Category Archives: Data Protection

CyberSecurity

NHS CyberSecurity lessons makes you WannaCry?

The worldwide ransomware attack that occurred on the 14th of May is already prompting much debate about the cybersecurity lessons for the NHS, much of which focuses on the failure of affected organisations to ensure adequate levels of investment in IT systems to mitigate the risk of this event.

The ransomware exploited a known issue with Windows XP, for which a patch had been issued earlier in the year. The biggest news headlines here in the UK concerned the impact this exploit had on the NHS, with a great many organisations appearing to have been caught out by the Windows XP vulnerability.

As is the case when the public sector suffers an adverse event, the call goes out for lessons to be learned, usually with an assumption that these are all new, but inevitably there will be those lessons that have already been learned, but just not put into practice.

Windows XP Legacy

Those that have been around NHS IT for a while will remember the last elected Labour government’s implementation of the National Programme for IT (NPfIT), tasked to deliver a standard national NHS IT system. Regardless of what is thought about the success or failure of the programme, it did leave a lasting legacy long after it was cancelled.

This was not least the case for those NHS organisations that had progressed to implementing NPfIT systems and solutions and, in doing so, had tied themselves to technology standards defined by the programme that could not be easily changed. In the commentary following the ransomware event it has been highlighted that the legacy of NPfIT Windows XP implementations was the reason so many organisations were adversely affected.

In September 2011, the government announced the acceleration of the dismantling of the National Programme for IT*. Whilst at the time the impact of this decision was not significant, because NPfIT technology was still current and thus supported by providers, it should perhaps have been better recognised that this state was not sustainable in the long term. This was especially so for Windows XP, because the next version, Windows 7, was already available (released Oct 2009) and being adopted across health in non-NPfIT legacy environments.

Things finally came to a head for XP when Microsoft announced that it would be ending its patching and maintenance support for the platform in April 2014. Thankfully in acknowledging that there was still a dependency on this technology platform, the government took steps and signed an extra-ordinary deal with Microsoft** that secured continued support for XP across the UK public sector for another 12 months.

Critically, a condition of this agreement was that any public sector body wishing to take advantage of this extended support arrangement had to commit to development of a “robust plan” to move off Windows XP, Office 2003 and Exchange 2003 within the year.

Roll forward to 2015 and the next government decision on the matter was, just as they had advised, that they would be closing down this extra-ordinary support arrangement***. It has to be said that this was for good reason, on the basis that continued central government funding of this deal was felt not to be consistent with the need to encourage organisations to urgently upgrade or migrate.

The question here however has to be, “was it reasonable to expect trusts to be able to find the funds for wholesale upgrade of unsupported operating systems in such a short time frame (this being equivalent to a single financial year)?”

To further compound matters at the time, NHS organisations had been shielded from the full cost of wholesale systems upgrade throughout the time of NPfIT. A national licensing deal with major suppliers like Microsoft removed the need for software costs to be met locally by NHS organisations****.

Straight Out the PRINCE2 Textbook

It is accepted best practice that when a pre-existing programme or project is to be closed down, an impact assessment of the consequences should be undertaken. Not least so that the risk can be properly understood and adequate mitigations planned. If nothing else there is nearly always a financial consequence to closing programmes and projects and this is a very good example of one.

The NPfIT programme along with central licensing deals transformed the model of IT investment within the NHS for a decade. Switching these off and closing down the national deals the programme created was inevitably going to have consequences for participating organisations.

Some will argue that the implementation of the extra-ordinary support arrangements for legacy software was an act of risk mitigation. However, was it reasonable in 2014 to expect affected organisations to plan and implement an upgrade or migration of XP in a single financial year, without any additional financial support being provided?

The NHS had already been managing financial pressures for a good number of years before the decision to end XP support was taken. That was certainly long enough for organisations to flag this as a risk of significance: without additional and extra-ordinary financial support, there was no way they were going to be able to take the steps needed to address the situation.

In summing up, it is clear that although the NPfIT national licensing deals themselves had been closed down some years earlier in 2010, the impact of this decision on local investment plans going forward was never properly qualified or understood, and that further opportunities to address this were missed in 2015 and all the way up to the 14th of May this year, 7 years on!

Shout to the Top

As an acknowledged risk, the XP issue should have been raised on the Information Governance (IG) Risk Register and flagged as a serious concern to the Senior Information Risk Owner, which by now, as a result of improvements to NHS IG standards, was a role assigned to a senior management representative on the board of the organisation.

Additionally, given the dependence on technology in meeting clinical outcomes, the risk should have also featured on the Clinical Risk Register, which would have flagged it up to the Chief Medical Officer, also a member of the board.

Just a cursory glance at most organisations’ annual reports and board papers will expose the fact that IT barely gets a mention. Certainly any reviewer will be hard pressed to find any mention of XP specifically in the dealings of the boards of any one of the organisations affected, at any stage of the timeframe in which this was an ongoing concern.

This therefore exposes a potentially bigger issue in that information technology investment and dependence is not a matter adequately represented at the board level, then or now.

This clearly is a matter of concern, given that the recent event exposed the criticality of the service’s dependence on information technology in the performance of its primary function, delivery of treatment and care.

Frustratingly, some of the commentary on the event included the phrase “IT is not the primary business of the NHS”, suggesting therefore that it is not the NHS’s responsibility to ensure the reliability and safety of the tools it uses to deliver care. This is clearly nonsense.

It is perhaps partly this attitude that has excluded proper IT representation at the board level? Given the next stage of investment required and proposed by “paperless at the point of care” and “integrated digital health and care plans” and additional dependence on technology this will deliver, it is now time for IT to have a seat at the top table.

Information Governance STILL Maturing?

The NHS has an excellent online tool and system of guidance and assessment addressing information systems, security and good practice management standards (NHS Information Governance Toolkit). The tool is well established, having been around and in use for more than 15 years, with NHS organisations’ status reports openly published and available for review.

In April 2014 in a blog article entitled Patient Record Access – A Perspective 2 Years On I set out the more fundamental data protection and information governance challenges that the NHS needed to address to maximise the benefits potential of digital engagement. Not long after, the original 2015 target for achieving patient record access was deferred to 2018 and linked to the “paperless at point of care” requirement.

Then and still today, technology innovation is widely acknowledged and accepted to be the primary method by which transformation of current health and social care models is to be achieved, along with opportunities to deliver service effectiveness improvements and efficiencies at a substantial scale (£20bn+) going forward.

NHS 2020 digital roadmaps across the country outline ambitious plans addressing the technology integration and innovation requirements needed to achieve “paperless at the point of care” and “integrated digital health and care record”. The levels of investment are significant, but then so is the benefits potential. For the first time in the history of health and social care, the technology to support transformation to a more pro-active and well-being orientated model is possible.

Success however will be heavily dependent on the digital engagement of patients and their carers and how effectively this is achieved. In this respect information governance will be a key deliverable and factor in how much and how quickly the benefits of patient digital engagement are secured and maintained going forward. Patients will need ongoing assurance that digital engagement is safe, and that their right to privacy is being properly protected.

Of the 33 major NHS organisations (community and acute hospitals) identified to have been affected, all have reported a “satisfactory” rating in the information governance self-assessments completed in March this year, in particular for the following requirements:

Information Security Assurance

  • 14-301 A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
  • 14-307 An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy
  • 14-309 Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
  • 14-310 Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error
  • 14-311 Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code
  • 14-313 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely

The recent CyberSecurity event serves to remind the NHS, that despite all the good work done in the development of the information security and governance standards and despite all the resources that have been provided to help organisations get good at this, there is so much more to be done, and this too is going to require additional investment at the local organisational level.

Links to Articles

* Gov Announces Dismantling of NHS National Programme for IT

** Government signs £5.5m Microsoft deal to extend Windows XP support

*** The UK government stopped funding Windows XP support to try and force people to upgrade

**** NHS loses massive Microsoft licensing rebate


Digital Patient Engagement

Digital Patient Engagement or Participation?

By 2018 patients should have access to their medical records online. By 2020 this should have evolved into a digital patient engagement solution as health and social care achieves “paperless at the point of care” working practices. But is it just about engagement, or should we be preparing more for active participation and ownership of health concerns and issues?

Digital Transformation of Service Delivery

The main concern I have had shared with me is that the NHS 2020 Digital proposals are still not making adequate plans to exploit the opportunity provided by Internet of Things (IoT), wearables and assisted living technologies at the earliest.

The current focus is being given to resolving internal data integration / flow issues, which do need resolving, acknowledging that there are clinical and information governance concerns as well as care benefits needing to be addressed. But whilst these in the main deliver service quality and improved workflow for people already in the system, their support for delivery of a transformed and more sustainable service delivery model is limited.

Transformation of the service delivery model and improvement in future sustainability of any significance for health and social care, is largely dependent on the digital patient engagement (or better – participation) and capabilities delivered by technology innovation incorporated to support pro-active participation. The opportunity and benefits potential is significant, when the service delivery model evolves from one that is largely re-active and after the fact, to an alternative and more sustainable pro-active and well-being orientated model.

These benefits are only going to be enhanced by any ability to integrate and exploit technology innovations and automation delivered by IoT, wearables, assisted living and health and care / well-being monitoring innovations and solutions. Adoption of these technologies will increase as they become more capable and with this increase the range of proactive information and data supporting opportunities for further cost saving interventions and / or preventions will also increase.

Data Governance and Management

Consequently the long-term objective of any digital health and care engagement solution should be about providing the means to help us to live well and, if we are unfortunate enough to have one or more long term chronic conditions or disability, to be empowered to manage our situation as much and as well as we can. It is never though just about us as individuals; we pretty much all care for, or are cared for by, somebody else. So we should be able to gain access to others’ information too.

All of the above inevitably leads to an explosion of information becoming available, and of the most personal and sensitive kind! Consent and data ownership / management quickly become the most important considerations in the design of any engagement solution that needs to be open to accommodate future technology innovations delivering on the pro-active health and well-being opportunity.

It is, however, widely acknowledged that local developments and deployments are not being guided by a core common engagement and consent model or universal data flow / integration standards. Of concern, consequently, is that the progress to a better model of health and care continues to evolve with massive variations in capability delivered differently across regions.

Conclusion

Until the need for core common standards on data consent, governance and interoperability is fully addressed, the participation of patients and citizens with the digital solutions will likely remain inhibited. Subsequently, the opportunity to achieve the £20b of universal benefits from a transformed service delivery model by 2020 will very likely remain an elusive and much less assured target than it could otherwise be.

References and Links

Article produced in response to news item Health wearables firm Fitbit holds talks with NHS published by Digital Health


ICDPPC 2014

Mauritius Declaration on the Internet of Things


Jacob Kohnstamm – Chairman of the Executive Committee of the International Privacy Conference

Drudeisha Madhub – Chairwoman of the Mauritius Data Protection Office

Mauritius Declaration on the Internet of Things

The internet of things is here to stay. Ever more devices are connected to the internet and are able to communicate with each other, sometimes without the user being aware such communications take place. These devices can make our lives much easier. For example in healthcare, transportation and energy the connected devices can change the way we do things. The internet of things however, can also reveal intimate details about the doings and goings of their owners through the sensors they contain.

Self determination is an inalienable right for all human beings. Personal development should not be defined by what business and government know about you. The proliferation of the internet of things increases the risk that this will happen.

The assembled data protection and privacy commissioners have therefore discussed the possibilities of the internet of things and its consequences during the 36th International Privacy Conference held in Balaclava, Mauritius on 13 and 14 October 2014.

Four speakers representing both the private sector and academia presented the Commissioners with the positive changes the internet of things may bring to our daily lives as well as the risks. The speakers also took stock of what needs to be done in order to ensure the continued protection of our personal data as well as our private lives.

The subsequent discussion led to the following observations and conclusions:

  • Internet of things’ sensor data is high in quantity, quality and sensitivity. This means the inferences that can be drawn are much bigger and more sensitive, and identifiability becomes more likely than not. Considering that the identifiability and protection of big data already is a major challenge, it is clear that big data derived from internet of things devices makes this challenge many times larger. Therefore, such data should be regarded and treated as personal data.
  • Even though for many companies the business model is as yet unknown, it is clear that the value of the internet of things is not only in the devices themselves. The money is in the new services related to the internet of things and in the data.
  • Everyone who lives today will realize that connectivity is ubiquitous. This may apply even more strongly to the young and to future generations, who cannot imagine a world without being connected. It should not though solely be their concern as to whether or not their data is protected. It is a joint responsibility of all actors in society so that the trust in connected systems can be maintained. To this end, transparency is key: those who offer internet of things devices should be clear about what data they collect, for what purposes and how long this data is retained. They should eliminate the out-of-context surprises for customers. When purchasing an internet of things device or application, proper, sufficient and understandable information should be provided. Current privacy policies do not always provide information in a clear, understandable manner. Consent on the basis of such policies can hardly be considered to be informed consent. Companies need a mind shift to ensure privacy policies are no longer primarily about protecting them from litigation.
  • Data processing starts from the moment the data are collected. All protective measures should be in place from the outset. We encourage the development of technologies that facilitate new ways to incorporate data protection and consumer privacy from the outset. Privacy by design and default should no longer be regarded as something peculiar. They should become a key selling point of innovative technologies.
  • The internet of things also poses significant security challenges that need to be addressed. A simple firewall is no longer sufficient. One way to minimize the risk to individuals is to ensure that data can be processed on the device itself (local processing). Where this is not an option, companies should ensure end-to-end encryption is in place to protect the data from unwarranted interference and/or tampering.
  • The data protection and privacy authorities will continue to monitor the developments in the internet of things. They undertake to ensure compliance with the data protection and privacy laws in their respective countries, as well as with the internationally agreed privacy principles. Where breaches of the law are discovered, they will seek appropriate enforcement action, either unilaterally or through means of international cooperation.
  • Taking into account the huge challenges faced by internet of things developers, data protection authorities and individuals, all actors should engage in a strong, active and constructive debate on the implications of the internet of things and its derived big data to raise awareness of the choices to be made.

Links to Original

Mauritius Declaration on the Internet of Things from the 36th International Conference of Data Protection and Privacy Commissioners


Applaud Maude, for suggesting boardroom focus on IT security


Minister for the Cabinet Office, Francis Maude, has urged businesses to make IT security a boardroom issue. The minister warned that security was no longer an issue for IT departments alone.

Is it the case that modern day businesses still need encouragement to make IT security a top priority? Is data protection legislation in itself failing to impress upon organisations the need to adopt a more business orientated approach to IT security investment and management?

Perhaps many can be forgiven for thinking that IT security in this modern age is not being addressed properly within the business community, especially given recent high profile issues experienced by some of the top technology providers in the world. If well known technology powerhouses are unable to implement security measures to prevent cyber attacks on their business, then concern about what hope there is for the rest of the business world is possibly well founded.

It is possible however that a somewhat skewed perspective on matters concerning IT security is created by the penchant for only bad news to be reported in the more popular periodicals and on-line news services. With a little digging around it is possible to find some more positive news.

Investment in IT Security is improving

According to a recent news and update bulletin posted on ISO/IEC 27001, adoption rates of this international standard on IT security continue to improve on an upward trend, albeit in varying degrees in different countries around the world.

Here in the UK the trend is very positive, especially in comparison to that of our fellow members in the EU. According to the executive summary of The ISO Survey of Management System Standard Certifications – 2013, the status of ISO/IEC 27001, which gives the requirements for information security management systems, was:

At the end of December 2013, at least 22 293 ISO/IEC 27001 certificates, a growth of 14 % (+2 673), had been issued in 105 countries and economies, two more than in the previous year.

The top three countries for the total number of certificates issued were Japan, India and the United Kingdom, while the top three for growth in the number of certificates in 2013 were Italy, India and the UK.

It is likely that, in part, this growth is being driven by the emergence of new computing models, in particular transitioning to Cloud and outsourcing. However, any increase in the application of recognised standards during what have been extremely taxing economic times must be something to be welcomed.

A More Positive Picture

So with due respect to the very challenging economic times that we here in the UK are still yet to fully materialise, the news that in the last two years UK business investment in ISO accredited IT security standards has continued to increase, sufficient to maintain a UK top three ranking, is very positive news indeed.

It should be pointed out that the difference in the number of 27001 certificates awarded between the top ranking country Japan (7084) and India (1931) and the UK (1923) is quite significant, with Japanese businesses achieving more than twice that of the UK and India together in 2013.

So even whilst the UK is doing better than most, perhaps the answer to the questions posed above is “yes” and on both counts?

What else do you think could and should be done to increase focus and investment on improving the state of IT security where this is needed?

Article Links

Move security from IT up to boardroom, says Francis Maude.

World distribution of ISO27001 certifications displayed graphically



Health records on your own Facebook-style page


An ambitious hi-tech £11m plan to allow any doctor or nurse to access a patient’s information from anywhere in the country is being launched by Islington health chiefs.

Patients will have their own Facebook-style health records page or app, detailing all of their information, which they will be able to invite other people to look at from anywhere from “Cornwall to Scotland”.

eCulture Thoughts on Electronic Health Records

As a proposed solution, eCulture certainly thinks it is a good way to go in so far as it provides a patient consent based interface solution. The key, however, will be what platform they build this to integrate with from an existing social network perspective or, if they decide to establish their own, what additional functionality they would propose to include beyond that concerning health to keep prospective clients engaged.

Other fundamental aspects of concern include the build-out of the core infrastructures, taking into account the information governance and cyber security requirements, with the need to build in capacity for growth. This is not cheap, even from a start-up perspective.

Opting for a predominantly open source approach will keep costs down, but there will always be an associated cost incurred on a user-by-user basis, some of it from commercial off-the-shelf (COTS) technologies that cannot be displaced by open source alternatives, and, subject to what functionality is provided, associated increases in platform costs.

Costs

There is potential to offer certain services to clients on a subscription basis to cover this, but this is most easily addressed when the offering is from a commercial third party, not so easily implemented when the solution is being offered from an NHS body?

Affiliate revenues are another potential but considerable care and attention in how this is achieved has to be taken, i.e. if the solution is going to have in time an advertising affiliate revenue based model, then great care has to be taken in what is advertised, again more so if it is presented as an “NHS” solution.

Perhaps the business case at the end of the day can justify the investment and running costs be met by central government, on the basis of strong returns on investment achieved.

Information Governance 

When they launch, it will be interesting to see what fair processing notice comes with the launch. If it is developed correctly, with the right approach in terms of implementing a patient consent / data access assurance model, then the notice becomes much less of an issue.

It’s all doable so one to watch for sure….

Article Links

http://www.islingtontribune.com/news/2014/sep/%C2%A311m-plan-will-put-health-records-your-own-facebook-style-page



“eCulture” A New Mission


With a recent refresh of the website and refocusing of what eCulture Solutions was about, I thought it would be good to try and define succinctly a mission, for which I have arrived at…

“To facilitate the exploitation of digital innovation, supporting delivery of positive and inclusive social and business transformation.”

The pace of technology innovation and digital inclusion is increasing at a significant rate, and societies the world over are transitioning to a digitally orientated way of life as governments and institutions adopt digital ways of engaging in preference over existing methods. Societies are entering the “eCulture” digital age.

The measure of success in the development of eCulture will come down to how well society manages to establish “mutually supporting communities” in a digital context.

It is early days, and so as organisations and business start out on their respective eCulture transitions I thought it would be helpful to offer some guidance on what could be key considerations.

Transition

Government, public sector and allied third party service transformation, delivered by a preference for engagement between service providers and users becoming, wherever possible, a digital process, is presently focused on the premise that this will deliver much needed efficiency gains and cost savings.

UK Government business case estimates presently suggest that transactions online can already be 20 times cheaper than by phone, 30 times cheaper than postal, and as much as 50 times cheaper than face-to-face.

Success however, will not be achieved with this focus alone. Efficiency gains and savings can only be realised by wide scale adoption, that in turn will only be secured by service redesign that delivers mutual benefits to service users, largely recognised by them as improvements in efficiency, effectiveness and / or quality of the service.

Digital Exclusion

There is however something that is fundamentally new in this evolution to eCulture status. Until now, any digital project concerning the engagement of service users, these being largely commercial ventures, has qualified requirements and measures of success in business plans / profit and loss forecasts on the basis of focusing engagement on a digitally “included” demographic.

By contrast, a key distinguishing factor in the transition to the ‘eCulture’ age is the social development focus on digital, for example job adverts and applications and, critically, public services such as benefits and health and social care services. For those that remain digitally “excluded”, the prospect of social exclusion and increasing poverty is of serious concern.

Digital exclusion is defined as:

  1. Access – the inability to actually go online and connect
  2. Skills – inability to use online solutions
  3. Motivation – not having a personal reason that makes use a good thing
  4. Trust – loss of privacy, or being a victim of online crime

Consequently, overcoming the digital exclusion challenges is of greater concern to government, public sector and allied third party provider projects. This is because the target demographic for online public services is the poor, elderly, frail and socially excluded, these representing the greatest proportion of citizens making most use of public and allied third party services, who unfortunately are also the greatest proportion that are ‘individually’ digitally excluded.

Additional Missed Business Opportunity

In the UK, recent research published by the BBC has found that 21% of UK’s population lack the basic digital skills and capabilities required to realise the benefits of the Internet.

Around a third of small and medium enterprises (SMEs) don’t have a website, and for voluntary, community and social enterprises (VCSEs), a great many of which represent the allied third parties supporting public service provision, this figure rises to 50%. Independent analysts estimate full digital take up could add £63 billion value to the UK economy alone!

Digital Inclusion

Of 7 billion people, around 40% of the world population has an Internet connection. In 1995, it was less than 1%. The number of Internet users has increased tenfold from 1999 to 2013. The first billion was reached in 2005, the second in 2010, the third will be reached by the end of 2014.

In 2013 in the UK, 89% of young people now use a smartphone or tablet to go online, up from 43% in 2010. At the end of 2013, global smartphone penetration had exploded from 5% of the global population in 2009, to 22%. That’s an increase of nearly 1.3 billion smartphones in four years.

Tablets are showing faster adoption rates than smartphones. It took smartphones nearly four years to reach 6% penetration from when the devices first started to register on a global level. Tablets accomplished this in just two years.

eCulture on a Mission

So, in conclusion, the eCulture mission is to help organisations develop their digital skills and understanding of how technology innovation can be utilised operationally to increase the benefits they are able to deliver to their service users and, in the process of engagement, to help organisations reach the digitally excluded through the many digitally included.

After all, almost everybody will have family members, carers, friends or benevolent neighbours that are digitally included…

“their digital community”

A noble quest wouldn’t you agree?



Patient Record Access – A Perspective 2 Years On



In May 2012 I wrote an article (Patient access to GP Records by 2015) and offered some immediate thoughts on who would be the primary beneficiaries of this Department of Health mandate, with some thought on identifying the primary element of the patient population that access to medical information should be targeted at.

A little over two years on and with the benefit of additional insight from consultancy engagements with some very innovative and forward thinking solution providers, there remains much to be resolved if the target is to be met, especially with anything like a solution that delivers on the range of benefits that should be secured.

Current Focus Remains Narrow

Technology choice for electronic patient records (EPRs) and patient record access is wide and varied, from traditional operational patient administration system providers, with these largely focusing on improving visibility and accessibility of clinical patient information operationally, to the more expensive and challenging to implement solutions that can integrate patient data from a wide range of operational clinical systems, from independent solution providers.

For the most part, investment in EPR technologies is currently health sector and organisationally specific, with current early phases of delivery focusing on clinical operational needs (data quality) and business performance improvement (QIPP). This, it is felt, is largely because these tend to be business case qualifications (QIPP deliverables) that are easier to define than alternatives concerning the wider benefits of patient engagement.

The technology to enable patient record access exists, and certainly with the right approach and focus, the target for enabling citizen access to at least key parts of their record remains achievable. There are however, some fundamental considerations to be addressed to move thinking beyond current operational focus, and onto the service transformation potential citizen engagement would deliver.

Patient (Citizen) Centricity

A citizen view servicing “meaningful use” requires the assimilation of information from multiple organisations, e.g. primary care, community care, social care, acute care and mental health, as well as systems, such as appointment management solutions, prescribing management systems, patient management systems and healthcare contact systems etc., especially when giving due consideration to the touch points across health and social care for patients with, for example, long-term chronic conditions.

This means that the maximum benefit to be secured by access to medical information can only realistically be achieved by a strong commissioning lead, and one that is capable of resolving the conflicting interests and competing requirements individual information host organisations will bring to the table.

It remains the case that the greatest benefit to be secured from improving patient engagement through provision of better information will be derived from engaging with those that are suffering from one or more long-term chronic conditions, where engagement succeeds in enabling patients and their carers to better manage the condition(s), to the point of reducing the number of calls and escalations that require direct engagement of health professionals and any associated service provision.

Data Ownership Becomes a Concern

However, it remains the case that for this engagement to be most useful, the solution should provide the citizen (owner) with a mechanism by which they can consent to access to the information by members of their personal care circle (friends and family). Citizens should be able to refine access according to need, i.e. allow some carers to see more of the record than others.

Inclusiveness, accessibility and security subsequently still also remain primary concerns, given the largest proportion of patients that stand to gain from engagement supported with access to health and social care information are those with long-term chronic conditions, a large proportion of which presently have limited engagement with technology.

Data Protection

Along with the issue of ownership, a further information governance concern arises from delivery of a single unified patient record, built from the assimilation of information from a multitude of operational systems managed by different organisations (data controllers), in that data moved into a new host creates new data controller obligations and information governance responsibilities that can be difficult to align operationally.

Critically, new patient identifiable systems are necessary, such as a “Master Patient Index”, that enable different patient coding systems and identification methods to be unified, thus ensuring that data assimilated and presented is relevant to the patient concerned.

Administering a master patient index sitting in between a multiplicity of systems in different organisations would need to involve resources across all organisations and, in the process, would likely lead to an increase in the range of access to patient identifiable information above and beyond current organisational focused remits.

Looking ahead, the range of benefits for all concerned increases when integration with social care information is incorporated but, as before, concerns for data protection and information governance also increase.

Key to Resolving Ownership and Data Protection

Establishing a maintainable Master Patient Index (Citizen Directory Service) within a safe, secure framework capable of accommodating the administration and multiple access requirements, with the ability for the citizen to understand and appreciate the range of identifiers associated to them and to self-maintain appropriate identification attributes, would provide a solid engagement foundation from which service and bi-directional data flows could be managed.

Additional benefits to be derived from a self-maintained citizen directory include a range of health and social care data management needs that are outside of the current health and social care systems. These include:

  • Details on their personal care circle, family and friends supporting them and what level of care they provide, mentors, and additional support they may have contracted or secured privately from third sector providers and charities, support groups etc.;
  • Extending data flows for care plans, end of life plans, life stories, coping strategies, self-prescribing / medicating information;
  • Scheduling of personal health and wellbeing activities such as keeping fit activities and appointments schedules with third sector providers etc.;
  • Ability to link data associations from assisted living devices, tele-health and tele-care devices and solutions that, again, may be acquired by patients through private purchases or through personal engagement with third party service providers.

These represent just some of the additional information that could be sourced directly from the citizen and / or their personal care circle and that, by virtue of the association being known in the “citizen directory service”, could potentially be provided back to health and social care providers to further help inform and shape the care delivery process.

Importantly, at this level the citizen (or person assigned power of attorney) is the data controller and owner of their information, thus resolving a significant data protection cost and engagement challenge for health and social care.

So What’s Likely in 2015?

The country is certainly more than one year away from securing the very significant efficiency, effectiveness and quality service improvements that could be achieved from patient access to medical information.

It is perhaps not surprising, given that since the announcement on patient access to medical records was made there has been (and needed to be) a significant focus on the re-organisation of health care, that at best patients will only be provided in 2015 with a fairly rudimentary (read-only) level of access to information and, likely, primarily from just one source, the GP.

There is consequently the potential for a real and very significant problem emerging ironically from the re-organisation, which materialises from the devolution of control and responsibility for delivery down to a local level.

This is because, if it is agreed that a unified master patient index (citizen directory service) is a key foundation to progressing onto an integrated, citizen-centrically focused and bidirectional process of engagement, then this ought to be implemented to a national standard, and perhaps once?

Concluding Thoughts

With current technology supporting mobility for the population and rapidly emerging to support assisted living, tele-health and tele-care, the very process of caring and engaging in a patient’s care pathway / process is set to change dramatically.

Care closer to home is set to become a reality, technologies are emerging that can enable patient carers to become more engaged in the ongoing care process and management of conditions, along with technologies that also have the ability to increase levels of confidence for patients to live more independently.

Subsequently care, supported by the technology innovations emerging today, has the potential to become a true joint venture that engages personal care circles of family members, friends and personally engaged third sector charities or private sector providers of services and solutions with public funded health and social care service provision.

It is this potential that delivers the much needed reform of the current health and social care model, certainly at a scale with potential to exceed achievement of £20bn of efficiency gains and savings.

Whilst there are benefits to initiatives having a local focus, so that variation in needs across communities can be accommodated there are some core elements that if not delivered as a national hub, must at least be supported by appropriate nationally agreed standards, addressing requirements such as interoperability, data / care pathway workflows to support engagement functioning across localities, however these are defined.

With that said, the patient / citizen user experience is another area for concern, with the potential benefits to be secured from engagement being undermined by patients’ / citizens’ experiences being widely different across the country, as features and capabilities vary as a result of variations in approaches.

But see, now this represents a case for some sort of nationally coordinated approach, and we’ve been there with the National Programme for IT (NPfIT), and if you believe everything you read that was a total failure, with nothing of any real benefit delivered.

But then maybe, the NHS SPINE, Summary Care Record and need for unifying the interface to offer citizens consistency in the engagement experience, if only there was an appetite to even consider the potential use of some of the NPfIT investments that did deliver?

What do you think?



Digital Citizen Centred Healthcare Critical for Reform



Citizen centred healthcare is part of a shift in focus which has drawn increasing interest in recent years, highlighting the importance of incorporating citizens’ needs and perspectives into care delivery. The citizen’s engagement with their care is now considered a key part of patient-centred healthcare.

Incorporation of health solutions addressing the Department of Health Digital First initiatives on patient engagement, focusing as a first step on those identified with long-term chronic conditions and delivering a health engagement solution that can reach the patient’s personal care circle, would provide a first significant foundation for service transformation to a patient centric service model.

As has been acknowledged in a recent Guardian article,

“Families are the biggest providers of care, yet carers can find themselves cut out of decision-making and bounced between bureaucracies.

If you care for someone and they need support, you don’t really care whether it is the NHS, a local council or nearby mental health services that provides it – all that matters is that it is the right support, on time, from a caring and well-trained professional

Better integration can solve that problem because it leads to the NHS, local councils and mental health services working better as a unit rather than as three separate entities. When services are integrated, all that matters is making sure that older, ill and disabled people and their families get continuous care regardless of their circumstances.”

The objective of integrated care is reflected in the NHS England mandate:

“An NHS for everyone, regardless of income, location, age, gender ethnicity or any other characteristic. Yet across these groups there are still too many long-standing and unjustifiable inequalities in access to services, in quality of care and in health outcomes. The NHS England Board has specific legal duties to tackle health inequalities and advance equality”.

“The Board’s objective is to achieve a significant increase in the use of technology to help people manage their health and care”.

Presently technology investments tend to be focused on filling gaps in operational information capability, electronic patient records investments being an example of note. Whilst these will make a positive impact on the operational efficiency of service providers, the focus of this investment is presently too narrow to facilitate radical transformation to a new service delivery model that better engages and supports citizens and importantly, those with long-term chronic conditions and their family members and friends operating in a carer role.

Engagement

There is a large body of evidence that highlights that “care closer to home”, delivered by the provision of better engagement of citizens with their family and friends (carers), is fundamental to service transformation, at a scale sufficient to make a significant and demonstrable contribution across the health and social care “Quality, Innovation, Productivity and Prevention (QIPP)” agenda.

The Guardian article goes on to highlight:

“That in the worst cases, failing to support families can push them to breaking point and result in hospitals admitting both the carer and the older or disabled person. This situation is unacceptable but it is also preventable”

in a recent Carers UK survey,

“almost two-thirds of carers supporting someone after a hospital discharge said they had either been consulted late or not at all, and one in three carers caring for someone recently admitted to hospital in an emergency said that it could have been prevented if they had had more support at home”

Making The Case

This highlights one of the more significant well-being benefits to be derived from better citizen / carer engagement that can also make a very significant contribution for reductions in the cost of healthcare, by reducing for example the number of avoidable hospital admissions, a theme explored in a King’s Fund paper on (Dec 2010), which exposed a number of factors that were found to be associated with increased rates of admission, and therefore important considerations when targeting interventions with the objective of reducing avoidable admissions.

The Kings Fund report classified the considerations into the following categories:

Age; Social Deprivation; Morbidity Levels; Area of Residence; Ethnicity; and Environmental Factors

The report recommends that,

“Policy-makers should consider the impact of socio-economic deprivation and other socio-demographic factors when designing policy around admission rates”

The fact is these factors are equally important considerations for citizen / carer engagement.

Suggested approaches put forward by the Kings Fund paper towards identifying high risk groups focus on internal business intelligence (BI) approaches utilising the clinical knowledge base, notably threshold modelling and predictive modelling.

BI technology and capability investments are making important contributions to the remodelling of service delivery models with demonstrable progress already achieved towards Evidence-Based Health Care (EBHC), Pay for Performance (P4P), Diagnosis-Related Groups (DRG) of note, some of which are positively impacting costs through reductions in things like hospital admission rates.

The addition of a citizen centric dimension, with additional socio-economic deprivation and socio-demographic data inputs derived from engagement of citizens, their care circle and other third sector providers, charities and special interest local and national groups would greatly enhance the value of BI investments to provide a much stronger platform upon which service transformation decision making would be established.

Digital Citizen Centred Healthcare

Emergence of web and mobile app based technologies has provided a wide range of options for securing patient / citizen engagement with public services. Today a search of the Apple App Store for “NHS” will return a listing of 176 apps for the iPhone, and 44 for the iPad device, the Google Play App Store returns 155 apps for the IOS platform, some are the same apps, and some are not, a search on either App Store for “healthcare” generates a less than helpful greater return of results.

It is unfortunate however that the range of apps is beguiling, some are location or service provider specific, some relate to general information on services, some are condition specific, some are provider specific etc. etc., and makes for quite a wide and varied experience for the end user, with a wide variation in approaches addressing accessibility, presentation and most importantly privacy.

On the Internet the experience is just as varied and beguiling, and from an engagement perspective, services such as mainstream social networking platforms (Facebook, Twitter, LinkedIn etc.) are not able to offer the assurances on privacy and data protection required to underpin and maintain engagement, sufficiently to be utilised as collaboration tools on healthcare, beyond generalised messaging.

Exploiting Technology for Better Engagement

Unquestionably technology, and in particular web and mobile services are key enablers for engagement, service transformation, and the ability to offer a “choice for method” for engagement has some value. There is however merit in the unification of approaches, if the full benefits of engagement via mobile, internet and social networking services are truly to be secured, and at scale, quickly and for the long-term.

For this to happen, a digital citizen centred focus needs to be incorporated into technology investment considerations. This is important not only from the perspective of ensuring technology investment decisions are appropriate and aligned where necessary to engagement aims, but that also requirements concerning data protection and information governance, necessary to secure and maintain citizen and carer engagement, are also addressed appropriately going forward.

To be successful, any technology solution must also be highly scalable, flexible enough to support multiple healthcare transformation initiatives across multiple organisations and communities, seamlessly integrate multiple partners (interoperable), low cost and leave the public health and care providers in control.



UK GDS Identity Assurance



Identity and access management is one of the most challenging aspects of securing citizen, and from a National Health Service perspective patient, engagement on-line with services and information. This is especially important when the engagement extends to on-line access to highly personalised information specific to individual citizens.

As the Government Digital Service (GDS) makes progress on the digitisation of services, it is pleasing to see that the team leading the development of services is engaging with experts to advise and guide on the development of key engagement protocols.

However whilst the current scope is concerned with the one to one relationship between citizens and government services, the real challenge to come for GDS identity assurance will be that of on-line engagement between citizens and healthcare service provision.

NHS Digital First

With the NHS Digital First initiative, on-line patient access to medical records, at least those hosted by the GP, is expected to be available by 2015. Other health initiatives such as the Delivery of Assisted Living and Lifestyles at Scale (DALLAS) are thinking beyond traditional health and social care, to consider how new ideas and technology can be used to improve the way people live.

From a healthcare perspective, it is now widely acknowledged that technology has significant potential to radically transform, and consequently improve, the care delivery model. This is especially so for the 15 million citizens in the UK presently living with one or more long-term chronic (LTC) conditions and, just as importantly, for the extraordinary individuals who provide care support to those suffering from LTC(s), typically family members and / or friends.

And here is the catch: realistically, the benefits to be derived from digital engagement with patients with LTC(s), encompassing tele-health, tele-care and assisted living technologies with access to medical information, will increase considerably if engagement is extended to the patient’s care circle, largely taking the form of family and friends.

Extending Access

A patient’s personal care circle can often feature a wide number of different individuals, performing a range of different roles, for example:

A friend living close by might have a mentor role on diet and / or medication, a family member might be designated as the primary carer, and be the driver for GP and hospital appointments, another family member living further away might want access to assisted living device monitoring information and thus have an arm’s length role in care provision.

The biggest benefits, subsequently and frequently argued to be so, are to be derived from the provision of better support to the millions of citizens providing care, sufficient to enable them to more confidently undertake better informed interventions to head off negative escalations of a condition that can easily be avoided, and thus avoid referral to a GP or, worse, hospital.

Critically, for these benefits to be realised quickly, health and social care engagement needs to be capable of reaching the carer circle in the most appropriate way. Identifying these individuals and the care roles they are undertaking is a key first step; the capability to support citizen / patient consent for their personal care circle to access appropriate health and social care information is a vital second step.

Bigger Brief for Identity and Privacy Management

Consequently, Identity and Access Management investment in solutions for the digital agenda needs to be capable of addressing more than just the requirements on the basis of a single citizen or patient. It needs to be capable of accommodating and managing information on relationships between citizens and their family / friends and, from a health perspective, the roles that these additional individuals may be undertaking on behalf of the patient, and of course patient consent to access their information, to whomever they choose!
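The care-circle roles described above (a mentor friend, a primary-carer family member, an arm's-length family member) and the requirement in the Patient Record Access article that citizens can "refine access according to need" can be modelled as a default-deny consent register. This is an added illustration, not code from the article or from any NHS or GDS system; the class names, identifiers, record categories and 30-day expiry are all assumptions.

```python
"""Consent-scoped access for a patient's personal care circle (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Category(Enum):            # hypothetical record sections
    APPOINTMENTS = "appointments"
    MEDICATION = "medication"
    DIET = "diet"
    DEVICE_MONITORING = "device_monitoring"
    CLINICAL_NOTES = "clinical_notes"


@dataclass(frozen=True)
class Grant:
    carer_id: str
    role: str                # descriptive label; it never widens access by itself
    categories: frozenset    # record sections the patient consented to share
    expires_at: datetime     # consent lapses unless it is renewed


class ConsentRegister:
    def __init__(self):
        self._grants = {}      # (patient_id, carer_id) -> Grant
        self._attorneys = {}   # patient_id -> ids holding power of attorney
        self.audit = []        # every decision is recorded for later review

    def add_attorney(self, patient_id, attorney_id):
        self._attorneys.setdefault(patient_id, set()).add(attorney_id)

    def _require_manager(self, actor_id, patient_id, action, now):
        # Only the patient, or someone holding power of attorney, manages consent.
        ok = actor_id == patient_id or actor_id in self._attorneys.get(patient_id, set())
        self.audit.append((now, actor_id, patient_id, action, "OK" if ok else "DENIED"))
        if not ok:
            raise PermissionError("only the patient or their attorney can manage consent")

    def grant(self, actor_id, patient_id, carer_id, role, categories, valid_for, now):
        self._require_manager(actor_id, patient_id, f"grant:{carer_id}", now)
        self._grants[(patient_id, carer_id)] = Grant(
            carer_id, role, frozenset(categories), now + valid_for)

    def revoke(self, actor_id, patient_id, carer_id, now):
        self._require_manager(actor_id, patient_id, f"revoke:{carer_id}", now)
        self._grants.pop((patient_id, carer_id), None)

    def can_read(self, requester_id, patient_id, category, now):
        if requester_id == patient_id:
            allowed = True
        else:
            # Default deny: no grant, wrong section or lapsed consent all refuse.
            g = self._grants.get((patient_id, requester_id))
            allowed = bool(g and category in g.categories and now < g.expires_at)
        self.audit.append((now, requester_id, patient_id,
                           f"read:{category.value}", "OK" if allowed else "DENIED"))
        return allowed


T0 = datetime(2015, 1, 1, tzinfo=timezone.utc)   # constructed timestamp


def build_care_circle():
    """Constructed scenario mirroring the three care roles in the text."""
    reg = ConsentRegister()
    month = timedelta(days=30)
    reg.grant("patient-1", "patient-1", "friend-1", "diet and medication mentor",
              {Category.DIET, Category.MEDICATION}, month, T0)
    reg.grant("patient-1", "patient-1", "daughter-1", "primary carer",
              {Category.APPOINTMENTS, Category.MEDICATION}, month, T0)
    reg.grant("patient-1", "patient-1", "son-1", "arm's-length monitoring",
              {Category.DEVICE_MONITORING}, month, T0)
    return reg


if __name__ == "__main__":
    reg = build_care_circle()
    for who in ("friend-1", "daughter-1", "son-1"):
        seen = [c.value for c in Category if reg.can_read(who, "patient-1", c, T0)]
        print(who, "->", seen)
```

The role string is kept purely descriptive so that relabelling a carer can never broaden what they see; only an explicit grant by the patient or their attorney does.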

Article Link

Computer Weekly Article



Communications Data Bill published



The UK Government has just published its proposed Communications Data Bill, a new regulatory framework refreshing the old Regulation of Investigatory Powers Act (RIPA) to ensure law enforcement agencies maintain the ability to tackle crime and terrorism as criminals use modern technology and new ways of communicating to plan and commit crime.

The main point of concern already being raised is that the powers will ensure that all data communication sent via mobile phones, emails and other Internet based means will be recorded for all citizens, and stored for a period of time.

Whilst tracking and storage of all communications might actually be necessary to identify those elements of society undertaking or planning to undertake criminal or terrorist activity, the safeguards that are to be in place to ensure the privacy of the law abiding citizen is protected, are not detailed enough to close this debate.

The publication website offers the following summary on the proposed bill, that new legislation will help ensure police can stay a step ahead of the criminals. But it will not:

  • enable unfettered access by the police to data about everyone’s communications
  • provide the police and others with powers to intercept and read your emails, phone calls or check your contacts lists
  • create a single government database containing your emails and phone calls to which the police and agencies can get unlimited and unregulated access
  • weaken current safeguards or checks in place to protect communications data
  • allow local authorities greater powers

The site goes on to provide commentary from a number of senior law enforcement professionals under the heading “protecting the public”, including:

  • Association of Chief Police Officers crime head Jon Murphy chief constable of Merseyside Police
  • Child Exploitation & Online Protection Chief Executive Peter Davies
  • SOCA Director General Trevor Pearce

One cannot help thinking that an additional heading entitled “Protecting the Public’s Privacy”, with statements from the likes of the Information Commissioner and perhaps one or two privacy pressure groups, on the basis of their being briefed and satisfied with the privacy controls being implemented in support of the bill, would do a lot to head off concern.

Whilst there can be little doubt of the need to ensure investigation and intelligence capabilities are able to keep pace with technology developments, the lack of up-front assurance aimed at addressing what should be reasonably anticipated, specifically concerns on privacy, is somewhat perplexing.

Article Link

UK Gov Communications Data Bill publication

