Category Archives: Information Governance


NHS CyberSecurity lessons makes you WannaCry?

The NHS cybersecurity lessons arising from the worldwide ransomware attack of 14 May are already prompting much debate within the NHS, much of it focused on the failure of affected organisations to invest adequately in IT systems to mitigate the risk of such an event.

The ransomware exploited a known vulnerability in Windows XP, for which a patch had been issued earlier in the year. The biggest news headlines here in the UK concerned the impact on the NHS, with a great many organisations appearing to have been caught out by the Windows XP vulnerability.

As is usually the case when the public sector suffers an adverse event, the call goes out for lessons to be learned, typically on the assumption that these are all new. Inevitably, however, some of the lessons have already been learned but never put into practice.

Windows XP Legacy

Those who have been around NHS IT for a while will remember the last Labour government’s implementation of the National Programme for IT (NPfIT), tasked with delivering a standard national NHS IT system. Regardless of what is thought about the success or failure of the programme, it left a lasting legacy long after it was cancelled.

This applies not least to those NHS organisations that had progressed to implementing NPfIT systems and solutions and, in doing so, had tied themselves to technology standards defined by the programme that could not easily be changed. In the commentary following the ransomware event it has been highlighted that the legacy of NPfIT Windows XP implementations was the reason so many organisations were adversely affected.

In September 2011, the government announced the acceleration of the dismantling of the National Programme for IT*. Whilst at the time the impact of this decision was not significant, because NPfIT technology was still current and thus supported by providers, it should perhaps have been better recognised that this state was not sustainable in the long term. This was especially true for Windows XP, because the next version, Windows 7, was already available (released October 2009) and being adopted across health in non-NPfIT environments.

Things finally came to a head for XP when Microsoft announced that it would be ending patching and maintenance support for the platform in April 2014. Thankfully, acknowledging that there was still a dependency on this technology platform, the government took steps and signed an extraordinary deal with Microsoft** that secured continued support for XP across the UK public sector for another 12 months.

Critically, a condition of this agreement was that any public sector body wishing to take advantage of the extended support arrangement had to commit to developing a “robust plan” to move off Windows XP, Office 2003 and Exchange 2003 within the year.

Roll forward to 2015 and the next government decision on the matter was just as they had advised: that they would be closing down this extraordinary support arrangement***, and it has to be said for good reason, on the basis that continued central government funding of the deal was not consistent with the need to encourage organisations to urgently upgrade or migrate.

The question here, however, has to be: “was it reasonable to expect trusts to be able to find the funds for a wholesale upgrade of unsupported operating systems in such a short time frame (equivalent to a single financial year)?”

To further compound matters, NHS organisations had been shielded from the full cost of wholesale systems upgrades throughout the time of NPfIT. A national licensing deal with major suppliers like Microsoft removed the need for software costs to be met locally by NHS organisations****.

Straight Out the PRINCE2 Textbook

It is accepted best practice that when a pre-existing programme or project is to be closed down, an impact assessment of the consequences should be undertaken, not least so that the risk can be properly understood and adequate mitigations planned. If nothing else, there is nearly always a financial consequence to closing programmes and projects, and this is a very good example of one.

The NPfIT programme along with central licensing deals transformed the model of IT investment within the NHS for a decade. Switching these off and closing down the national deals the programme created was inevitably going to have consequences for participating organisations.

Some will argue that the implementation of the extraordinary support arrangements for legacy software was an act of risk mitigation. However, was it reasonable in 2014 to expect affected organisations to plan and implement an upgrade or migration from XP in a single financial year, without any additional financial support being provided?

The NHS had already been managing financial pressures for a good number of years before the decision to end XP support was taken; certainly long enough for organisations to flag this as a risk of significance, and to make clear that without additional and extraordinary financial support there was no way they were going to be able to take the steps needed to address the situation.

In summary, it is clear that although the NPfIT national licensing deals themselves had been closed down some years earlier, in 2010, the impact of this decision on local investment plans going forward was never properly qualified or understood, and that further opportunities to address this in 2015 were missed, and continued to be missed all the way up to the 14th of May this year, 7 years on!

Shout to the Top

As an acknowledged risk, the XP issue should have been raised on the Information Governance (IG) Risk Register and flagged as a serious concern to the Senior Information Risk Owner, a role which by then (as a result of improvements to NHS IG standards) was assigned to a senior management representative on the board of the organisation.

Additionally, given the dependence on technology in meeting clinical outcomes, the risk should have also featured on the Clinical Risk Register, which would have flagged it up to the Chief Medical Officer, also a member of the board.

Just a cursory glance at most organisations’ annual reports and board papers will expose the fact that IT barely gets a mention. Certainly, any reviewer will be hard pressed to find any mention of XP specifically in the dealings of the boards of any of the organisations affected, at any stage of the period during which this was an ongoing concern.

This therefore exposes a potentially bigger issue: that information technology investment and dependence is not a matter adequately represented at board level, then or now.

This is clearly a matter of concern, given that the recent event exposed how critically the service depends on information technology in the performance of its primary function, the delivery of treatment and care.

Frustratingly, some of the commentary on the event included the phrase “IT is not the primary business of the NHS”, suggesting that it is therefore not the NHS’s responsibility to ensure the reliability and safety of the tools it uses to deliver care. This is clearly nonsense.

Is it perhaps partly this attitude that has excluded proper IT representation at board level? Given the next stage of investment required and proposed by “paperless at the point of care” and “integrated digital health and care plans”, and the additional dependence on technology this will create, it is now time for IT to have a seat at the top table.

Information Governance STILL Maturing?

The NHS has an excellent online tool and system of guidance and assessment addressing information systems, security and good practice management standards (the NHS Information Governance Toolkit). The tool is well established, having been in use for more than 15 years, with NHS organisations’ status reports openly published and available for review.

In April 2014, in a blog article entitled Patient Record Access – A Perspective 2 Years On, I set out the more fundamental data protection and information governance challenges that the NHS needed to address to maximise the benefits potential of digital engagement. Not long after, the original 2015 target for achieving patient record access was deferred to 2018 and linked to the “paperless at point of care” requirement.

Then, and still today, technology innovation is widely acknowledged and accepted to be the primary means by which the transformation of current health and social care models is to be achieved, along with the opportunity to deliver service effectiveness improvements and efficiencies at substantial scale (£20bn+) going forward.

NHS 2020 digital roadmaps across the country outline ambitious plans addressing the technology integration and innovation requirements needed to achieve “paperless at the point of care” and an “integrated digital health and care record”. The levels of investment are significant, but then so is the benefits potential. For the first time in the history of health and social care, the technology exists to support transformation to a more pro-active and well-being orientated model.

Success, however, will be heavily dependent on the digital engagement of patients and their carers, and on how effectively this is achieved. In this respect information governance will be a key deliverable and a factor in how much and how quickly the benefits of patient digital engagement are secured and maintained going forward. Patients will need ongoing assurance that digital engagement is safe and that their right to privacy is being properly protected.

Of the 33 major NHS organisations (community and acute hospitals) identified to have been affected, all have reported a “satisfactory” rating in the information governance self-assessments completed in March this year, in particular for the following requirements:

Information Security Assurance

  • 14-301 A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed
  • 14-307 An effectively supported Senior Information Risk Owner takes ownership of the organisation’s information risk policy and information risk management strategy
  • 14-309 Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place
  • 14-310 Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error
  • 14-311 Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code
  • 14-313 Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely

The recent cybersecurity event serves to remind the NHS that, despite all the good work done in developing information security and governance standards, and despite all the resources provided to help organisations get good at this, there is so much more to be done, and this too is going to require additional investment at the local organisational level.

Links to Articles

* Gov Announces Dismantling of NHS National Programme for IT

** Government signs £5.5m Microsoft deal to extend Windows XP support

*** The UK government stopped funding Windows XP support to try and force people to upgrade

**** NHS loses massive Microsoft licensing rebate


Digital Patient Engagement or Participation?

By 2018 patients should have access to their medical records online. By 2020 this should have evolved into a digital patient engagement solution as health and social care achieves “paperless at the point of care” working practices. But is it just about engagement, or should we be preparing more for active participation in, and ownership of, health concerns and issues?

Digital Transformation of Service Delivery

Most of the concern that has been shared with me is that the NHS 2020 Digital proposals are still not making adequate plans to exploit, as early as possible, the opportunity provided by Internet of Things (IoT), wearables and assisted living technologies.

The current focus is on resolving internal data integration and flow issues, which do need resolving, acknowledging that there are clinical and information governance concerns as well as care benefits to be addressed. But whilst these in the main deliver service quality and improved workflow for people already in the system, their support for the delivery of a transformed and more sustainable service delivery model is limited.

Transformation of the service delivery model, and any significant improvement in the future sustainability of health and social care, is largely dependent on digital patient engagement (or better, participation) and on the capabilities delivered by technology innovation incorporated to support pro-active participation. The opportunity and benefits potential is significant when the service delivery model evolves from one that is largely re-active and after the fact to an alternative, more sustainable, pro-active and well-being orientated model.

These benefits will only be enhanced by the ability to integrate and exploit the technology innovations and automation delivered by IoT, wearables, assisted living, and health, care and well-being monitoring solutions. Adoption of these technologies will increase as they become more capable, and with this increase the range of pro-active information and data supporting opportunities for further cost-saving interventions and/or preventions will also grow.

Data Governance and Management

Consequently the long-term objective of any digital health and care engagement solution should be to provide the means to help us live well and, if we are unfortunate enough to have one or more long-term chronic conditions or a disability, to empower us to manage our situation as much and as well as we can. It is never just about us as individuals, though: pretty much all of us care for, or are cared for by, somebody else. So we should be able to gain access to others’ information too.

All of the above inevitably leads to an explosion of information becoming available, and of the most personal and sensitive kind! Consent and data ownership and management quickly become the most important considerations in the design of any engagement solution that needs to be open to accommodating future technology innovations delivering on the pro-active health and well-being opportunity.

It is, however, widely acknowledged that local developments and deployments are not being guided by a core common engagement and consent model or by universal data flow and integration standards. Of concern, consequently, is that progress towards a better model of health and care continues to evolve with massive variations in the capability delivered across regions.

Until the need for core common standards on data consent, governance and interoperability is fully addressed, the participation of patients and citizens in digital solutions will likely remain inhibited, and subsequently the opportunity to achieve the £20b of universal benefits from a transformed service delivery model by 2020 will very likely remain an elusive and much less assured target than it could otherwise be.

References and Links

This article was produced in response to the news item Health wearables firm Fitbit holds talks with NHS, published by Digital Health.


Health records on your own Facebook-style page

An ambitious hi-tech £11m plan to allow any doctor or nurse to access a patient’s information from anywhere in the country is being launched by Islington health chiefs.

Patients will have their own Facebook-style health records page or app, detailing all of their information, which they will be able to invite other people to look at from anywhere from “Cornwall to Scotland”.

eCulture Thoughts on Electronic Health Records

As a proposed solution, eCulture certainly thinks this is a good way to go in so far as it provides a patient consent based interface. The key, however, will be what platform they build this to integrate with from an existing social network perspective or, if they decide to establish their own, what additional functionality beyond that concerning health they would propose to include to keep prospective clients engaged.

Other fundamental aspects of concern are the build-out of the core infrastructure, taking into account the information governance and cyber security requirements, together with the need to build in capacity for growth. This is not cheap, even from a start-up perspective.

Opting for a predominantly open source approach will keep costs down, but there will always be an associated per-user cost for commercial off the shelf (COTS) technologies that cannot be displaced by open source alternatives and, depending on what functionality is provided, associated increases in platform costs.

There is potential to offer certain services to clients on a subscription basis to cover this, but this is most easily addressed when the offering comes from a commercial third party; it is not so easily implemented when the solution is being offered by an NHS body.

Affiliate revenues are another possibility, but considerable care and attention has to be taken in how this is achieved: if the solution is in time going to have an advertising affiliate revenue based model, then great care has to be taken over what is advertised, all the more so if it is presented as an “NHS” solution.

Perhaps, at the end of the day, the business case can justify the investment and running costs being met by central government, on the basis of the strong returns on investment achieved.

Information Governance

When they launch, it will be interesting to see what fair processing notice comes with it; if the solution is developed correctly, with the right approach to implementing a patient consent and data access assurance model, then the notice becomes much less of an issue.

It’s all doable, so one to watch for sure…

Patient Record Access – A Perspective 2 Years On

In May 2012 I wrote an article (Patient access to GP Records by 2015) and offered some immediate thoughts on who would be the primary beneficiaries of this Department of Health mandate, with some thought on identifying the primary element of the patient population at which access to medical information should be targeted.

A little over two years on, and with the benefit of additional insight from consultancy engagements with some very innovative and forward-thinking solution providers, there remains much to be resolved if the target is to be met, especially with a solution that delivers on the full range of benefits that should be secured.

Current Focus Remains Narrow

The choice of technology for electronic patient records (EPRs) and patient record access is wide and varied, ranging from traditional operational patient administration system providers, largely focused on improving the visibility and accessibility of clinical patient information operationally, to the more expensive and challenging-to-implement solutions from independent providers that can integrate patient data from a wide range of operational clinical systems.

For the most part, investment in EPR technologies is currently health sector and organisationally specific, with the current early phases of delivery focusing on clinical operational needs (data quality) and business performance improvement (QIPP), largely, it is felt, because these tend to be business case qualifications (QIPP deliverables) that are easier to define than alternatives concerning the wider benefits of patient engagement.

The technology to enable patient record access exists and, certainly with the right approach and focus, the target for enabling citizen access to at least key parts of their record remains achievable. There are, however, some fundamental considerations to be addressed in order to move thinking beyond the current operational focus and onto the service transformation potential that citizen engagement would deliver.

Patient (Citizen) Centricity

A citizen view servicing “meaningful use” requires assimilation from multiple organisations, e.g. primary care, community care, social care, acute care and mental health, as well as from systems such as appointment management solutions, prescribing management systems, patient management systems and healthcare contact systems, especially when giving due consideration to the touch points across health and social care for patients with, for example, long-term chronic conditions.

This means that the maximum benefit to be secured from access to medical information can only realistically be achieved through a strong commissioning lead, one capable of resolving the conflicting interests and competing requirements that individual information host organisations will bring to the table.

It remains the case that the greatest benefit from improving patient engagement through the provision of better information will be derived from engaging those suffering from one or more long-term chronic conditions, where engagement succeeds in enabling patients and their carers to better manage the condition(s), to the point of reducing the number of calls and escalations that require the direct involvement of health professionals and associated service provision.

Data Ownership Becomes a Concern

However, for this engagement to be most useful, the solution should provide the citizen (owner) with a mechanism by which they can consent to access to their information by members of their personal care circle (friends and family). Citizens should be able to refine access according to need, i.e. allow some carers to see more of the record than others.

Inclusiveness, accessibility and security consequently remain primary concerns, given that the largest proportion of patients who stand to gain from engagement supported by access to health and social care information are those with long-term chronic conditions, a large proportion of whom presently have limited engagement with technology.

Data Protection

Along with the issue of ownership, a further information governance concern arises from the delivery of a single unified patient record built from the assimilation of information from a multitude of operational systems managed by different organisations (data controllers): data moved into a new host creates new data controller obligations and information governance responsibilities that can be difficult to align operationally.

Critically, new patient-identifiable systems are necessary, such as a “Master Patient Index”, that enable different patient coding systems and identification methods to be unified, thus ensuring that the data assimilated and presented is relevant to the patient concerned.

Administering a master patient index sitting between a multiplicity of systems in different organisations would need to involve resources across all of those organisations and, in the process, would likely lead to an increase in the range of access to patient-identifiable information beyond current organisationally focused remits.

Looking ahead, the range of benefits for all concerned increases when integration with social care information is incorporated but, as before, the concerns for data protection and information governance also increase.

Key to Resolving Ownership and Data Protection

Establishing a maintainable Master Patient Index (Citizen Directory Service) within a safe, secure framework, capable of accommodating the administration and multiple access requirements, with the ability for the citizen to understand and appreciate the range of identifiers associated with them and to self-maintain appropriate identification attributes, would provide a solid engagement foundation from which services and bi-directional data flows could be managed.

Additional benefits to be derived from a self-maintained citizen directory include a range of health and social care data management needs that are outside of the current health and social care systems, such as:

  • Details of their personal care circle: family and friends supporting them and what level of care they provide, mentors, and additional support they may have contracted or secured privately from third sector providers, charities, support groups etc.;
  • Extending data flows for care plans, end of life plans, life stories, coping strategies, and self-prescribing / medicating information;
  • Scheduling of personal health and wellbeing activities, such as keeping-fit activities and appointment schedules with third sector providers etc.;
  • The ability to link data from assisted living devices, tele-health and tele-care devices and solutions, which again may be acquired by patients through private purchase or through personal engagement with third party service providers.

These represent just some of the additional information that could be sourced directly from the citizen and/or their personal care circle which, by virtue of the association being known in the “citizen directory service”, could potentially be provided back to health and social care providers to further help inform and shape the care delivery process.

Importantly, at this level the citizen (or person assigned power of attorney) is the data controller and owner of their information, thus resolving a significant data protection cost and engagement challenge for health and social care.

So What’s Likely in 2015?

The country is certainly more than one year away from securing the very significant efficiency, effectiveness and quality service improvements that could be achieved from patient access to medical information.

Perhaps not surprisingly, given that since the announcement on patient access to medical records was made there has been (and needed to be) a significant focus on the re-organisation of health care, at best patients will only be provided in 2015 with a fairly rudimentary (read only) level of access to information, and likely primarily from just one source, the GP.

There is consequently the potential for a real and very significant problem to emerge, ironically, from the re-organisation itself, through the devolution of control and responsibility for delivery down to a local level.

This is because, if it is agreed that a unified master patient index (citizen directory service) is a key foundation for progressing onto an integrated, citizen-centric and bi-directional process of engagement, then it ought to be implemented to a national standard, and perhaps only once.

Concluding Thoughts

With current technology supporting mobility for the population and rapidly emerging to support assisted living, tele-health and tele-care, the very process of caring for, and engaging in, a patient’s care pathway is set to change dramatically.

Care closer to home is set to become a reality. Technologies are emerging that can enable patients’ carers to become more engaged in the ongoing care process and management of conditions, along with technologies that have the ability to increase patients’ confidence to live more independently.

Consequently, care supported by the technology innovations emerging today has the potential to become a true joint venture, one that engages personal care circles of family members, friends and personally engaged third sector charities or private sector providers of services and solutions alongside publicly funded health and social care service provision.

It is this potential that delivers the much-needed reform of the current health and social care model, certainly at a scale with the potential to exceed the £20bn of efficiency gains and savings.

Whilst there are benefits to initiatives having a local focus, so that variation in needs across communities can be accommodated, there are some core elements that, if not delivered as a national hub, must at least be supported by appropriate nationally agreed standards, addressing requirements such as interoperability and data / care pathway workflows to support engagement functioning across localities, however these are defined.

With that said, the patient / citizen user experience is another area of concern, with the potential benefits to be secured from engagement being undermined by patients’ / citizens’ experiences being widely different across the country, as features and capabilities vary as a result of variations in approach.

But now this represents a case for some sort of nationally coordinated approach, and we have been there before with the National Programme for IT (NPfIT), which, if you believe everything you read, was a total failure with nothing of any real benefit delivered.

But then maybe the NHS SPINE and Summary Care Record could address the need for a unified interface offering citizens consistency in the engagement experience, if only there were an appetite to even consider making use of some of the NPfIT investments that did deliver.

What do you think?


eMail Highlights a Data Protection Conundrum

eMail poses some interesting challenges from the information governance perspective, challenges that have been carried forth since the birth of personal computing and early misjudgements made in establishing this new computing concept.

Personal access, or more specifically the personalisation of user access and the assignment of rights in a corporate setting, is the issue, and it has become a challenge for organisations trying to wrestle back ownership of corporate data through the introduction of identity and access management solutions and, most importantly, role based access control (RBAC) models.

It is a fact that a great many users perceive the allocation of a user logon ID (usually some representation of their name) and the subsequent allocation of email as something personal to them, and not just the means and tools provided by the corporation to help them perform their duties.

This is not helped in some respects by the right to privacy in the corporate setting being automatically assigned by law, when in truth (ignoring personal use for the moment) the first claim on the corporate data contained within an email is surely with the employing organisation.

Data Protection Conundrum

This conundrum is perhaps best illustrated by the NHS’s own provision of a national (cloud type) email offering (NHSmail), founded on the principle of NHS staff being allocated an email address for life! A concept that creates some potentially major information governance challenges and issues.

For example, nurse A works for a trust in the GNU clinic and routinely handles sensitive and private information, not necessarily all of it in patient-identifiable form via email, but for the sake of argument assume that she has a function that warrants the use of email in this way.

Nurse A leaves the trust and takes up a post in another trust, in a different, less sensitive business function; according to the policy for NHSmail she takes her mail account with her. Unless the first trust has a very robust starters and leavers administration and management process (a great many do not), any data (unless archived off by the user) goes with her to her new post. That’s information governance issue one.

The second information governance issue concerns the loss of continuity that arises from the fact that her replacement (and this is largely true of any mail system) will most likely never get sight of their predecessor’s communications.

Many staff, because they use email for personal as well as business purposes, will typically clean their mailbox down; this is more about protecting their personal privacy than about protecting the information of those individuals they may have been privy to.

Even if a user bothers to sort and sift when deleting, so as to leave behind relevant information for the person following them into the role, the second information governance issue of disconnection still occurs, because as likely as not the mailbox never gets reassigned; instead the new user gets a new mailbox.

Of course email is just one example of a number of personalisation issues that have come into existence; personal file shares and user based permissions are other significant information governance concerns affected by the starters and leavers process.

Identity Assurance

Until identity and access management, and importantly the evolution toward RBAC, takes hold, organisations will continue to experience these issues and more. Issues that are less about breaches of privacy and more about the perhaps less tangible aspect of discontinuity, which results in inefficient and costly "learn it all again" working practices every time a staff role change occurs.

The commercial corporate world is moving fast with the adoption of identity assurance and RBAC solutions, because it recognises the cost and downside of not doing so. In health, of course, the sterling work of the CfH Identity Management Team and the NHS Spine implementation of RBAC for national applications provides a model for health; time now for this to be adopted at the local level.


Should you share data breach information?


Should you share data breach information? | Community

An interesting question put to two commercial CEOs, and one of some relevance to the NHS.

One of the challenges I believe many organisations face is that if they do anything to improve Information Governance capability, the process of doing so invariably exposes issues that have previously gone unnoticed or, worse, ignored.

NHS policy currently states that anything constituting a breach above a certain level must be disclosed as a Serious Untoward Incident (SUI), which is then made publicly available through Strategic Health Authority (SHA) websites.

When it comes to employing information governance technology, for example identity and access management, compliance management or privacy and confidentiality auditing solutions, hidden and/or unknown issues are inevitably exposed, more often than not in serious numbers that qualify as SUIs.

Ironically, the consequence of being forced to publish information on SUIs creates a fairly significant disincentive for organisations to take positive action by investing in technologies that help improve compliance capability.

I wrote to the NHS Information Governance team at NHS Connecting for Health expressing this concern and asked whether organisations could be granted an SUI publication amnesty for a short defined period, thereby providing time to put the technology to good use. Despite chasing, I unfortunately did not manage to secure any response from them on this idea.

As it is, the SUI process is somewhat flawed in that it is open to a wide range of interpretation; you only have to look at what has been published previously on SUI incidents to see that this is not a satisfactory process as it stands.

I am a supporter of greater transparency and openness in healthcare, but I think it has to be acknowledged that transparency and openness can sometimes be a problem, rather than a cure. Especially when the standard for what should be published is interpreted so differently.


NHS Information Governance came of age in 2010?


The NHS Information Governance Toolkit (IGT) has had more than seven years of refinement and implementation by end user organisations, so it would be reasonable to assume that not much more could be done to develop information governance capability across healthcare. However, the upgrade to version 8 in 2010, and assessment of the returns from 158 acute trusts, tells a different story.

With version 8, and for the first time in the seven year history of the NHS information governance toolkit, a requirement for trusts to support their capability claims with evidence was introduced. For those on the outside looking in, not a particularly remarkable development, albeit perhaps somewhat surprising to find that this was not already an element built into the formal assessment process.

Despite this, patients and the public with any interest in data protection and information governance would no doubt have been somewhat reassured by the fact that the NHS information governance standard existed, and that for the most part it provided clear and easy to understand guidance on data protection measures.

Up until now, it would also have been natural for interested parties to assume, on the basis of there being a long-standing and well established annual review process, that trusts reassessed themselves on the basis of evidential qualification of capability.

Whilst this might have been the case, the dramatic effect of imposing the requirement for evidence on the annual return process has produced some results that will no doubt raise a good deal of patient concern, and some questions from the regulatory authorities.

The v8 IGT Evidential Assessed Outcomes

The initial and most obvious impact of the evidential requirements of v8 was a significant and dramatic downgrading of assessed capability by virtually all of the 158 trusts reviewed, compared to the previous year's (v7) assessment, and notably to previous assessments back to v4 (2006/2007).

In the first three months of trusts reviewing their overall assessment scores, from the final v7 published state (Mar 2010) through to the initial baseline assessment of v8 (Jun 2011), the percentage of trusts that rated themselves "not satisfactory" rose from 1% to a staggering 97% (see table below).

(Table: IGT v7 to v8 Baseline Scores)

In the subsequent three months, Jun 2010 to Oct 2010, and the next publication of an assessment, referred to as the performance update, the situation did not change significantly; just 2% of the trusts reviewed managed to improve their overall status to a satisfactory rating.

Whilst the last six months of the v8 assessment period, Oct 2010 to Mar 2011, did see a much bigger improvement, with the satisfactory number increasing from the Jun 2010 level of 5% to 35% in the final Mar 2011 assessment, the end result was that nearly two thirds, 65% (103 trusts), were unable to re-establish sufficient overall compliance capability to return a satisfactory rating.

Delving a Little Deeper

The reduction in capability occurred across virtually five of the six NHS information governance toolkit categories (see table below), with the one exception being Corporate Information Assurance, the only category that saw an increase in trusts achieving a satisfactory rating.

(Table: IGT v7 to v8 Satisfactory Rating)

Of most concern to patients and the public will be the categories focusing on the management and use of private and confidential information in the delivery of care (clinical information and secondary use assurance), as the standards and data quality assurance activities of these elements have the more significant impact on the quality of care at the front line.

Critically, nearly 22% (34 hospitals out of the 158 assessed) did not achieve a satisfactory rating for clinical information assurance, and 39% (61 hospitals) failed to achieve the required rating in the secondary use assurance category.

Additional concern will exist with regard to organisations' capabilities to ensure that adequate protection and security measures are in place addressing privacy and confidentiality. In the information security assurance category the most significant reduction occurred, with 54% (86 trusts) falling short of the required standard. The confidentiality and data protection assurance category fared marginally better, with 22% (35 trusts) falling short.

Of lesser importance, but at least interesting, is the one area of positive improvement: the Corporate Information Assurance category. This aspect focuses on how trusts address corporate information and records management as well as legal compliance with the Freedom of Information Act, historically the category that stood out in previous years' assessments as the one trusts most struggled with.

However, this positive aside, the overall outcome after seven years of the NHS Information Governance standard was an overall and no doubt unexpected drop in standards across the board, with fifteen NHS trusts failing to achieve a satisfactory rating in any of the six categories, compared to just one trust missing all targets in the previous year.

Wind of Change

It is evident that the v8 requirement for supporting evidence instigated a process of re-assessment beyond anything undertaken in previous years, resulting in trusts increasing the availability of resources, and thus investment, in information governance, especially between Oct 2010 and Mar 2011. This however was clearly not enough, given that very few trusts met the required target of level 2 capability for all requirements.

In any assessment of what further investment still needs to be made, trusts should also take into consideration the use of the current returns by the Care Quality Commission (CQC) and the prospect of future change in the monitoring of this standard. The NHS Reform Bill proposes assigning responsibility for maintenance and development of the standard to the CQC, the consequence perhaps being a more formally regulated information governance regime.

Due respect should be paid to the fact that NHS information governance assessment returns are already considered by the CQC in their independent assessment of trusts (essential standards of quality and safety). The CQC assessment (Outcome 21, Records) contains 62 quality and risk profiles that are based on the current NHS IGT standard and assessment approach. Consequently, the mechanism for formal NHS information governance regulation is already largely in place.

Trusts would do well to assume that this element of the reform bill is likely to secure a good level of support toward being accepted, especially given the v8 capability assessment results and not least because it would provide the mechanism for addressing a great many of the Information Commissioner's concerns regarding NHS failure to implement a consistent and adequately robust approach to data protection.

If by any (very) remote chance the NHS information governance standard does not become part of the CQC regulatory function, then trusts should consider the alternative option of the Information Commissioner being granted his request for a greater range of powers to undertake unannounced inspections, this being the next most likely option to be considered and possibly implemented.

Going Forward

Unquestionably, the reaction of the majority on seeing the very poor results of the v8 assessments will initially have been one of great shock, followed quickly by disappointment. There is also likely to be a great deal of concern and frustration among trust Chief Executives, Senior Information Risk Owners and Caldicott Guardians. Concern, given that these positions are individually accountable for the validation and sign off of information governance and data protection assessments, and frustration born from the need, after all this time, to re-focus more of their valuable time and effort on addressing the gaps in capability, instead of perhaps focusing on the delivery of austerity measures.

Information Governance Managers, on the other hand, may actually be smiling, for a great many may now be getting budgets and support to make investment, which until now has traditionally been very hard to obtain.

Equally, the IG Managers' compadres, the Information Asset Owners, may also now feel that they have the opportunity to secure investment and tools that can actually help them deliver on the obligations of this assigned role.

The facts however are clear: the majority of NHS information governance functions have not been supported adequately with budgets and funding to make any real difference to the level of compliance capability. This is additionally evidenced by how little investment has actually been made in information governance technology solutions, such as those addressing the fundamental requirements of:

  • Identity and Access Management Assurance
  • Access and Compliance Audit
  • Policy Management and Dissemination (interactive solutions)

Employing readily available and mature technologies addressing these requirements can transform an organisation's compliance capability and, ironically, it is also possible for organisations to secure demonstrable cost savings and efficiency gains and delivery of Quality, Innovation, Productivity and Prevention (QIPP) objectives.

Most importantly, it is only through the use of technologies such as these that the NHS will be able to demonstrate a robust, assured and reliable approach being taken to data protection requirements, necessary to secure the patient confidence and engagement needed going forward.

In Conclusion

If the result of this poor outcome is a re-prioritisation of attention and investment towards addressing this negative position, with senior management obtaining in the process a better understanding of the wider business and austerity benefits to be secured from investment, then this will represent a significant turning point in data protection attitudes.

Consequently 2010 probably was "the year" for Information Governance; unfortunately the real benefit of any increase in resources and/or investment cannot be appreciated fully until we see the outcomes from the IGT v9 assessments currently being undertaken.


NHS Identity Management – The importance of being!


NHS investment in Identity Management (IdM) technologies in recent years has not been as significant as one would expect, especially given that this very much underpins organisational Information Governance capability.

Paul White asks: is this the time Identity Management in health comes of age?

Not Something for Everyone?

After the course of two years and visits to over 200 trusts to promote the merits of identity and access management solutions, I had to take a step back and reflect on why it was proving so difficult to secure commitment, at least to progress exploration of requirements beyond a mild level of interest in what identity management technology had to offer.

It was not as if I was the only one trying to encourage trusts to consider the merits of IdM solutions; in 2005 Connecting for Health invested nearly £20m in a Novell Enterprise Wide Agreement that incorporated Novell's Identity Vault product licences.

Despite the Novell EWA underwriting a proportion of the solution costs, wide-scale adoption of the Identity Vault solution did not occur, although in this case it appeared to be a reluctance to readopt Novell technology, given that the majority of trusts had some years back migrated to standardise on Microsoft technology, rather than any lack of appreciation of the merits of IdM.

Although I had greater success in securing trust adoption of an alternative Microsoft technology based solution, even managing to establish market leading status in health despite not having the same central funding support that Novell benefited from, achieving mainstream adoption across health of any IdM technology platform has proved too great a challenge for any single provider.

The reality was that, despite the business requirement and emphasis provided through the Information Governance Toolkit for Identity Management, and ICT appreciation of what IdM could achieve, qualifying this into a business case to secure funds and commitment proved to be too challenging a piece of work in its own right.

Business Requirements Re-evaluated

Identity: the name or essential characteristics that identify somebody or something. In the case of information governance, for example, the role or function a person performs for the business forms an essential characteristic of a member of staff.

Technologies that the NHS largely already has in place, e.g. networking and data management systems, have evolved the capability to store a great level of detail about the professional characteristics of staff. For the best example of this, open your Microsoft Outlook message client and take a look at an address book entry or Outlook contact form.

Details in addition to forename, surname and email address can include employee IDs, department, job title, place of work, contact details and line manager, to name just a few of the more critical information governance elements.

Yet when you examine almost any directory service within an organisation you will be lucky to find anything more than just a user name and email address; take a look at the NHSmail address book, where 90% of the entries contain only a very basic set of details.

This may be for legacy reasons: older technologies that have since been migrated or upgraded never had the capacity to store more than basic details, and subsequent upgrade projects never took the opportunity to expand the level of information stored beyond what came from the legacy system.

One has to ask why, given the importance placed on the need for improved information governance, the opportunity to increase the level of staff identity information stored in the system was not a key deliverable of any technology upgrade or refresh project.

Should identity information be added? Simply, yes. It is an imperative element of information governance; without it, organisations and users cannot validate access rights, since they cannot easily identify individuals, their roles, and their relationships to departments and others within the organisation's hierarchy and structure.

The Case for Identity Management: a No-Brainer!

Consider just users such as Information Asset Owners and Heads of Department, people who are much closer to the change management requirement that needs to be implemented, such as staff changing roles, promotions, leavers and new starters.

These overworked staff are engaged in what is quite often a convoluted paper based administration process, which many of the organisations I have met with readily admitted to be an untimely, error prone and consequently very unreliable approach.

Many went further in acknowledging that their network, back office and clinical systems contained disjointed and widely varying information on end users, a consequence of which is that compliance audits are either almost impossible, or at least extremely costly, to achieve.

Yet modern network technologies provide mechanisms for greatly simplifying the assignment of user access controls and permissions, reliably and automatically, through features such as group or role based policies which use information such as place of work, staff job functions or roles to determine and implement permissions and access controls accordingly and automatically.

The benefits of utilising these technology features are numerous and extend well beyond just those of good information governance practice; for example, automation of user account creation and administration will free up valuable technical and systems administration resource that can instead be put to more productive and useful work, such as developing systems rather than just running them.

Information governance risk, and the likelihood of issues occurring through inappropriate access or misadventure, are also greatly reduced, with the added benefit of being able to demonstrate that a robust and reliable approach has been taken to access control.

However, one of the initial root causes of the current state of affairs is the fact that the native "out-of-the-box" systems administration tools provided are just not user friendly, nor easily implemented in a way that only provides access to functions and features that are relevant; administratively they tend to take an all or nothing approach when it comes to granting administrative rights.
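As an added illustration of the points above (this is not code from the post, nor from any NHS system or vendor product), the following Python model shows how attributes held in a directory (department, job title, place of work) can drive role based permissions automatically, how a role change or a leaver is reconciled so that access the old role justified is revoked rather than accumulated (the Nurse A scenario from the NHSmail post earlier on this page), and how approval rights can be scoped to a head of department's own staff instead of the all or nothing administrative rights described above. The staff records, role policies and system names are constructed for the example.

```python
"""Attribute-driven role based access control (RBAC) over directory records.

Added illustration only: not code from the original post or from any NHS
system. Staff records, role policies and system names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaffRecord:
    """The identity attributes the post argues a directory should hold."""
    employee_id: str
    name: str
    department: str
    job_title: str
    location: str
    line_manager: str
    active: bool = True


# A role is granted when every attribute condition matches the record.
# Grants are (system, permission) pairs. Hypothetical, constructed values.
ROLE_POLICIES = {
    "clinic_nurse": {
        "match": {"department": "Outpatient Clinic", "job_title": "Nurse"},
        "grants": {("clinical_record", "read"), ("clinical_record", "write"),
                   ("clinic_share", "read"), ("email", "mailbox")},
    },
    "admin_officer": {
        "match": {"department": "Estates", "job_title": "Administrator"},
        "grants": {("estates_share", "read"), ("email", "mailbox")},
    },
    "department_head": {
        "match": {"job_title": "Head of Department"},
        "grants": {("access_requests", "approve_own_department"),
                   ("email", "mailbox")},
    },
}


def roles_for(record):
    """Return the role names whose conditions the record satisfies.
    An inactive (leaver) record holds no roles at all."""
    if not record.active:
        return set()
    matched = set()
    for role, policy in ROLE_POLICIES.items():
        if all(getattr(record, attr) == value
               for attr, value in policy["match"].items()):
            matched.add(role)
    return matched


def entitlements_for(record):
    """Derive the full set of (system, permission) grants from the roles."""
    grants = set()
    for role in roles_for(record):
        grants |= ROLE_POLICIES[role]["grants"]
    return grants


def reconcile(old, new):
    """Provisioning actions for a changed record: (to_revoke, to_grant).
    Anything the old attributes justified but the new ones do not is revoked,
    so entitlements follow the role rather than accumulating with the person."""
    before, after = entitlements_for(old), entitlements_for(new)
    return before - after, after - before


def can_approve(approver, subject):
    """Delegated administration: a department head may approve access requests
    only for staff in their own department, not across the whole organisation."""
    scoped = ("access_requests", "approve_own_department") in entitlements_for(approver)
    return scoped and subject.department == approver.department


def role_change_example():
    """Nurse A moves from the clinic to a less sensitive admin post (constructed)."""
    nurse_a = StaffRecord("E1001", "Nurse A", "Outpatient Clinic", "Nurse", "Site 1", "E2001")
    moved = StaffRecord("E1001", "Nurse A", "Estates", "Administrator", "Site 2", "E3001")
    revoke, grant = reconcile(nurse_a, moved)
    # Audit trail of the decisions, the evidence an IGT assessor would ask for.
    audit = [f"REVOKE {s}:{p} for {moved.employee_id}" for s, p in sorted(revoke)]
    audit += [f"GRANT {s}:{p} for {moved.employee_id}" for s, p in sorted(grant)]
    return revoke, grant, audit


def leaver_example():
    """Marking a record inactive removes every entitlement, mailbox included."""
    leaver = StaffRecord("E1002", "Nurse B", "Outpatient Clinic", "Nurse",
                         "Site 1", "E2001", active=False)
    return entitlements_for(leaver)


if __name__ == "__main__":
    print("\n".join(role_change_example()[2]))
```

The mailbox entitlement survives the role change because both roles grant it, which is the deliberate contrast with the NHSmail "address for life" model: the account persists, but the clinical data access attached to the old role does not.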

Resolving the Challenge

All is not lost; specialist identity and access assurance solution providers are in abundant supply, a great many with mature, proven and highly flexible sets of solutions that resolve this NHS information governance dilemma.

By providing business and user friendly administration interfaces, complemented with reliable and timely workflow services, information asset owners and heads of department can be properly engaged in the process of user account administration and access rights authorisation and revocation.

A huge tick in the box for NHS Information Governance Toolkit (IGT) requirement:

  • 305: Operating and application information systems (under the organisation's control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems; and a significant contribution towards helping organisations better achieve the IGT audit requirement:
  • 206: There are appropriate confidentiality audit procedures to monitor access to confidential personal information.

The fact is, with a well-qualified set of user identity metrics readily accessible to all staff, a significant number of IGT level 2 requirements become much easier, and consequently more cost effective, to achieve.

Furthermore, the current cost of administration and management of the various systems can be greatly reduced, as a result of Identity Assurance technology's comprehensive interface capabilities that automate integration of multiple identity data sources, provisioning of user accounts and access rights management across all systems (network, business and clinical).

This provides organisations with the ability to demonstrate delivery of Quality, Innovation, Productivity and Prevention (QIPP) cost savings and efficiency gains, especially with regard to back office administration and management functions.

Everybody benefits

Having a solid identity management foundation is an information governance pre-requisite. It is possible to establish manual processes and procedures to address this requirement, but not cost effectively nor efficiently; human frailties unfortunately prevail.

With modern Identity Assurance solutions the human frailties are removed, ensuring that a reliable, robust, timely and assured process for identity and access management assurance is established, delivering a consistent approach to staff identities on all systems that makes assurance of rights and access activities easy to achieve.

The organisation also ends up with a better informed user community, with colleague information readily accessible through user friendly technologies such as the Outlook address book, greatly enhancing the opportunity for staff collaboration through increased understanding of colleague roles and functions and, most importantly, the opportunity for users to validate the appropriateness of information sharing.

Better yet, being able to demonstrate the reliable maintenance of identities and access rights for the entire organisation will secure the support of regulators and, most importantly, the patients and public: a must if investment in electronic patient records and electronic health systems is to secure patient engagement and participation.


NHS Information Governance Toolkit – Creating a false sense of data security?


Variation between the requirements of data protection law and the guidance on information governance contained within the NHS Information Governance Toolkit is having a counter productive effect that undermines the value and benefit that should be derived from the application of good information governance and data protection practice.

The NHS Information Governance Toolkit represents the Department of Health's method of providing guidance on data protection and a means of assessing the information governance compliance capability of healthcare organisations, defined by a broad set of requirements:

  • Data Protection Act (1998).
  • Common Law Duty of Confidentiality.
  • Confidentiality NHS Code of Practice.
  • NHS Care Record Guarantee for England.
  • Social Care Record Guarantee for England.
  • International information security standard: ISO/IEC 27002: 2005.
  • Information Security NHS Code of Practice.
  • Records Management NHS Code of Practice.
  • Freedom of Information Act (2000).

The stated purpose of the NHS Information Governance Toolkit:

“The purpose of the assessment is to enable organisations to measure their compliance against the law and central guidance and to see whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.”

For a Primary Care Trust (PCT), the information governance obligations are described by forty-one requirements broken down into six key themes:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance
  • Clinical Information Assurance
  • Secondary Use assurance
  • Corporate Information Assurance

(NHS Information Governance Requirements for different organisation types can be viewed here)

For smaller organisations supported by PCTs, such as General Practices, the information governance obligations are described by thirteen requirements broken down into just three key themes:

  • Information Governance Management
  • Confidentiality and Data Protection Assurance
  • Information Security Assurance

This variation is somewhat inexplicable, and importantly highlights that the NHS Information Governance Toolkit is not entirely addressing the statutory obligations defined by the acts of law! For example, PCT requirements 110, 111, 112, 206, 300, 301, 305, 309, 310, 311, 313, 314, 323 and 406 make explicit reference to Data Protection legislation principle 7 as a requirement origin:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Yet in the NHS Information Governance Toolkit version for general practice these requirements are not present. There are in fact thirteen requirements in the PCT version specifically identifying Data Protection legislation principle 7 as an origin, yet in the general practice version there are only seven, and not a single one of the toolkit requirements founded on principle 7 in either set is the same for both organisations.

The shortcomings of the general practice requirements are not limited to principle 7 of the Data Protection legislation; other PCT requirements make explicit reference to Data Protection legislation principles 3, 4, 5 and 6, where the general practice requirements do not.

These shortcomings and variations in the guidance and measures allocated between organisations are not limited to those highlighted here; they occur between secondary care, health and social care and third party requirements too.

A Negative Outcome

The fact is that the majority of healthcare organisations, since the inception of the NHS Information Governance Toolkit in 2002/03, have focused on implementing and maintaining compliance in accordance with these requirements, not surprisingly since that is what they have been targeted to do. Consequently, healthcare (and allied) organisations utilising the NHS Information Governance Toolkit as their only guide will not be fully compliant from the perspective of the law, in accordance with the Data Protection legislation.

The implications of on-going shortcomings in adequately addressing data protection are far reaching, beyond organisational failure to appreciate the value of investment in improving capability, and the consequence of operating at an unsustainable level of risk that is periodically rewarded with a failure and an occasional fine and/or sanction from the regulatory authorities (neither of which, commentators suggest, is presently sufficient to instigate the required change in attitude and appreciation of the need for better information governance and data protection).

The wider and more far reaching consequence of inadequate data protection is the undermining, and consequently "more costly to achieve", impact this has on the important and valuable effort and investment in increasing patient and public confidence, with the objective of securing their more effective involvement; a fundamental and necessary deliverable required for the reform of the NHS.

A Positive Solution

Mature and proven technologies addressing information governance requirements, that enable organisations to easily bridge the gap between the NHS Information Governance Toolkit and Data Protection legislation requirements, are available. Used accordingly, these same technologies deliver additional strategic support to business decision making on information capability investment, addressing the aims of effective patient and public involvement and underpinning delivery of the "information revolution" requirements. At the core of the requirements for information governance compliance there are three fundamental elements that must be addressed; these are:

  • Identity and Access Management (WHO): staff, their roles and relationships, functions, activities, locations of work, and place in the organisation's hierarchy. Without this level of information on all staff (permanent and temporary) being readily accessible (beyond organisational boundaries), almost every aspect of the information governance process will be undermined on a regular basis.
  • Policy Management (HOW): data and service quality is founded on standards; policy is the method by which these standards are conveyed to staff. Unfortunately traditional methods of policy production and management are not dynamic or interactive enough to meet the modern day demands of busy environments dealing with critical needs. Policy and document management and workflow technology radically transforms static policy and standards systems into an interactive and pro-active organisation development tool. Staff can be updated instantly on policy changes and new standards, and organisations can track acceptance and validate implementation, delivering a much more assured process in the development of working practices and a staff culture of standards and quality.
  • Audit (WHAT and WHEN): validating staff activities, both operationally and in an informatics context, is vital, for both the delivery of the information governance and data protection assurance requirements and for providing data to support the prioritisation of investments in digital information capability. Validation of the use of information assets provides intelligence on what is not being used to the fullest of its capabilities, consequently helping to identify gaps in informatics capability and data quality that are undermining measures of productivity and assessment of service quality, and subsequently opportunities to identify and implement cost savings and efficiency gains.

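The Audit (WHAT and WHEN) element above, and IGT requirement 206 quoted in the identity management post earlier on this page (confidentiality audit procedures to monitor access to confidential personal information), come down to running detection logic over access logs against a trustworthy staff roster. The following Python is an added example, not code from the post or from any NHS audit product: it parses constructed log lines in a constructed format and raises three classes of finding that an audit procedure would want surfaced, activity from a leaver's account, access by someone whose department is not entitled to the system, and a burst of distinct records opened by one user. The roster, entitlement table and thresholds are all constructed values.

```python
"""Confidentiality audit over constructed access-log lines.

Added illustration only: not code from the original post or from any NHS
audit product. Log format, staff roster, entitlements and thresholds are
constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed roster: employee_id -> (department, active?).
# In practice this would come from the directory the posts argue should be kept rich.
ROSTER = {
    "E1001": ("Outpatient Clinic", True),
    "E1002": ("Estates", True),
    "E1003": ("Outpatient Clinic", False),   # leaver: account should be disabled
}

# Constructed entitlement table: which departments may use which system.
ENTITLED = {
    "clinical_record": {"Outpatient Clinic"},
    "estates_share": {"Estates"},
}

# Constructed log format: "<ISO time> user=<id> system=<name> action=<verb> record=<ref>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

SAMPLE_LOG = """\
2011-03-01T08:02:11 user=E1001 system=clinical_record action=read record=P-4471
2011-03-01T08:05:40 user=E1002 system=estates_share action=read record=boiler-plan
2011-03-01T08:07:03 user=E1002 system=clinical_record action=read record=P-4471
2011-03-01T09:15:22 user=E1003 system=clinical_record action=read record=P-9902
2011-03-01T09:15:25 user=E1001 system=clinical_record action=read record=P-0001
2011-03-01T09:15:26 user=E1001 system=clinical_record action=read record=P-0002
2011-03-01T09:15:27 user=E1001 system=clinical_record action=read record=P-0003
2011-03-01T09:15:28 user=E1001 system=clinical_record action=read record=P-0004
"""


def parse(log_text):
    """Parse log lines into dicts. Malformed lines are returned separately so
    that an audit never silently loses evidence."""
    events, malformed = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
        elif line.strip():
            malformed.append(line)
    return events, malformed


def audit(events, burst_window=timedelta(seconds=10), burst_threshold=4):
    """Return (finding_type, user, detail) tuples for:
    UNKNOWN_ACCOUNT  - user id absent from the roster
    ACCESS_BY_LEAVER - activity from an account the roster marks inactive
    OUT_OF_ROLE      - the user's department is not entitled to the system
    BULK_READ        - burst_threshold distinct records by one user inside burst_window
    """
    findings = []
    recent = {}  # user -> [(ts, record)] seen inside the sliding window
    for e in events:
        if e["user"] not in ROSTER:
            findings.append(("UNKNOWN_ACCOUNT", e["user"], e["record"]))
        else:
            dept, active = ROSTER[e["user"]]
            if not active:
                findings.append(("ACCESS_BY_LEAVER", e["user"], e["record"]))
            elif dept not in ENTITLED.get(e["system"], set()):
                findings.append(("OUT_OF_ROLE", e["user"], e["record"]))
        window = [(t, r) for t, r in recent.get(e["user"], [])
                  if e["ts"] - t <= burst_window]
        window.append((e["ts"], e["record"]))
        recent[e["user"]] = window
        # Flag exactly once, at the moment the threshold is reached.
        if len({r for _, r in window}) == burst_threshold:
            findings.append(("BULK_READ", e["user"],
                             f"{burst_threshold} records in {burst_window.seconds}s"))
    return findings


def run_sample():
    """Audit the constructed sample log and return its findings."""
    events, malformed = parse(SAMPLE_LOG)
    assert not malformed, malformed
    return audit(events)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The order of the checks matters: an inactive account is reported as a leaver finding even when its old department would still have been entitled, because the starters and leavers failure is the root cause to fix, not the individual access.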
The right application of information governance solutions addressing the Who, What, When and How provides a solid foundation upon which the strategic aims and objectives of the information revolution are better addressed, supporting the creation of improved measures of quality of service and operational performance, and an improved informatics capability with patient and public engagement.

Positive Outcomes

There is a significant range of business benefits to be gained from addressing these three fundamental elements of the information governance requirements: benefits that are not just concerned with compliance with data protection law, but that also support organisational efforts to improve operational capability and service quality:

  • A robust and assured approach to addressing the requirements of the NHS Information Governance Toolkit and the Data Protection Act, with significantly reduced risk and likelihood of incurring a fine and the consequential costs of a breach or failure in the governance process.
  • Significant cost savings and efficiency gains from existing information governance compliance management and administration activities.
  • Greatly improved ability to engage business managers and department heads and information asset owners in supporting the implementation of assured and robust information governance practices.
  • Significantly improved assurance on the reliability, timeliness and robustness of the information governance processes and procedures.
  • Ability to hand decision control to the better-placed information asset owners and departmental management resources, consequently delivering QIPP cost savings and efficiency gains by reducing the dependency on, and need to engage, high-cost back office technical resources.
  • Release of specialist technical resources from mundane administration and management tasks, permitting reassignment to better support efforts to secure increased cost savings and efficiency gains through better use of technology.
  • Increased ability to support staff in meeting their individual compliance obligations with improved ability to develop and maintain information governance culture and awareness.
  • Increased ability to validate existing investment in digital information capability and prioritise / focus future investment at areas of most need / benefit.
  • Increased confidence and assurance in collaboration and data-sharing activities within the organisation and between partners.
  • Ability to demonstrate a robust approach to privacy and confidentiality to secure confidence and increased patient and the public involvement in service delivery.

The Conclusion

The NHS whitepaper, “Liberating the NHS: An Information Revolution”, promotes the need for further investment in technology and presents information as key to the success of NHS reforms, and in particular as a critical element in ensuring the NHS can achieve £20bn of cost savings and efficiency gains in the coming years.

There are few who disagree with the need for a reformed NHS founded on the principles of choice, responsiveness and equity that designs and delivers health services around the needs of patients. Fewer still would argue against greater patient and public engagement. It is imperative, therefore, for all concerned to recognise the important and somewhat fundamental contribution of information governance.

However, despite the increased support available to information governance managers, from the likes of board members assigned Caldicott Guardian and Senior Information Risk Owner roles, with the CEO or equivalent retaining final sign-off responsibility for information governance assessments, the lack of any budget and commitment to exploit the advances in information governance technology has the potential to make the strategic aims of a reformed NHS unreachable, or at the least a more costly goal.


Courion Selects eCulture Solutions as Key Solution Partner

NHS specialist will focus on providing Courion’s solutions to manage access governance across UK

London, UK 6th June 2011 — Courion Corporation, the leading provider of access risk management solutions that help organizations cost effectively deal with compliance and security risk, has selected eCulture Solutions as a Solution Partner in the UK to offer healthcare trusts the ability to improve their risk management strategies with automated identity and access governance (IAG) solutions.

eCulture Solutions specialises in providing IAG solutions to healthcare organisations and is an expert in serving NHS foundations in particular. The organisation is well-versed in the details of the Information Governance Toolkit — the NHS standard from Connecting for Health — which describes the required safeguards for, and appropriate use of, patient and personal information. By partnering with Courion to offer best-in-class user access management and compliance solutions, eCulture Solutions can help Trusts to define, assess, enforce and verify their access policies so that all user access is appropriate and compliant with policies.

“We’ve found that Courion’s Access Assurance Suite™ addresses the guidelines set out by the NHS Information Governance Toolkit to safeguard personal health information more comprehensively than any other provider,” said Paul White, managing director of eCulture Solutions. “Courion brings a wealth of expertise and understanding to the table. The company has been identified by Gartner as a Leader in this space for the past few years and has a very clear IAG focus. It is very refreshing for our customers to see a suite that is truly fit for this purpose.”

“As well as monitoring users for accidental or malicious use of data, Courion’s User Activity Manager integrates identity with reports and alerts, merging a unique identity profile to user activity information, so that managers are able to identify users who are not making full use of the systems at their disposal,” added White.

“Confidential data, and access to it, is of huge importance for all UK government departments,” said Marc Lee, EMEA sales director at Courion. “With eCulture Solutions, we have a partner that understands what NHS managers specifically need, and what the Information Governance Toolkit requires, at a very detailed level.”

Courion’s unique approach to identity, access and compliance management ensures that only the right people have the right access to the right resources and are doing the right things. Access Assurance unifies Access Governance, Access Compliance and Access Provisioning in the most complex, heterogeneous environments. This comprehensive approach increases operational efficiency and transparency, strengthens security, and improves compliance, while delivering the industry’s fastest time to value and lowest total cost of ownership.

About Courion

Courion’s award-winning Access Assurance Suite solutions are used by more than 450 organizations and over 12 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at, our blog at, or on Twitter at
