
Should you share data breach information?


An interesting question put to two commercial CEOs, and one of some relevance to the NHS.

One challenge I believe many organisations face is that any step taken to improve Information Governance capability invariably exposes issues that had previously gone unnoticed or, worse, been ignored.

NHS policy currently states that any breach above a certain severity threshold must be disclosed as a Serious Untoward Incident (SUI), which is then made publicly available through Strategic Health Authority (SHA) websites.

When information governance technology is deployed, for example identity and access management, compliance management, or privacy and confidentiality auditing solutions, hidden or unknown issues are inevitably exposed, and more often than not a serious number of them qualify as SUIs.

Ironically, the obligation to publish SUIs creates a significant disincentive for organisations to take positive action by investing in technologies that improve compliance capability.

I wrote to the NHS Information Governance team at NHS Connecting for Health expressing this concern and asked whether organisations could be granted an SUI publication amnesty for a short, defined period, giving them time to put the technology to good use. Despite chasing, I unfortunately did not manage to secure any response from them on this idea.

As it stands, the SUI process is somewhat flawed in that it is open to a wide range of interpretation; one only has to look at what has previously been published on SUI incidents to see that the process is not satisfactory.

I am a supporter of greater transparency and openness in healthcare, but it has to be acknowledged that transparency and openness can sometimes be a problem rather than a cure, especially when the standard for what should be published is interpreted so differently.


NHS Information Governance came of age in 2010?


With more than seven years of refinement and implementation by end-user organisations behind the NHS Information Governance Toolkit (IGT), it would be reasonable to assume that not much more could be done to develop information governance capability across healthcare. However, the upgrade to version 8 in 2010, and an assessment of the returns from 158 acute trusts, tell a different story.

Version 8 introduced, for the first time in the seven-year history of the toolkit, a requirement for trusts to support their capability claims with evidence. For those on the outside looking in this is not a particularly remarkable development, albeit perhaps surprising that it was not already an element of the formal assessment process.

Despite this, patients and the public with any interest in data protection and information governance would no doubt have been somewhat reassured that the NHS information governance standard existed and that, for the most part, it provided clear and easy to understand guidance on data protection measures.

Until now it would also have been natural for interested parties to assume, given the long-standing and well established annual review process, that trusts reassessed themselves on the basis of evidence of capability.

Whilst this might have been the case, the dramatic effect of imposing the evidence requirement on the annual return process has produced results that will no doubt raise a good deal of patient concern, and some questions from the regulatory authorities.

The v8 IGT Evidential Assessed Outcomes

The initial and most obvious impact of the v8 evidential requirements was a significant and dramatic downgrading of assessed capability by virtually all of the 158 trusts reviewed, compared with the previous year's (v7) assessment and with earlier assessments back to v4 (2006/2007).

Between the final published v7 state (Mar 2010) and the initial v8 baseline assessment (Jun 2010), the percentage of trusts rating their overall score as "not satisfactory" rose from 1% to a staggering 97% (see table below).

IGT v7 to v8 Baseline Scores

In the subsequent three months, Jun 2010 to Oct 2010, and the next published assessment, referred to as the performance update, the situation did not change significantly: just 2% of the trusts reviewed managed to improve their overall status to a satisfactory rating.

Whilst the last six months of the v8 assessment period, Oct 2010 to Mar 2011, saw a much bigger improvement, with the satisfactory figure rising from 5% at the Oct 2010 performance update to 35% in the final Mar 2011 assessment, the end result was that nearly two thirds, 65% (103 trusts), were unable to re-establish overall compliance capability sufficiently to return a satisfactory rating.

Delving a Little Deeper

The reduction in capability occurred across five of the six NHS information governance toolkit categories (see table below), the one exception being Corporate Information Assurance, the only category that saw an increase in the number of trusts achieving a satisfactory rating.

IGT v7 to v8 Satisfactory Rating

Of most concern to patients and the public will be the categories focusing on the management and use of private and confidential information in the delivery of care (Clinical Information Assurance and Secondary Use Assurance), as the standards and data quality activities of these elements have the most significant impact on the quality of care at the front line.

Critically, nearly 22% (34 of the 158 hospitals assessed) did not achieve a satisfactory rating for Clinical Information Assurance, and 39% (61 hospitals) failed to achieve the required rating in the Secondary Use Assurance category.

Further concern will exist over organisations' capability to ensure that adequate protection and security measures are in place for privacy and confidentiality. The most significant reduction occurred in the Information Security Assurance category, with 54% (86 trusts) falling short of the required standard. The Confidentiality and Data Protection Assurance category fared marginally better, with 22% (35 trusts) falling short.

Of lesser importance, but at least interesting, is the one area of positive improvement: the Corporate Information Assurance category. This aspect, covering how trusts address corporate information and records management as well as legal compliance with the Freedom of Information Act, historically stood out in previous years' assessments as the category trusts struggled with most.

This positive aside, the overall outcome after seven years of the NHS Information Governance standard was an across-the-board and no doubt unexpected drop in standards, with fifteen NHS trusts failing to achieve a satisfactory rating in any of the six categories, compared with just one trust missing all targets in the previous year.

Wind of Change

It is evident that the v8 requirement for supporting evidence instigated a process of re-assessment beyond anything undertaken in previous years, with trusts consequently increasing the resources available to, and investment in, information governance, especially between Oct 2010 and Mar 2011. This was clearly not enough, however, given that very few trusts met the required target of level 2 capability for all requirements.

In assessing what further investment still needs to be made, trusts should also take into consideration the use of the current returns by the Care Quality Commission (CQC) and the prospect of future change in how this standard is monitored. The NHS Reform Bill proposes assigning responsibility for maintenance and development of the standard to the CQC, the consequence perhaps being a more formally regulated information governance regime.

NHS information governance assessment returns are already considered by the CQC in its independent assessment of trusts against the essential standards of quality and safety. The CQC assessment (Outcome 21 – Records) contains 62 quality and risk profiles based on the current NHS IGT standard and assessment approach. Consequently, the mechanism for formal NHS information governance regulation is already largely in place.

Trusts would do well to assume that this element of the reform bill is likely to secure a good level of support, especially given the v8 capability assessment results, and not least because it would provide a mechanism for addressing a great many of the Information Commissioner's concerns regarding the NHS's failure to implement a consistent and adequately robust approach to data protection.

If by any (very) remote chance the NHS information governance standard does not become part of the CQC regulatory function, trusts should consider the alternative: the Information Commissioner being granted his request for greater powers to undertake unannounced inspections, the next most likely option to be considered and possibly implemented.

Going Forward

Unquestionably, the reaction of most on seeing the very poor v8 results will initially have been one of shock, followed quickly by disappointment. There is also likely to be a great deal of concern and frustration among trust Chief Executives, Senior Information Risk Owners and Caldicott Guardians: concern because these positions are individually accountable for the validation and sign-off of information governance and data protection assessments, and frustration born of the need, after all this time, to refocus more of their valuable time and effort on addressing gaps in capability instead of on delivering the austerity measures.

Information Governance Managers, on the other hand, may actually be smiling, as many may now obtain budgets and support for investment that has traditionally been very hard to secure.

Equally, the IG Managers' counterparts, the Information Asset Owners, may also now feel they have the opportunity to secure the investment and tools that can actually help them deliver on the obligations of that role.

The facts, however, are clear: the majority of NHS information governance functions have not been supported with adequate budgets and funding to make any real difference to the level of compliance capability. This is further evidenced by how little investment has actually been made in information governance technology solutions, such as those addressing the fundamental requirements of:

  • Identity and Access Management Assurance
  • Access and Compliance Audit
  • Policy Management and Dissemination (interactive solutions)

Employing technologies that are readily available and mature in addressing these requirements can transform an organisation's compliance capability and, ironically, it is also possible for organisations to secure demonstrable cost savings and efficiency gains and delivery of Quality, Innovation, Productivity and Prevention (QIPP) objectives.

Most importantly, only through the use of technologies such as these will the NHS be able to demonstrate the robust, assured and reliable approach to data protection requirements that is necessary to secure the patient confidence and engagement needed going forward.

In Conclusion

If the result of this poor outcome is a re-prioritisation of attention and investment towards addressing this negative position, with senior management gaining in the process a better understanding of the wider business and austerity benefits to be secured from investment, then this will represent a significant turning point in attitudes to data protection.

Consequently, 2010 probably was "the year" for Information Governance; unfortunately, the real benefit of any increase in resources and/or investment cannot be fully appreciated until we see the outcomes of the IGT v9 assessments currently being undertaken.


NHS Identity Management – The importance of being!


NHS investment in Identity Management (IdM) technologies in recent years has not been as significant as one would expect, especially given that IdM very much underpins an organisation's Information Governance capability.

Paul White asks whether this is the time that Identity Management in health comes of age.

Not Something for Everyone?

Over the course of two years and visits to over 200 trusts to promote the merits of identity and access management solutions, I had to take a step back and reflect on why it was proving so difficult to secure commitment, at least to progress exploration of requirements beyond a mild level of interest in what identity management technology had to offer.

It was not as if I was the only one trying to encourage trusts to consider the merits of IdM solutions: in 2005 Connecting for Health invested nearly £20m in a Novell Enterprise Wide Agreement (EWA) that incorporated Novell's Identity Vault product licences.

Despite the Novell EWA underwriting a proportion of the solution costs, wide-scale adoption of the Identity Vault solution did not occur. In this case it appeared to be a reluctance to readopt Novell technology, given that the majority of trusts had some years earlier migrated to standardise on Microsoft technology, rather than any lack of appreciation of the merits of IdM.

Although I had greater success in securing trust adoption of an alternative, Microsoft technology based solution, even managing to establish market-leading status in health without the central funding support that Novell benefited from, achieving mainstream adoption of any IdM technology platform across health has proved too great a challenge for any single provider.

The reality was that despite the business requirement and emphasis on Identity Management provided through the Information Governance Toolkit, and ICT's appreciation of what IdM could achieve, qualifying this into a business case to secure funds and commitment proved too challenging a piece of work in its own right.

Business Requirements Re-evaluated

Identity: the name or essential characteristics that identify somebody or something. In the case of information governance, for example, the role or function a person performs for the business forms an essential characteristic of a member of staff.

Technologies the NHS largely already has in place, e.g. networking and data management systems, have evolved the capability to store a great level of detail about the professional characteristics of staff. For the best example of this, open your Microsoft Outlook client and look at an address book entry or Outlook contact form.

Details in addition to forename, surname and email address can include employee ID, department, job title, place of work, contact details and line manager, to name just a few of the more critical information governance elements.

Yet when you examine almost any directory service within an organisation you will be lucky to find anything more than a user name and email address; take a look at the NHSmail address book, where 90% of the entries contain only a very basic set of details.

This may be for legacy reasons: older technologies that have since been migrated or upgraded never had the capacity to store more than basic details, and subsequent upgrade projects never took the opportunity to expand the information stored beyond what came from the legacy system.

One has to ask why, given the importance placed on improved information governance, increasing the level of staff identity information stored in the system was not a key deliverable of any technology upgrade or refresh project.

Should identity information be added? Simply, yes. It is an imperative element of information governance: without it, organisations and users cannot validate access rights, because they cannot easily identify individuals, their roles, and their relationships to departments and to others within the organisation's hierarchy and structure.

Case for Identity Management: a No-Brainer!

Consider just the users such as Information Asset Owners and Heads of Department, people who are much closer to the change management requirements that need to be implemented, such as staff changing roles, promotions, leavers and new starters.

These overworked staff are engaged in what is quite often a convoluted paper-based administration process, which many of the organisations I have met with readily admitted to be untimely, error-prone and consequently very unreliable.

Many went further in acknowledging that their network, back office and clinical systems contained disjointed and widely varying information on end users, as a consequence of which compliance audits were either almost impossible or at least extremely costly to achieve.

Yet modern network technologies provide mechanisms for greatly simplifying the assignment of user access controls and permissions, reliably and automatically, through features such as group- or role-based policies, which use information such as place of work, job function or role to determine and apply permissions and access controls accordingly.

The benefits of using these technology features are numerous and extend well beyond good information governance practice. For example, automating user account creation and administration frees up valuable technical and systems administration resource that can instead be put to more productive and useful work, such as developing systems rather than just running them.

Information governance risk, and the likelihood of issues arising through inappropriate access or misadventure, are also greatly reduced, with the added benefit of being able to demonstrate that a robust and reliable approach has been taken to access control.

However, one of the root causes of the current state of affairs is that the native "out-of-the-box" systems administration tools are just not user friendly, nor easily implemented in a way that exposes only the functions and features that are relevant; administratively they tend to take an all-or-nothing approach to the granting of administrative rights.
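The group- or role-based provisioning described above, as an added worked example that is not code from the original post or from any product it mentions. It models the joiner / mover / leaver process the post describes: an authoritative HR feed carrying the identity attributes listed earlier (employee ID, department, job title, place of work, line manager) is compared with a snapshot of directory group membership, and the script derives the adds, removals, disables and orphan accounts needed to bring the directory into line. The HR feed, the directory snapshot, the attribute names and the group names are all constructed for the example; a real deployment would read the first two from the HR system and from LDAP / Active Directory.

```python
"""Attribute-driven access reconciliation: joiners, movers and leavers.

Added example, not code from the original post. The HR feed and the
directory group snapshot below are constructed; in a real deployment they
would be read from the HR system and the directory (LDAP / Active Directory).
Attribute names and group names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Identity attributes an account must carry before rights can be derived
# (the elements the post lists: employee ID, department, job title, place of
# work, line manager).
REQUIRED_ATTRS = ("employee_id", "department", "job_title", "site", "line_manager")

Record = Dict[str, Optional[str]]


@dataclass(frozen=True)
class Rule:
    """Every key in `match` must equal the staff attribute of the same name;
    each matching rule contributes its groups to the person's entitlements."""
    match: Dict[str, str]
    groups: frozenset


# Hypothetical role-based policy: rights follow role, department and site.
ROLE_POLICY: List[Rule] = [
    Rule({"job_title": "Consultant"}, frozenset({"EPR-Clinical-Write"})),
    Rule({"job_title": "Staff Nurse"}, frozenset({"EPR-Clinical-Write"})),
    Rule({"department": "Cardiology"}, frozenset({"Cardiology-Share"})),
    Rule({"department": "Medical Records"}, frozenset({"Records-Admin"})),
    Rule({"site": "Main Hospital"}, frozenset({"Site-Main-Wifi"})),
    Rule({"site": "Community Clinic"}, frozenset({"Site-Clinic-Wifi"})),
]


def missing_attributes(record: Record) -> List[str]:
    """Required identity attributes that are absent or empty."""
    return [a for a in REQUIRED_ATTRS if not record.get(a)]


def is_leaver(record: Record, today: date) -> bool:
    """A leaver is anyone whose HR end date has already passed."""
    end = record.get("end_date")
    return end is not None and date.fromisoformat(end) < today


def entitlements_for(record: Record, policy: List[Rule] = ROLE_POLICY) -> Set[str]:
    """Groups the policy says this person should hold, derived from attributes only."""
    groups: Set[str] = set()
    for rule in policy:
        if all(record.get(k) == v for k, v in rule.match.items()):
            groups |= rule.groups
    return groups


def reconcile(hr_feed: List[Record], directory: Dict[str, Set[str]],
              today: date, policy: List[Rule] = ROLE_POLICY) -> dict:
    """Compare the authoritative HR feed with current group membership and
    return the provisioning actions that bring the directory into line."""
    actions = {"add": set(), "remove": set(), "disable": set(),
               "unresolved": {}, "orphans": set()}
    seen = set()
    for rec in hr_feed:
        user = rec["username"]
        seen.add(user)
        current = directory.get(user, set())
        if is_leaver(rec, today):
            # Leaver: revoke every group and disable; never grant anything new.
            actions["disable"].add(user)
            actions["remove"] |= {(user, g) for g in current}
            continue
        missing = missing_attributes(rec)
        if missing:
            # Policy cannot be evaluated safely: report the record for correction
            # rather than guess, and leave existing rights untouched meanwhile.
            actions["unresolved"][user] = missing
            continue
        desired = entitlements_for(rec, policy)
        actions["add"] |= {(user, g) for g in desired - current}     # joiner / mover gains
        actions["remove"] |= {(user, g) for g in current - desired}  # mover loses old rights
    # Directory accounts with no HR record behind them: review and disable.
    actions["orphans"] = set(directory) - seen
    return actions


# Constructed HR feed: a joiner, a mover, a leaver and an incomplete record.
HR_FEED: List[Record] = [
    {"username": "asmith", "employee_id": "E1001", "department": "Cardiology",
     "job_title": "Consultant", "site": "Main Hospital", "line_manager": "E0900", "end_date": None},
    {"username": "bjones", "employee_id": "E1002", "department": "Cardiology",
     "job_title": "Staff Nurse", "site": "Community Clinic", "line_manager": "E0901", "end_date": None},
    {"username": "cwhite", "employee_id": "E1003", "department": "Medical Records",
     "job_title": "Records Clerk", "site": "Main Hospital", "line_manager": "E0902", "end_date": "2011-03-31"},
    {"username": "dgreen", "employee_id": "E1004", "department": "",
     "job_title": "Staff Nurse", "site": "Main Hospital", "line_manager": "", "end_date": None},
]
# Constructed directory snapshot: bjones still holds Medical Records rights from
# a previous role, cwhite has left, and legacy_temp has no HR record at all.
DIRECTORY: Dict[str, Set[str]] = {
    "bjones": {"EPR-Clinical-Write", "Records-Admin", "Site-Main-Wifi"},
    "cwhite": {"Records-Admin", "Site-Main-Wifi"},
    "dgreen": {"EPR-Clinical-Write"},
    "legacy_temp": {"Records-Admin"},
}
TODAY = date(2011, 6, 1)

if __name__ == "__main__":
    result = reconcile(HR_FEED, DIRECTORY, TODAY)
    for kind in ("add", "remove", "disable", "orphans"):
        for item in sorted(result[kind]):
            print(f"{kind:10s} {item}")
    for user, missing in result["unresolved"].items():
        print(f"unresolved {user}: missing {', '.join(missing)}")
```

Two design points matter more than the policy table itself. A record with missing identity attributes is reported as unresolved rather than evaluated, because a policy run over an incomplete record silently grants the wrong rights, which is exactly the failure the sparse directories described above produce. And leavers are handled before anything else, so an expired contract can never pick up new entitlements through a later rule.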

Resolving the Challenge

All is not lost: specialist identity and access assurance solution providers are in abundant supply, a great many with mature, proven and highly flexible solutions that resolve this NHS information governance dilemma.

By providing business- and user-friendly administration interfaces, complemented by reliable and timely workflow services, information asset owners and heads of department can be properly engaged in the process of user account administration and access rights authorisation and revocation.

A huge tick in the box for NHS Information Governance Toolkit (IGT) requirement:

  • 305 Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems.

and a significant contribution towards helping organisations better achieve the IGT audit requirement:

  • 206 There are appropriate confidentiality audit procedures to monitor access to confidential personal information.

The fact is, with a well-qualified set of user identity attributes readily accessible to all staff, a significant number of IGT level 2 requirements become much easier, and consequently more cost-effective, to achieve.

Furthermore, the current cost of administering and managing the various systems can be greatly reduced as a result of Identity Assurance technology's comprehensive interface capabilities, which automate the integration of multiple identity data sources, the provisioning of user accounts and the management of access rights across all systems (network, business and clinical).

This provides organisations with the ability to demonstrate delivery of Quality, Innovation, Productivity and Prevention (QIPP) cost savings and efficiency gains, especially with regard to back office administration and management functions.

Everybody benefits

Having a solid identity management foundation is an information governance prerequisite. It is possible to establish manual processes and procedures to address this requirement, but not cost-effectively or efficiently; human frailties unfortunately prevail.

With modern Identity Assurance solutions the human frailties are removed, ensuring a reliable, robust, timely and assured process for identity and access management assurance, and delivering a consistent approach to staff identities on all systems that makes assurance of rights and access activities easy to achieve.

The organisation also ends up with a better informed user community, with colleague information readily accessible through user-friendly technologies such as the Outlook address book, greatly enhancing the opportunity for staff collaboration through increased understanding of colleagues' roles and functions and, most importantly, the opportunity for users to validate the appropriateness of information sharing.

Better yet, being able to demonstrate the reliable maintenance of identities and access rights for the entire organisation will secure the support of regulators and, most importantly, of patients and the public: a must if investment in electronic patient records and electronic health systems is to secure patient engagement and participation.


NHS Information Governance Toolkit – Creating a false sense of data security?


Variation between the requirements of data protection law and the guidance on information governance contained in the NHS Information Governance Toolkit is having a counter-productive effect that undermines the value and benefit that should be derived from good information governance and data protection practice.

The NHS Information Governance Toolkit is the Department of Health's method of providing guidance on data protection and of assessing the information governance compliance capability of healthcare organisations. It is defined by a broad set of requirements:

  • Data Protection Act (1998).
  • Common Law Duty of Confidentiality.
  • Confidentiality NHS Code of Practice.
  • NHS Care Record Guarantee for England.
  • Social Care Record Guarantee for England.
  • International information security standard: ISO/IEC 27002: 2005.
  • Information Security NHS Code of Practice.
  • Records Management NHS Code of Practice.
  • Freedom of Information Act (2000).

The stated purpose of the NHS Information Governance Toolkit:

“The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.”

For a Primary Care Trust (PCT), the information governance obligations are described by forty-one requirements broken down into six key themes:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance
  • Clinical Information Assurance
  • Secondary Use assurance
  • Corporate Information Assurance

(NHS Information Governance Requirements for different organisation types can be viewed here)

For smaller organisations supported by PCTs, such as General Practices, the information governance obligations are described by thirteen requirements broken down into just three key themes:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance

This variation is somewhat inexplicable, and importantly it highlights that the NHS Information Governance Toolkit does not entirely address the statutory obligations defined by the acts of law. For example, PCT requirements 110, 111, 112, 206, 300, 301, 305, 309, 310, 311, 313, 314, 323 and 406 make explicit reference to Data Protection principle 7 as a requirement origin:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Yet in the general practice version of the NHS Information Governance Toolkit these requirements are not present. There are in fact thirteen requirements in the PCT version that specifically identify Data Protection principle 7 as an origin, yet in the general practice version there are only seven, and not a single one of the requirements founded on principle 7 in either set is the same for both organisation types.

The shortcomings of the general practice requirements are not limited to principle 7 of the Data Protection legislation; other PCT requirements make explicit reference to Data Protection principles 3, 4, 5 and 6, where the general practice requirements do not.

These shortcomings and variations in the guidance and measures allocated to different organisations are not limited to those highlighted here; they occur between secondary care, health and social care, and third party requirements too.

A Negative Outcome

The fact is that the majority of healthcare organisations, since the inception of the NHS Information Governance Toolkit in 2002/03, have focused on implementing and maintaining compliance with these requirements, not surprisingly, since that is what they have been targeted to do. Consequently, healthcare (and allied) organisations using the toolkit as their only guide will not be fully compliant with the law as set out in the Data Protection legislation.

The implications of ongoing shortcomings in addressing data protection adequately are far reaching. Beyond organisational failure to appreciate the value of investing in improved capability, there is the consequence of operating at an unsustainable level of risk that is periodically rewarded with a failure, and an occasional fine and/or sanction from the regulatory authorities (neither of which, commentators suggest, is presently sufficient to instigate the required change in attitude and appreciation of the need for better information governance and data protection).

The wider and more far reaching consequence of inadequate data protection is the undermining, and consequently "more costly to achieve", effect it has on the important and valuable effort and investment in increasing patient and public confidence, with the objective of securing their more effective involvement: a fundamental and necessary deliverable for the reform of the NHS.

A Positive Solution

Mature and proven technologies addressing information governance requirements, which enable organisations to bridge the gap between the NHS Information Governance Toolkit and the Data Protection legislation, are available. Used accordingly, these same technologies deliver additional strategic support to business decision making on information capability investment, address the aims of effective patient and public involvement, and underpin delivery of the "information revolution" requirements. At the core of the requirements for information governance compliance there are three fundamental elements that must be addressed:

  • Identity and Access Management (WHO): staff, their roles and relationships, functions, activities, locations of work, and place in the organisation's hierarchy. Without this level of information on all staff (permanent and temporary) readily accessible (beyond organisational boundaries), almost every aspect of the information governance process will be undermined on a regular basis.
  • Policy Management (HOW): data and service quality is founded on standards, and policy is the method by which these standards are conveyed to staff. Unfortunately, traditional methods of policy production and management are not dynamic or interactive enough to meet the modern demands of busy environments dealing with critical needs. Policy and document management and workflow technology transforms static policy and standards systems into an interactive and proactive organisation development tool: staff can be updated instantly on policy changes and new standards, and organisations can track acceptance and validate implementation, delivering a much more assured process for developing working practices and a staff culture of standards and quality.
  • Audit (WHAT and WHEN): validating staff activities, both operationally and in an informatics context, is vital both for delivering the information governance and data protection assurance requirements and for providing data to support the prioritisation of investment in digital information capability. Validating the use of information assets provides intelligence on what is not being used to the full extent of its capabilities, helping to identify gaps in informatics capability and data quality that undermine measures of productivity and assessments of service quality, and in turn opportunities to identify and implement cost savings and efficiency gains.
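The Audit element above, and IGT requirement 206 (confidentiality audit procedures to monitor access to confidential personal information) cited in the identity management post earlier on this page, both come down to the same mechanism: joining each access in the clinical system's audit trail to the identity attributes of the account that made it. The following is an added example of that join, not code from the original post or from any product it mentions. The staff table, the access log, the field names and the rule names are all constructed for illustration; the point is that three of the four checks are impossible without the department, site and account status attributes the WHO element calls for.

```python
"""Confidentiality audit over a record-access trail (added example).

Not code from the original post. The staff attribute table and the access log
below are constructed; in practice they come from the directory and from the
clinical system's audit trail. Field names and rule names are hypothetical.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed staff attributes: the identity data the post argues the directory
# should hold. Without them the checks below cannot be made at all.
STAFF: Dict[str, dict] = {
    "asmith": {"department": "Cardiology", "site": "Main Hospital", "active": True},
    "bjones": {"department": "Cardiology", "site": "Community Clinic", "active": True},
    "cwhite": {"department": "Medical Records", "site": "Main Hospital", "active": False},
}

# Constructed audit trail: who did what to which patient record, and which
# department the patient is currently under the care of.
ACCESS_LOG: List[dict] = [
    {"ts": "2011-06-01T09:12", "user": "asmith", "patient": "P-1", "care_dept": "Cardiology", "action": "view"},
    {"ts": "2011-06-01T09:40", "user": "asmith", "patient": "P-2", "care_dept": "Oncology", "action": "view"},
    {"ts": "2011-06-01T10:05", "user": "cwhite", "patient": "P-3", "care_dept": "Oncology", "action": "view"},
    {"ts": "2011-06-01T23:50", "user": "bjones", "patient": "P-4", "care_dept": "Cardiology", "action": "export"},
    {"ts": "2011-06-01T11:00", "user": "ghost", "patient": "P-5", "care_dept": "Cardiology", "action": "view"},
]

Finding = Tuple[str, str, str, str]  # (timestamp, user, patient, rule)


def audit(log: List[dict], staff: Dict[str, dict], core_hours=(7, 20)) -> List[Finding]:
    """Join each access to the user's identity attributes and flag the cases a
    confidentiality audit should review. One access can raise several findings."""
    findings: List[Finding] = []
    start, end = core_hours
    for e in log:
        who = staff.get(e["user"])
        if who is None:
            # No identity behind the account: the access cannot be justified at all.
            findings.append((e["ts"], e["user"], e["patient"], "UNKNOWN_ACCOUNT"))
            continue
        if not who["active"]:
            # A leaver or disabled account is still reaching patient records.
            findings.append((e["ts"], e["user"], e["patient"], "INACTIVE_ACCOUNT"))
        if who["department"] != e["care_dept"]:
            # No recorded care relationship between the user's department and the patient.
            findings.append((e["ts"], e["user"], e["patient"], "NO_CARE_RELATIONSHIP"))
        hour = int(e["ts"][11:13])
        if e["action"] == "export" and not start <= hour < end:
            # Extraction outside core hours is worth a second look in its own right.
            findings.append((e["ts"], e["user"], e["patient"], "OUT_OF_HOURS_EXPORT"))
    return findings


def by_user(findings: List[Finding]) -> Dict[str, int]:
    """Findings per account, to decide which staff to follow up first."""
    return dict(Counter(f[1] for f in findings))


if __name__ == "__main__":
    found = audit(ACCESS_LOG, STAFF)
    for f in found:
        print("  ".join(f))
    print(by_user(found))
```

The care-relationship rule is deliberately simple (department equality) so that the join is visible; a real procedure would substitute whatever the clinical system records as the legitimate relationship, such as membership of the treating team or a referral. Note that the incomplete directories described earlier would turn every access into an UNKNOWN_ACCOUNT finding, which is the practical reason the post ties audit capability to identity data.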

The right application of information governance solutions to the Who, What, When and How provides a solid foundation on which the strategic aims and objectives of the information revolution are better addressed, supporting the creation of improved measures of quality of service and operational performance, and an improved informatics capability with patient and public engagement.

Positive Outcomes

There are a significant range of business benefits to be gained from addressing these three fundamental elements of the information governance requirements. Benefits that are not just concerned with compliance to data protection law, but that also serve to support organisational efforts to improve operational capability and service quality:

  • Robust and assured approach in addressing requirements of the NHS Information Governance Toolkit and Data Protection Act, significantly reduced risks and likelihood of incurring a fine and consequential costs of a breach or failure in the governance process.
  • Significant cost savings and efficiency gains from existing information governance compliance management and administration activities.
  • Greatly improved ability to engage business managers and department heads and information asset owners in supporting the implementation of assured and robust information governance practices.
  • Significantly improved assurance on the reliability, timeliness and robustness of the information governance processes and procedures.
  • Ability to hand decision control to the better placed information asset owners and departmental management resources, delivering consequently QIPP cost savings and efficiency gains through reduction in the dependency and need to engage high cost back office technical resources.
  • Release of specialist technical resources from mundane administration and management tasks permitting reassignment to better support efforts to secure increased cost savings and efficiency gains though better use of technology.
  • Increased ability to support staff in meeting their individual compliance obligations with improved ability to develop and maintain information governance culture and awareness.
  • Increased ability to validate existing investment in digital information capability and prioritise / focus future investment at areas of most need / benefit.
  • Increased confidence and assurance in collaboration and data-sharing activities within the organisation and between partners.
  • Ability to demonstrate a robust approach to privacy and confidentiality, to secure confidence and increased patient and public involvement in service delivery.

The Conclusion

The NHS whitepaper, “Liberating the NHS: An Information Revolution”, promotes the need for further investment in technology and positions information as key to the success of NHS reforms, and in particular as a critical element in ensuring the NHS can achieve £20bn of cost savings and efficiency gains in the coming years.

There are few that disagree with the need for a reformed NHS founded on the principles of choice, responsiveness and equity that designs and delivers health services around the needs of patients. Fewer still would argue against greater patient and public engagement. It is imperative, therefore, for all concerned to recognise the important and somewhat fundamental contribution of information governance.

However, despite the increased support available to information governance managers, from the likes of board members assigned Caldicott Guardian and Senior Information Risk Owner roles, with the CEO or equivalent retaining final sign-off responsibility for information governance assessments, the lack of any budget and commitment to exploit the advances in information governance technology has the potential to make the strategic aims of a reformed NHS remain unreachable, or at least a more costly goal.

Courion Selects eCulture Solutions as Key Solution Partner

NHS specialist will focus on providing Courion’s solutions to manage access governance across UK

London, UK 6th June 2011 — Courion Corporation, the leading provider of access risk management solutions that help organizations cost effectively deal with compliance and security risk, has selected eCulture Solutions as a Solution Partner in the UK to offer healthcare trusts the ability to improve their risk management strategies with automated identity and access governance (IAG) solutions.

eCulture Solutions specialises in providing IAG solutions to healthcare organisations and is an expert in serving NHS foundations in particular. The organisation is well-versed in the details of the Information Governance Toolkit — the NHS standard from Connecting for Health — which describes the required safeguards for, and appropriate use of, patient and personal information. By partnering with Courion to offer best-in-class user access management and compliance solutions, eCulture Solutions can help Trusts to define, assess, enforce and verify their access policies so that all user access is appropriate and compliant with policies.

“We’ve found that Courion’s Access Assurance Suite™ addresses the guidelines set out by the NHS Information Governance Toolkit to safeguard personal health information more comprehensively than any other provider,” said Paul White, managing director of eCulture Solutions. “Courion brings a wealth of expertise and understanding to the table. The company has been identified by Gartner as a Leader in this space for the past few years and has a very clear IAG focus. It is very refreshing for our customers to see a suite that is truly fit for this purpose.”

“As well as monitoring users for accidental or malicious use of data, Courion’s User Activity Manager integrates identity with reports and alerts, merging a unique identity profile to user activity information, so that managers are able to identify users who are not making full use of the systems at their disposal,” added White.

“Confidential data, and access to it, is of huge importance for all UK government departments,” said Marc Lee, EMEA sales director at Courion. “With eCulture Solutions, we have a partner that understands what NHS managers specifically need, and what the Information Governance Toolkit requires, at a very detailed level.”

Courion’s unique approach to identity, access and compliance management ensures that only the right people have the right access to the right resources and are doing the right things. Access Assurance unifies Access Governance, Access Compliance and Access Provisioning in the most complex, heterogeneous environments. This comprehensive approach increases operational efficiency and transparency, strengthens security, and improves compliance, while delivering the industry’s fastest time to value and lowest total cost of ownership.

About Courion

Courion’s award-winning Access Assurance Suite solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at, our blog at, or on Twitter at

NHS Reform Bill 2012 and NHS Information Governance Toolkit

There is plenty for those involved in putting version 9 of the NHS Information Governance Toolkit together to consider, here are my thoughts:

We cannot ignore that the country is about to embark on the most significant health and social care reforms seen since the inception of the health service. This in itself has huge ramifications from an information governance perspective.

Not least is the proposal for health and social care integration to result in the convergence of health services and local authority services, with consideration being given across the country to facilitating this new arrangement in the form of a Social Enterprise, a semi-commercial entity (the same consideration is also being given to public health).

Information Governance Toolkit

Presently the IG Toolkit only provides (on a non-mandated basis) a guidance framework for social care delivery, which for the above perhaps needs to become mandated and merged with the existing primary care toolkit standard?

The next question will then be who will have oversight responsibility for these new social enterprises from a quality standards and information governance perspective: is it the Care Quality Commission (CQC)?

The data that will be managed by these new non-public sector organisations (adult services, child health etc.) arguably represents some of the most sensitive of all public sector data. Mandating a strong and robust information governance standard going forward is, I feel, one of the most important considerations to be addressed by the reforms.

We also have additional informatics (information sharing) and subsequent information governance challenges arising from the opening up of the healthcare market to “any willing provider”.

NHS Reform Bill 2012 Regulatory Assignment

NHS trusts and their information governance returns are presently used by both Monitor (at least for foundation trusts) and CQC (for all trusts) in the measure of capability, quality etc., the assessment of which can result in a trust losing its foundation status or fitness to practice licence.

The current reform proposals suggest Monitor will take on a role in oversight of the commercial “willing providers”, but there is no mention (at least that I have found) of CQC having any part to play with the fitness to practice licences.

The key of course, will be whether the IG Toolkit is extended to make provision for returns from “any willing providers” and if this will be mandated as it is with public sector trusts.

Finally and not least, GP Consortia, the IG Toolkit is presumably going to contain a set of requirements (a merger of current PCT and GP requirements) and again a mandate for these organisations to comply with?

To end with, the semi-commercialisation of NHS service provision through social enterprises and any willing provider, I feel, changes the landscape sufficiently for the UK to perhaps adopt a more robust approach.

It is perhaps (as some have been suggesting for several years) time for something like the US equivalent of the Health Insurance Portability and Accountability Act 1996 (HIPAA) and the subsequent Health Information Technology for Economic and Clinical Health Act 2009 (HITECH).

Especially given that we are likely as a result of the reforms, to see a significant increase in third party providers, health insurance and private healthcare adoption across the board.

Personally, I think HIPAA and HITECH equivalents in the UK are inevitable, and once the reform bill is passed then these will be next on the agenda; who knows, we might even see elements of these appear in version 9 to start paving the way.

Technology to end “NHS Privacy Invasion” headlines

In 1997 Computer Weekly(1) reported that Sir Bobby Robson’s electronic health records were viewed illicitly by NHS staff; in Dec 2008 The Daily Record(2) reported on a doctor working for NHS Fife who had snooped on the medical records of BBC celebrities and Celtic and Rangers football players; in Nov 2009 eHealth Insider(3) reported that more than 350 patients in Hull had their electronic medical records accessed inappropriately; and now in 2010 Computer World UK(4) reports that an NHS data quality manager has pleaded guilty to illegally accessing female patient records on 431 occasions and records relating to family, friends and colleagues on an additional 336 occasions.

The latest NHS privacy invasion incidents from a patient perspective are all the more alarming, in the fact that these privacy breaches are reported to have occurred over a number of months before being detected, a total of 8 months in the last case.

Technological Approaches Available

It is accepted that manual forensic auditing of the wide range of health systems hosting patient medical information is complex. There are some that suggest that, without the aid of technology, forensic auditing at the level mandated by the Information Governance toolkit requires a commitment of resources well beyond that which is available.

However, technology capable of reducing complexity, resource effort and cost required to accomplish audits across all electronic health record instances is now available.

The immediate short term deliverable is that organisations become not just “forensically ready”, but instead “forensically capable”. Employing a technological approach enables organisations to more easily demonstrate a reliable and proactive approach being taken in their management of private and sensitive electronic information (addressing IG toolkit requirement 8-206).

Return on Investment

The business benefits and return on investment achieved can be significant, with information governance / privacy issues pro-actively detected, providing the opportunity for resolution quickly before they become a major issue for the individual and the trust concerned.

As well as freeing up resources to focus on other requirements that are less easily addressed, one of the primary and most important information governance requirements has just become the easiest to achieve and administer.

It does not end there: additional benefits and return on investment are achieved through the substantial support provided towards increasing attainment levels of other information governance requirements, as well as lending support to the development of the organisational understanding of staff use, and value, of existing information assets.

With a more thorough understanding of the use of information assets, organisations can quickly address information governance risk issues and requirements to facilitate better use of systems supporting the development of these assets, with an objective of securing future cost savings and efficiency gains.

This last point is all the more significant in these financially difficult times given that the recent publication of the “Information on the Quality of Services – Final Report”, released to the government by the National Quality Board, highlighted:

“40% of health budgeting areas, representing £20bn of annual expenditure, are without any nationally collected quality information”.

This is a vast amount of annual public expenditure, within which, there will be significant opportunities for savings and efficiency gains within every trust.

This is a good example of a technology solution that delivers substantial benefits and return on investment, and it should be high on the list of investments being considered by all trusts going forward.
We should be thanking social networking providers?

Staff and organisation culture has often been identified as an inhibiting factor in efforts to develop public sector information governance capability and standards.

Some suggest cultural issues stem from the fact that the majority of the workforce has had to adapt and learn to use computers and information systems largely on an evolved basis of trial and error.

Training historically has focused on addressing the “hands on” use of the technology only; it is only recently that a greater focus has been given to developing a greater social understanding of the implications, i.e. governance and privacy concerns.

Social Networking

Looking ahead the new social networking generation of school leavers coming into the workplace, is likely to have a profound and positive effect on culture, in regard to staff being more acutely aware of the social implications of technology, and thus the value of supporting development of information governance capability.

Equally, this same generation of new service users will likely challenge organisations like no other before it to demonstrate that their data and privacy are being managed properly. We should expect an increase in Data Protection Act “subject access requests” as this generation matures into concerned adults!

Education and Maturity

For this we have to thank those that have supported making investment to secure mainstream use of technology in our education system, leading to the subsequent production of this computer literate element of society.

But I think we should reserve our greatest thanks for the social networking sites that have arguably made the greatest contribution towards the development of concerns and awareness of privacy issues, taking this generation beyond computer literate, to perhaps becoming technology savvy.

However, should we not also be concerned that the development of society’s awareness and appreciation of information governance and privacy still appears to be on a trial and error basis?

Information Governance – Key to achieving savings and efficiency gains

The recent publication of the “Information on the Quality of Services – Final Report” released to the government by the National Quality Board, highlighted “40% of health budgeting areas, representing £20bn of annual expenditure, are without any nationally collected quality information”.

Representing a significant amount of public expenditure, within which there will unquestionably be significant opportunities for savings and efficiency gains, information has therefore been acknowledged to be the key to NHS reform and at the heart of the new coalition government strategy (Equity and Excellence: Liberating the NHS), which promotes the need for an information revolution in health to deliver greater choice and control.

Staff use of operational clinical and administrative systems and the data inputs they make are therefore set to become increasingly important as organisations seek to increase operational analysis capability and improved measures of performance, with the objective of identifying ways to make the urgent and significant savings and efficiency gains required.

Time now for organisations to re-appraise their approach with information governance investment and capability development to exploit better the support this lends to the development of information assets and the immediate requirement to expose shortfalls or gaps in the use of operational systems.

Change of perception required first?

The range of technology solutions supporting greater efficiency and reliability in addressing information governance toolkit requirements is increasing rapidly. Most, if implemented correctly, deliver a significant range of benefits as well as very good returns on investment, in relatively short time scales. However, focus on and priority for technology investment as the best option for addressing information governance requirements has yet to mature.

For example, the requirement to make improvements on data security leading to the wide scale adoption of portable device encryption, only became urgent in the wake of HMRC losing disks holding unencrypted records on 23m UK citizens.

Even this was only subsequent to the then Prime Minister calls for a Cabinet Office review of government data handling procedures, leading to the identification of serious weaknesses across health in the handling of sensitive, private information. At this time, the NHS Information Governance Toolkit was nearly six years old.

Within the toolkit were requirements and guidelines underpinning legal and statutory obligations on data security. Yet the wide scale use of device encryption technologies had not become the norm alongside the likes of operational investments in network operating systems, data backup, disaster recovery / fault tolerance and anti-virus, all of which were accepted to be not just one-time procurements, but items (concerning data security) requiring regular review and upgrade.

After twenty years of increased technology infrastructure investment, it has been naturally accepted that these back-office operational elements of the IT infrastructure warrant ongoing investment with high levels of oversight and regular maintenance, because a failure of any of these can have an obvious and detrimental effect on the ability of the organisation to conduct its business, with the potential to adversely affect quality of care during any period of disruption. Yet the need for data encryption of mobile devices was not appreciated in the same way.

In another example the requirement 8-305 referenced earlier, represents a significant program of work if undertaken manually. It is not unusual for trusts to have anything up to 20 major operational systems in daily use, across the computing estate. Each with its own user account and access rights mechanism. Assessment and subsequent review of user account status for all staff, across these systems to support attainment of level 2, in the first instance, is not an insignificant amount of work.

Even with the gathering of user account data and associated access logs, and the subsequent analysis of this data, accomplished, establishing a process of ongoing management review and control, commensurate with the commonly complex staffing arrangements and substantial rate of staff change that occurs within trusts, requires a considerable amount of management time and effort.

Addressed manually this translates to not only an inefficient use of resources and occurrence of avoidable costs, but an information governance function that is operating at an unnecessary high level of risk.

Despite the availability of proven technology and the strong business benefits delivered through use of technology to meet and maintain standards for 8-305, very much more cost effectively and with considerably less risk, few trusts have managed to succeed with a business case to secure support for the investment required.

Conversely, a good number of trusts have acknowledged the wider issue and complexity of staff having to manage multiple logins, resulting in positive investment into single sign-on technologies.

There is of course an acknowledged difference in regard to outcomes achieved by the investment in single sign-on, as opposed to that addressing the user account management and maintenance process.

The case for single sign-on technology is an easier one to make, given that proper implementation of these technologies delivers easily quantifiable and perceptible end-user benefits.

By comparison, encryption and identity and access management technologies are largely administrative tools that typically require a greater investment of resources at the requirements qualification stage. Despite there being some important and not insignificant downstream benefits to end users delivered by these technologies, these are perhaps not so easily recognised and quantified.

Information Governance Culture

What the previous examples serve to demonstrate is that currently business cases to support technology investments for information governance achieve greater priority, if the outcome involves deliverables that are materially beneficial to operational end users.

On the negative side, this reflects a gap in correlating the benefits of making technology investments to deliver improved information governance capability with any consequential and positive effect delivered downstream, in particular service quality improvements achieved through better use of operational systems and development of information services.

In addressing this, an organisation perhaps needs first to acknowledge that the burden of responsibility and accountability for compliance and good practice is shared by all employees in any organisation. This can be a factor that consequently has the potential to undermine the organisation’s efforts to improve information quality:

  • Compliance requirements can be perceived as complex, daunting and presented in a manner that creates concern rather than assurance,
  • Staff consequently lack confidence to challenge ways of working and identify shortcomings in the use of systems, policy, process and / or procedure,
  • Information Governance becomes an information inhibitor, in the worst cases encouraging staff to limit the amount of information recorded on work activities.

The information on staff activities recorded across the various operational systems employed in the delivery of care, provides the organisation with a valuable profile that can help identify shortcomings in the use of systems, and importantly a baseline on the extent and range of information recorded.

This is the same information that can help identify where an organisation should be targeting efforts to make savings and efficiency gains, and, in the not too distant future, the measures by which commissioners and patients will be making their choices of which service from which provider they use.

Organisations now need to consider staff culture and perception in regard to the role and value of information governance, to ensure information governance is not just considered a policing tool.

Instead, investment in capability should also be cultivating acknowledgement and support from staff in the capacity for information governance to assist in the identification of poorly maintained and supported information resources.

The past challenge in determining by what means or with what catalyst the change to an organisation information governance culture could be instigated, is now resolved thanks to recent advances in technology.

Organisations through exploitation of these technologies can create the environment within which development of staff culture and information resources are developed into the valuable business assets required for the “information revolution” to come.

The method to address the shortfall in information on the £20bn of annual health expenditure identified by the National Quality Board is inevitably set to become an aspect of intense focus and an area trusts will be required to address.

A significant governance technology example?

Privacy auditing technology solutions are a good example of a technology addressing key points raised in this paper:

  • Technology that delivers significant reductions in the level of resource effort and investment required, not just in validating the levels of compliance achieved across operational and information systems, but also in ensuring these are maintained going forward.
  • A solution by which organisations can identify poorly maintained / utilised information assets, and key areas of risk.
  • The method by which a measure of staff information governance culture, awareness and attitudes can be ascertained, identifying staff development and training needs.

With a thorough understanding of the use of information assets, organisations can quickly address information governance risk issues, and requirements to facilitate better use of systems supporting the development of information assets, that underpin future cost savings and efficiency gains.

In the first task of obtaining information on the use of the many disparate business and clinical applications, privacy audit technology can provide the widest auditing support, with turnkey solutions working with over 100 existing health applications; new applications are added very easily.

With the privacy audit centralised, all required reports on operational systems access verification, with full details of user interactions with medical records, can be more readily available, produced through either pre-built reports or, if required, custom reports. Within a very short space of time organisations would be not just forensically ready, but forensically capable in the management and audit of electronic health data.
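The checks a privacy audit of this kind and an 8-305 user account review actually run are simple once the access records and account lists are centralised. The following is an added example written for this page; it is not code from eCulture Solutions, Courion or the NHS IG Toolkit. Every record in it (access log lines, the care-team roster, the HR extract and the per-system account lists) is constructed for the demonstration, and the thresholds and rules are assumptions. It flags record views by users with no recorded treating relationship with the patient (the pattern behind the snooping incidents described in the earlier post), use of an account after the user's leaving date, and accounts that are unknown to HR, belong to leavers or are dormant.

```python
"""Privacy-audit style checks over constructed EHR access records.

Added example, not code from the page's author or any named vendor.
All identifiers, dates and thresholds are constructed assumptions.
"""
from collections import Counter
from datetime import date, datetime

# Constructed access log: system, timestamp, user, patient id, action.
ACCESS_LOG = """\
PAS,2010-03-01T09:12:00,jsmith,P1001,VIEW
PAS,2010-03-01T09:40:00,jsmith,P1002,VIEW
EPR,2010-03-02T22:05:00,jsmith,P2001,VIEW
EPR,2010-03-02T22:07:00,jsmith,P2002,VIEW
EPR,2010-03-03T11:00:00,akhan,P2001,UPDATE
LAB,2010-03-04T08:30:00,akhan,P2001,VIEW
EPR,2010-03-10T13:15:00,rjones,P2002,VIEW
PAS,2010-03-20T10:00:00,rjones,P1003,VIEW
"""

# Constructed care-team roster: users with a treating relationship per patient
# (in practice derived from episode, ward or referral data).
CARE_TEAM = {
    "P1001": {"jsmith"}, "P1002": {"jsmith"},
    "P2001": {"akhan"}, "P2002": {"akhan"},
    "P1003": {"rjones"},
}

# Constructed HR extract: a leaving date of None means still employed.
STAFF = {
    "jsmith": {"left": None}, "akhan": {"left": None},
    "mwhite": {"left": None}, "rjones": {"left": date(2010, 3, 5)},
}

# Constructed per-system account lists: the input to an 8-305 style review.
ACCOUNTS = {
    "PAS": {"jsmith", "rjones", "tmp_contractor"},
    "EPR": {"jsmith", "akhan", "rjones", "mwhite"},
    "LAB": {"akhan", "old_locum"},
}

AS_OF = date(2010, 4, 30)  # assumed review date


def parse_access_log(text):
    """Turn the CSV-style log into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        system, ts, user, patient, action = line.split(",")
        events.append({"system": system, "ts": datetime.fromisoformat(ts),
                       "user": user, "patient": patient, "action": action})
    return events


def non_care_team_access(events, care_team):
    """Events where the user has no recorded treating relationship with the patient."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def access_after_leaving(events, staff):
    """Events recorded against a user after their HR leaving date."""
    out = []
    for e in events:
        left = staff.get(e["user"], {}).get("left")
        if left is not None and e["ts"].date() > left:
            out.append(e)
    return out


def account_review(accounts, staff, events, as_of, dormant_days=90):
    """Per-system account findings: unknown to HR, leaver still provisioned, dormant."""
    last_seen = {}
    for e in events:
        key = (e["system"], e["user"])
        last_seen[key] = max(last_seen.get(key, e["ts"]), e["ts"])
    findings = []
    for system, users in accounts.items():
        for u in sorted(users):
            if u not in staff:
                findings.append((system, u, "not in HR directory"))
            elif staff[u]["left"] is not None and staff[u]["left"] <= as_of:
                findings.append((system, u, "leaver still has account"))
            else:
                seen = last_seen.get((system, u))
                if seen is None or (as_of - seen.date()).days > dormant_days:
                    findings.append((system, u, "dormant"))
    return findings


def per_user_summary(events):
    """Access counts per (user, system), the figure quoted in breach reports."""
    return Counter((e["user"], e["system"]) for e in events)


if __name__ == "__main__":
    ev = parse_access_log(ACCESS_LOG)
    for e in non_care_team_access(ev, CARE_TEAM):
        print("no care relationship:", e["user"], e["patient"], e["ts"])
    for e in access_after_leaving(ev, STAFF):
        print("access after leaving:", e["user"], e["ts"])
    for f in account_review(ACCOUNTS, STAFF, ev, AS_OF):
        print("account finding:", *f)
```

The care-team roster is the part that takes real effort to build, and legitimate emergency ("break-glass") access will show up as a finding unless it is recorded and excluded, so these flags are review queues for the information governance team rather than verdicts.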

The solution can then be rapidly utilised to easily demonstrate a reliable and proactive approach being taken by trusts in the management of private and sensitive electronic information. It is also technology that serves the end user too, through the assurance on their activities working with electronic health systems, gaps in knowledge and capability can be identified, and then addressed through training and education, encouraging the workforce to become more accomplished and resourceful in their use of the information systems available.

The development of staff information governance culture is facilitated by the development of user confidence, with mistakes or inappropriate business practices being detected and corrected before becoming an issue for the user and the organisation concerned.

Business benefits to the organisation looking ahead are significant, with the ability to pro-actively detect and resolve electronic governance issues significantly reducing the negative business impact and consequential costs incurred, while at the same time developing a user community with a greater understanding and appreciation of the use and value of the information systems estate.

Utilised correctly, information governance technologies like privacy audit deliver benefits that extend well beyond just assessment of toolkit requirements, even beyond the implementation of a reliable and robust sensitive patient data management solution.

Privacy audit represents arguably the best catalyst and mechanism for changing organisation culture and improving perceptions of the value of information assets and governance investments, underpinning the development of service quality whilst the NHS grapples with the savings to be made, with:

  • Better information; 
  • A better informed organisation;
  • Better decision making capability;
  • Better outcomes for the patients.

The restoration and development of public confidence in the NHS handling of private and sensitive data can very quickly be put onto a positive footing.

Future investment in solutions increasing the availability of patient health information is then assured of public support, delivered by the confidence that this data is managed properly by the NHS and utilised only on a need to know basis.

NHS IG Toolkit v8 – A Coalition Mandate for Investment?

Paul White considers the impact of the new NHS Information Governance (IG) Toolkit v8 release and the mandate for further development of trusts information governance capability and standards.

The NHS IG Toolkit with version 8 has matured into a well conceived and clear set of standards and guidelines that is without precedent. With the trust board level role of Senior Information Risk Owners (SIROs) now very well established, the additional investment and effort required to achieve the increased levels of compliance mandated within version 8 should now be happening as a matter of urgency.

Early milestones to be met

The first major milestone to be reached, in the form of the Baseline and Performance Update submission, is set for the 31st October 2010; to meet this deadline, assessment of the toolkit 8 requirements needs to be happening throughout the summer period. This pays due respect to the fact that, having identified requirements to be addressed, there are only five months remaining in the period up until March 2011 within which to take steps to achieve level 2 compliance across all requirements.

This need for urgency and arguably the justification for the setting of increased targets in version 8, is demonstrated by the results of analysis of previous years IG toolkit returns (version 4 through to version 7) from all acute trusts submitting returns in this period (161 in total).

With the exception of just 13 trusts from this group, all had achieved an “overall” GREEN rating with a score over 70%, which is an achievement; however, this in itself does not tell the full story, if we are to pay due respect to the fact that the Information governance toolkit and requirements are intended to provide the mechanism for continuous improvement, not just a snapshot in time.

In the four years 2006 through to 2010 the overall score average, across all trusts has not changed dramatically as can be seen in the table below, with the average variation in the annual scores achieved being just 2.46%.

Whilst there were significant enhancements in the standards achieved by some individual trusts, with the largest leap between two years by any single organisation being 32%, these are cancelled out across the board by reductions of similar sizes in scores at other trusts.

It has to be acknowledged that in considering past performance, the version 8 release of the toolkit contains quite significant changes, not least in the number of requirements to be met, which for acute trusts falls from 62 requirements in version 7 to 45 requirements in version 8. However it should also be noted that the reduction involves only 3 requirements being removed from the toolkit, the remaining difference is created by the merger of 14 requirements into new standards.

Also, new to version 8 is the additional classification of requirements as “Key”, for which the mapping of these against the version 7 submissions indicates that 97.84% of the key requirements have been met. This however does not take into account the need for these to be re-appraised, especially for those involving the merger and/or change requirements between version 7 and 8. Inevitably the changes will require adjustments and investment to realigning current business practices accordingly.

Evidence based approach

The mandate for attainment of level 2 on all requirements by March 2011 has an additional feature of note, in that the attainment level has to be supported with evidence for how attainment has been achieved.

This signals clear intent on the part of the new coalition government and the Department of Health to seek further improvement in the handling and management of sensitive information across all departments and sections of the health service. Critically, at this economically challenging time, it is a statement to the effect that information governance is not an area within which investment should be cut back or reduced.

With this in mind, the mandate for efficiency savings and better use of resources is a significant consideration, for how any further investment in development of information governance compliance levels is made.

Therefore with the additional challenge set by the economic conditions under which further investment is going to be scrutinised, progress on information governance beyond the present ‘status quo’, will require a greater level of collaboration between the customer and suppliers of technologies and specialist services.

Looking ahead

Information governance is the cornerstone of future technology investments. If solutions such as the Electronic Health Record are to deliver on the potentially significant contributions to the future efficiency and resource savings required across the NHS, then patient / public confidence in the NHS’s ability to handle sensitive and private information responsibly, is more than ever a primary information governance deliverable.

There are many aspects of the IG Toolkit requirements that are very well served by technology that is readily available; most, if implemented correctly, deliver a significant range of benefits as well as very good returns on investment, in relatively short timescales. To date, however, the NHS has not mobilised itself to using technology for the delivery of information governance on a wide scale.

Information governance is certainly one area where technology can make a significant difference in reducing costs and helping to make the service more efficient.
