The Care Quality Commission (CQC), an independent regulator of health and social care in the UK, recently completed a review of data security standards at the NHS that began in 2015. The official review, which will include guidance on consent and opt-outs for patient data sharing, is due to be published after the upcoming EU referendum this summer. In advance of that, the CQC and National Data Guardian Dame Fiona Caldicott have sent letters to all NHS trusts encouraging them to begin improving their data security capabilities now.
According to Computer Weekly’s Lis Evenstad, who has seen the letter, the standards have been designed to be “as relevant to GPs and smaller care providers as they are to large NHS trusts.” One of the key deficiencies identified by the CQC review is a lack of leadership on data security. As previous research has indicated, having C-level executives and the Board involved in data security, and framing it as a business issue rather than a purely technical one, can be a key differentiator in how well an organization is able to close its security gaps.
The CQC assessment notes that “identifying the appropriate leaders in your organization with responsibility and accountability for data security is vital, just as it is for clinical and financial management and accountability,” and recommends that organizations appoint Senior Information Risk Owners (SIROs) and Caldicott Guardians to the board. The report indicates that training on data security needs to target all levels of the organization, including board-level leaders, SIROs, and Caldicott Guardians. In advance of the official review, the CQC also encourages organizations to develop a clear view of their data flows in order to prepare for the forthcoming requirements on consent and opt-outs for patients.
The CQC assessment will focus on three themes for improving data security in the NHS: people, process and technology. As you’ll know, this same approach of education, policy and layered technology solutions is one we advocate for here at Absolute. The CQC recommends that organizations move forward with processes and technologies that can prevent data breaches and that can also deal with “near misses”: security incidents that do not result in a data breach, and attempted incidents that were stopped before they caused harm.
Visibility is key to preventing data breaches, detecting security incidents early and responding rapidly when a breach does occur. Absolute offers unrivaled endpoint data security, providing you with a persistent connection to all of your devices so you can secure endpoints, assess risk and respond appropriately to security incidents. With the addition of our new Endpoint Data Discovery, you can pre-define and track the data that’s important to you (meeting the need to understand your data flows), giving you the insight you need to enforce data security policies and to remotely delete data that may be at risk. Healthcare organizations around the world, including some NHS trusts, rely on Absolute to remotely secure and manage their endpoints; learn more here.