Health and care organisations must protect their information systems against cyber security threats without compromising the quality of health and social care. All health and social care services are built on trust and on the understanding that sensitive information is shared only with people who are authorised to see it. However, as healthcare organisations become increasingly digitised, it is becoming harder to maintain the confidentiality, integrity and availability of sensitive patient data.
Consequently, all health and care organisations in England are expected to implement the National Data Guardian (NDG) Data Security Standards. The standards are designed to safeguard sensitive data and the critical services that depend on IT systems, which can be disrupted by events such as cyberattacks.
NDG Data Security Standards
The National Data Guardian is an independent advisory body in England sponsored by the Department of Health and Social Care. It advises the health and social care system on the confidentiality and security of data and on patients' choices about how their data is used.
Its role is to advise and challenge the health and social care system so that patients' confidential information is kept securely and used appropriately to deliver better health and care outcomes. To that end, the NDG sets out the data security standards that organisations should commit to in order to achieve an acceptable level of data security and protection.
The NDG's Data Security Standards apply to every organisation that handles health and social care information. Each must commit to the ten standards, which are organised under three Leadership Obligations: People, Process and Technology.
1. Leadership Obligation 1: People
Ensuring employees are equipped to handle information respectfully and safely.
i. Data Security Standard 1: Personal Confidential Data
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form, and that it is shared only for lawful and appropriate purposes. Staff understand how to strike the balance between protecting and sharing information and have the tools to help them make sensible judgements. They are trained in the relevant legislation and periodically reminded of the consequences of mishandling personal confidential data for patients and service users, for their employer and for themselves.
ii. Data Security Standard 2: Staff Responsibilities
All staff understand their responsibilities under the NDG's Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
This standard also requires that all staff understand what constitutes deliberate, complacent or negligent behaviour and the consequences for their employment. They are told that their use of IT systems is logged and attributable to them personally. Insecure behaviours are reported without fear of recrimination, procedures that prompt insecure workarounds are reported, and action is taken.
iii. Data Security Standard 3: Staff Training
All staff complete appropriate annual data security training and pass a mandatory test. The training can be completed online, and both the training and the test are provided through the revised Information Governance Toolkit (since replaced by the Data Security and Protection Toolkit).
2. Leadership obligation 2: Process
Ensuring the organisation proactively prevents data security breaches and responds appropriately to breaches or near misses.
i. Data Security Standard 4: Managing Data Access
The principle of least privilege applies: personal confidential data is accessible only to users who need it for their current role, and access is removed as soon as it is no longer required. Access to personal confidential data on IT systems can be attributed to individuals.
User privileges are managed proactively within identity and access management so that there is a credible forensic trail back to a specific user or user group; shared or generic logins break that trail, because an action recorded against them cannot be tied to a person. Where systems cannot record usage themselves, organisations can fall back on non-technical means such as CCTV, sign-in sheets, shift rosters and correlation with other systems.
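The two halves of Standard 4, least privilege and attribution, can be checked mechanically once role assignments carry start and end dates and the system log names the account that acted. The script below is an added example written for this page, not NDG or NHS tooling; the roles, permissions, assignments and log entries are constructed sample data. It lists assignments that should already have been revoked, then replays the access log against the permissions each account held on the day, flagging actions outside the assigned role, actions by accounts whose role has ended, and actions by a shared login that cannot be attributed to anyone.

```python
"""Least-privilege access review with a per-user audit trail (Data Security Standard 4).

Added example; not NDG or NHS tooling. Roles, users, assignments and log lines are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Permissions each role genuinely needs for its current duties (constructed).
ROLE_PERMISSIONS = {
    "ward_nurse": {"read_clinical_record", "write_observations"},
    "ward_clerk": {"read_demographics"},
    "pharmacist": {"read_clinical_record", "write_prescription"},
}


@dataclass(frozen=True)
class Assignment:
    user: str             # a named individual account, never a shared login
    role: str
    starts: date
    ends: Optional[date]  # None = still in post; set when the role ends


REVIEW_DATE = date(2024, 4, 5)   # assumed date of the access review

# Constructed: bob left the ward on 31 March but his account was never disabled.
ASSIGNMENTS = [
    Assignment("alice", "ward_nurse", date(2024, 1, 1), None),
    Assignment("bob", "ward_clerk", date(2024, 1, 1), date(2024, 3, 31)),
    Assignment("carol", "pharmacist", date(2024, 2, 1), None),
]

# Constructed access log from the clinical system. Each entry already names the
# account that acted, which is what makes attribution possible at all.
ACCESS_LOG = [
    {"ts": "2024-04-02T09:14:00", "user": "alice", "action": "read_clinical_record", "patient": "P001"},
    {"ts": "2024-04-03T08:02:00", "user": "bob", "action": "read_demographics", "patient": "P002"},
    {"ts": "2024-04-03T11:40:00", "user": "alice", "action": "write_prescription", "patient": "P001"},
    {"ts": "2024-04-04T15:25:00", "user": "carol", "action": "write_prescription", "patient": "P003"},
    {"ts": "2024-04-04T16:00:00", "user": "ward_shared", "action": "read_clinical_record", "patient": "P004"},
]


def effective_permissions(assignments, user, on):
    """Permissions a user holds on a given day, derived only from live role assignments."""
    perms = set()
    for a in assignments:
        if a.user == user and a.starts <= on and (a.ends is None or on <= a.ends):
            perms |= ROLE_PERMISSIONS.get(a.role, set())
    return perms


def expired_assignments(assignments, today):
    """Assignments whose end date has passed: access that should already have been removed."""
    return [a for a in assignments if a.ends is not None and a.ends < today]


def review_access_log(assignments, log):
    """Check each logged action against the permissions the account held at that time.
    Every finding names the account, so the trail leads back to a person, or exposes
    a shared account that cannot be attributed to anyone."""
    findings = []
    for entry in log:
        on = datetime.fromisoformat(entry["ts"]).date()
        held = effective_permissions(assignments, entry["user"], on)
        if entry["action"] in held:
            continue
        reason = "no live role assignment" if not held else "action outside assigned role"
        findings.append({"ts": entry["ts"], "user": entry["user"], "action": entry["action"],
                         "patient": entry["patient"], "reason": reason})
    return findings


if __name__ == "__main__":
    for a in expired_assignments(ASSIGNMENTS, REVIEW_DATE):
        print(f"remove: {a.user} ({a.role}, ended {a.ends})")
    for f in review_access_log(ASSIGNMENTS, ACCESS_LOG):
        print(f"{f['ts']} {f['user']:<12} {f['action']:<22} patient={f['patient']} {f['reason']}")
```

Run as written, the review reports bob's expired clerk assignment, then three log findings: bob reading demographics after his role ended, alice writing a prescription that her nurse role does not permit, and the ward_shared login reading a record with no individual to answer for it. In a real estate the assignments would come from the HR or IAM system rather than a list, but the check itself is the same.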
ii. Data Security Standard 5: Process Reviews
Health and care organisations carry out annual reviews to identify and improve the processes that have caused breaches or near misses, or that force users into workarounds that compromise data security. Past breaches and near misses are recorded and used to inform periodic workshops that identify and fix the processes causing problems, so that lessons are learned and repeat incidents are prevented.
Workshops should look at where high-risk behaviours are normally seen and consider actions to address them.
iii. Data Security Standard 6: Responding to Incidents
Cyberattacks against systems are identified and resisted, and security advice from the Care Computer Emergency Response Team (CareCERT) is acted on. CareCERT provides proactive advice and guidance on digital threats and cyber security good practice. An organisation should identify a single point of contact to receive CareCERT advisories and coordinate its response. Action is taken immediately following a data breach or near miss, and a report is made to senior management within 12 hours of detection.
All staff are trained to report an attack, and are thanked when they do so. Management understands that it is accountable for the impact of security incidents and is responsible for making staff aware of their duty to report upwards. Basic safeguards are in place to protect users from unsafe internet use: anti-spam filtering, anti-virus and basic firewall protection are deployed against internet-borne threats.
iv. Data Security Standard 7: Continuity Planning
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses. The plan is tested at least once a year, with guidance available from the toolkit, and a report is made to senior management.
Staff in key roles receive dedicated training in making sensible use of the available materials, so that planning is modelled on the needs of their own organisation.
3. Leadership Obligation 3: Technology
Ensuring technology is secure and up to date.
i. Data Security Standard 8: Unsupported Systems
No unsupported operating systems, software or internet browsers are used within the IT estate. Organisations should identify unsupported systems, including hardware, software and applications, and have a plan to remove or replace them or to mitigate the risks they carry.
NHS Digital (now part of NHS England) provides guidance and support to help organisations prioritise their vulnerabilities: not every unsupported system can be upgraded at once, and financial and other constraints have to be weighed to make informed decisions about priorities.
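Identifying unsupported systems and deciding which to deal with first is a job for the asset inventory rather than memory. The script below is an added example written for this page, not NHS Digital or NDG tooling. The end-of-support table, the inventory, the review date and the scoring weights are all constructed for illustration; the dates shown are the well-known Microsoft ones, but any real table must be confirmed against the vendor's lifecycle pages. The point it demonstrates is the order of priorities the standard implies: a product missing from the lifecycle table is treated as a gap to close rather than as supported, exposure (internet-facing, holds patient data) outweighs how long a system has been out of support, and every non-supported asset gets an action, including "mitigate" where replacement is not yet possible.

```python
"""Unsupported-systems inventory check and prioritisation (Data Security Standard 8).

Added example; not NHS Digital or NDG tooling. The end-of-support table, inventory,
weights and review date are constructed for illustration.
"""
from datetime import date, timedelta

# End-of-support dates keyed by (product, version). Constructed sample table:
# confirm every date against the vendor's lifecycle page before relying on it.
# None means no end-of-support date is set for the version.
END_OF_SUPPORT = {
    ("Windows", "7"): date(2020, 1, 14),
    ("Windows Server", "2008 R2"): date(2020, 1, 14),
    ("Windows Server", "2012 R2"): date(2023, 10, 10),
    ("Windows", "10"): date(2025, 10, 14),
    ("Windows", "11"): None,
}
_MISSING = object()

REVIEW_DATE = date(2025, 1, 15)        # assumed date of the review
WARNING_WINDOW = timedelta(days=365)   # flag anything ending support within a year
DAYS_CAP = 365                         # beyond a year out of support, age adds little

# Constructed asset inventory. patient_data: stores or processes personal confidential
# data; internet_facing: reachable from outside the organisation's network.
INVENTORY = [
    {"host": "pacs-srv-01", "product": "Windows Server", "version": "2008 R2",
     "patient_data": True, "internet_facing": False},
    {"host": "reception-pc", "product": "Windows", "version": "7",
     "patient_data": False, "internet_facing": False},
    {"host": "web-portal", "product": "Windows Server", "version": "2012 R2",
     "patient_data": True, "internet_facing": True},
    {"host": "admin-lt-42", "product": "Windows", "version": "10",
     "patient_data": False, "internet_facing": False},
    {"host": "ct-console", "product": "ScannerOS", "version": "4.1",
     "patient_data": True, "internet_facing": False},
]


def support_status(asset, today=REVIEW_DATE):
    """'supported', 'ending_soon', 'unsupported', or 'unknown' (not in the table)."""
    eos = END_OF_SUPPORT.get((asset["product"], asset["version"]), _MISSING)
    if eos is _MISSING:
        return "unknown"        # a lifecycle gap, not evidence of support
    if eos is None:
        return "supported"
    if eos < today:
        return "unsupported"
    if eos - today <= WARNING_WINDOW:
        return "ending_soon"
    return "supported"


def risk_score(asset, today=REVIEW_DATE):
    """Higher scores are fixed first. Base: days out of support (capped), a small fixed
    value for ending-soon, and a penalty for unknown lifecycle so it cannot hide at the
    bottom. Exposure weighting puts internet-facing and patient-data systems first."""
    status = support_status(asset, today)
    if status == "supported":
        return 0
    if status == "unsupported":
        eos = END_OF_SUPPORT[(asset["product"], asset["version"])]
        base = min((today - eos).days, DAYS_CAP)
    elif status == "ending_soon":
        base = 30
    else:  # unknown
        base = 180
    weight = 1 + (2 if asset["patient_data"] else 0) + (6 if asset["internet_facing"] else 0)
    return base * weight


ACTIONS = {
    "unsupported": "upgrade or replace; until then segregate from the network and restrict access",
    "ending_soon": "schedule the upgrade before the end-of-support date",
    "unknown": "confirm the lifecycle with the vendor and add it to the table",
}


def prioritised_plan(inventory, today=REVIEW_DATE):
    """Every asset that is not fully supported, most urgent first, each with an action."""
    plan = []
    for asset in inventory:
        status = support_status(asset, today)
        if status == "supported":
            continue
        action = ACTIONS[status]
        if status == "unsupported" and asset["internet_facing"]:
            action = "take off the internet edge now; " + action
        plan.append({"host": asset["host"], "status": status,
                     "score": risk_score(asset, today), "action": action})
    plan.sort(key=lambda item: item["score"], reverse=True)
    return plan


if __name__ == "__main__":
    for item in prioritised_plan(INVENTORY):
        print(f'{item["score"]:>5}  {item["host"]:<13} {item["status"]:<12} {item["action"]}')
```

With the sample data the plan puts the internet-facing portal first even though the PACS server has been out of support for longer, then the PACS server, then the scanner console whose lifecycle nobody has recorded, then the reception PC, and finally the Windows 10 laptop that still has support but will lose it within the year. The weights are deliberately simple so that a risk owner can argue about them; what matters is that the ordering is written down and repeatable.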
ii. Data Security Standard 9: IT Protection
A strategy is in place for protecting IT systems from cyber threats, based on a proven cyber security framework such as Cyber Essentials, and it is reviewed at least annually.
NHS Digital can assist risk owners in understanding the roles of different national frameworks and the outcomes each component intends to achieve.
iii. Data Security Standard 10: Accountable Suppliers
IT suppliers are held accountable via contracts for protecting the personal confidential data they process and for meeting the National Data Guardian's Data Security Standards.
IT suppliers understand their obligations as data processors under the General Data Protection Regulation (in the UK, the UK GDPR and the Data Protection Act 2018) and the need to educate and inform the organisations they work with about combining security and usability in IT systems. It is also their responsibility to ensure that their software runs on supported operating systems and is compatible with supported internet browsers and plugins.
Because suppliers serve many similar organisations, they represent a large proportion of the sector's attack surface, so their duty to manage risk robustly is critical and should be written explicitly into contracts. An organisation should also check that any IT supplier, and the systems it provides, hold the appropriate certification.
The NDG Data Security Standards are a set of good-practice guidelines that should be applied across the health and care information governance field. They let organisations within the NHS benchmark their data security, and health and care organisations should review and implement their cyber security practices in line with them, so that patient data is kept safe and used correctly.