition, the NCA recommend that organisations follow the Cyber Aware advice and framework, which can be found on the NCSC Cyber Aware website. Recognising the importance of data security, on 3 September 2024 the National Data Guardian (NDG) and NHS England announced a plan to change the way in which health organisations assess their data protection and security capability and preparedness. This change will require the gradual phasing out of the current model in favour of the one promoted by the NCSC Cyber Awareness framework (CAF). Initially the change will only affect a few larger organisations, but the intention is for all health providers to transition in due course.

According to the announcement, the CAF will benefit organisations in two ways. Firstly, it helps organisations to develop a long-term roadmap of yearly incremental improvements. Secondly, because the CAF focuses on achieving outcomes, it enables organisations to apply strong governance and cyber security principles. As a result, health providers are empowered to implement flexible data protection measures which best serve their organisation, patients, and service users. This flexible approach also helps them to change their model as new threats arise.

Commenting on the change, Dr. Nicola Byrne, the National Data Guardian, said that the transition to the Cyber Awareness Framework “represents a positive evolution, offering organisations a more current framework for evaluating and improving their data protection and cyber resilience.”