In today’s post-pandemic world, patients have become more comfortable completing digital triage forms, attending remote telephone or video consultations and using online portals to request repeat prescriptions. They are also accustomed to using wellness apps to track and improve their mental and physical health, nutrition and diet, dermatology and other areas of everyday primary care.
These digital health technologies help patients manage their health better and can connect them with healthcare professionals for appropriate further care. However, growing digitisation also poses challenges and threats to patient data privacy and security, increasing the risk of data breaches.
While most people trust that their medical information is secure and protected, data privacy and security issues should not be taken lightly. The most recent figures from the Information Commissioner’s Office (ICO) show that 3,557 personal data breaches occurred in the health sector in the two years to 31 March 2021.
These breaches may result from attacks on healthcare devices or systems, or simply from data protection mistakes made by the healthcare provider. Examples of such mistakes include:
- Losing paperwork or a device
- Patient data being sent to the wrong recipient
- Staff accessing patient records without proper authorisation
- Disclosing information without consent
How to tackle data privacy and security issues?
First, as a healthcare provider you should establish rigorous steps to identify and mitigate security-related risks. Carry out regular risk assessments and comply with the latest regulations to keep your patients’ data protected.
Below are four measures we propose every healthcare provider take to reduce the likelihood of data privacy and security threats.
1. Patient identification
When providing healthcare, you need to confirm that you are dealing with the right patient. Patient identification matters because it ensures patient safety and better care coordination. It also brings additional benefits such as fraud prevention, data security and verification of a patient’s eligibility for particular treatments.
To verify each patient, cross-reference their patient identifiers. Use three-point identifiers such as full name, date of birth (DOB) and address/postcode to ensure the right individual is receiving the right care.
You can also use ID verification plugin providers to verify the patient’s identity. These providers use a photo ID, a selfie and artificial intelligence algorithms to confirm the patient’s identity. Find out more about how ID checks for patients are an important privacy standard here.
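The three-point check above is only as good as the comparison behind it: a patient who types "sile obrien", "14/03/1985" and "sw1a1aa" on a triage form must still match the record held as "O'Brien, Síle", "1985-03-14" and "SW1A 1AA". The following Python is an added example, not MyPulse’s own code; it assumes a patient record is a dict with the keys full_name, dob and postcode, and the accepted date formats are this example’s choice. It normalises each point before comparing and confirms the patient only when all three agree.

```python
"""Three-point patient identifier matching (added example, not MyPulse code).

Assumes a patient record is a dict with the keys 'full_name', 'dob' and
'postcode'; that layout is an assumption of this example.
"""
import re
import unicodedata
from datetime import date, datetime
from typing import List, Optional, Tuple

# Date formats accepted on intake forms (assumed set; extend as needed).
DOB_FORMATS = ("%Y-%m-%d", "%d/%m/%Y", "%d-%m-%Y", "%d %b %Y", "%d %B %Y")


def normalise_name(name: str) -> str:
    """Make names comparable: strip accents, lower-case, drop apostrophes and
    hyphens, treat other punctuation as separators and ignore token order, so
    "O'Brien, Síle" and "sile obrien" compare equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"['\-]", "", text)
    text = re.sub(r"[^a-z0-9]+", " ", text)
    return " ".join(sorted(text.split()))


def normalise_postcode(postcode: str) -> str:
    """Upper-case, remove all spaces, then re-insert the single space before
    the three-character inward code used by UK postcodes."""
    compact = re.sub(r"\s+", "", postcode).upper()
    if len(compact) < 5:
        return compact  # too short to be a UK postcode; compare as-is
    return f"{compact[:-3]} {compact[-3:]}"


def parse_dob(value) -> Optional[date]:
    """Accept a date, a datetime or a string in any of DOB_FORMATS."""
    if isinstance(value, datetime):
        return value.date()
    if isinstance(value, date):
        return value
    text = " ".join(str(value).split())
    for fmt in DOB_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None  # unparseable: never treat as a match


def three_point_match(claimed: dict, record: dict) -> Tuple[bool, List[str]]:
    """Confirm identity only when all three points agree. The list of points
    that matched is returned so staff can see which one failed without the
    system revealing the stored value of the failed point."""
    matched: List[str] = []
    if normalise_name(claimed["full_name"]) == normalise_name(record["full_name"]):
        matched.append("full_name")
    claimed_dob = parse_dob(claimed["dob"])
    if claimed_dob is not None and claimed_dob == parse_dob(record["dob"]):
        matched.append("dob")
    if normalise_postcode(claimed["postcode"]) == normalise_postcode(record["postcode"]):
        matched.append("postcode")
    return len(matched) == 3, matched


# Constructed sample record, as it might be held in the practice system.
SAMPLE_RECORD = {"full_name": "O'Brien, Síle", "dob": "1985-03-14", "postcode": "SW1A 1AA"}


if __name__ == "__main__":
    # What a patient might type on a triage form: different case, order and spacing.
    claimed = {"full_name": "sile obrien", "dob": "14/03/1985", "postcode": "sw1a1aa"}
    print(three_point_match(claimed, SAMPLE_RECORD))  # (True, ['full_name', 'dob', 'postcode'])
    claimed["postcode"] = "SW1A 2AA"
    print(three_point_match(claimed, SAMPLE_RECORD))  # (False, ['full_name', 'dob'])
```

Returning the list of matched points, rather than a bare yes/no, lets reception ask the patient to re-check one detail while the system never discloses what it holds for that detail.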
2. Clinician verification
Clinician verification is an equally important step to protect your practice from fraudulent, accidental or unauthorised access. Here is a list of measures you can take to verify your healthcare professionals’ identities. This is particularly useful when you work with independent healthcare contractors.
- Check that the professional registration number, such as a GMC (General Medical Council) or HCPC (Health and Care Professions Council) number, is valid. Healthcare professionals must be registered with the relevant body, have the relevant education and training and not be the subject of a malpractice suit.
- All accounts should be password-protected, and two-factor authentication (2FA) is recommended to ensure only authorised personnel can access each device. You can take this a step further by sending a text message to authenticate each device.
- Adopt access control measures. Healthcare personnel should have different permissions based on their role. For example, allow admin staff and practice managers to set availability and change shift allocation, but restrict their access to patient records.
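The role-based permissions in the last point are simple to express in code, and doing so also gives you the audit trail needed to spot staff accessing records without authorisation (one of the breach examples listed earlier). The Python below is an added example, not MyPulse’s own code; the role names, permission names and audit-record layout are assumptions of this example, and the post only states that admin staff and practice managers may manage availability and shifts but not view patient records.

```python
"""Role-based permissions with an audit trail (added example, not MyPulse code).

Role and permission names are assumptions of this example.
"""
from typing import Dict, FrozenSet, Iterable, List

# Each role grants a fixed set of named actions. Anything not listed here is
# denied by default, including actions nobody has thought of yet.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"view_patient_record", "update_patient_record", "set_own_availability"}),
    "practice_manager": frozenset({"set_availability", "change_shift_allocation", "manage_accounts"}),
    "admin_staff": frozenset({"set_availability", "change_shift_allocation"}),
}


class AccessDenied(PermissionError):
    """Raised when a user attempts an action their roles do not grant."""


def is_permitted(roles: Iterable[str], action: str) -> bool:
    """True if any of the user's roles grants the action; unknown roles grant nothing."""
    return any(action in ROLE_PERMISSIONS.get(role, frozenset()) for role in roles)


def authorise(user: dict, action: str, audit: List[dict]) -> bool:
    """Check the action against the user's roles and record the decision.
    Denied attempts are logged as well as allowed ones, because repeated
    denied attempts on patient records are exactly the unauthorised-access
    pattern a practice wants to notice."""
    allowed = is_permitted(user["roles"], action)
    audit.append({"user": user["id"], "action": action, "allowed": allowed})
    if not allowed:
        raise AccessDenied(f"user {user['id']} is not permitted to {action}")
    return True


def denied_record_access(audit: List[dict]) -> List[str]:
    """Users who were refused access to patient records, for review."""
    return sorted({e["user"] for e in audit if e["action"] == "view_patient_record" and not e["allowed"]})


if __name__ == "__main__":
    log: List[dict] = []
    manager = {"id": "u-manager", "roles": ["practice_manager"]}   # constructed users
    gp = {"id": "u-gp", "roles": ["clinician"]}
    authorise(manager, "change_shift_allocation", log)
    authorise(gp, "view_patient_record", log)
    try:
        authorise(manager, "view_patient_record", log)
    except AccessDenied as exc:
        print(exc)
    print(denied_record_access(log))  # ['u-manager']
```

Because the permission table is the only place that grants anything, adding a new role or screen cannot silently open patient records: a role that is not in the table gets nothing.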
3. Information security
To provide each patient with the appropriate care, healthcare professionals and providers might have to share health-related data with each other. Data privacy and security must then be maintained through secure transmission of that information.
Think about how you use, move and store patient data. If possible, Personally Identifiable Information (PII) should never be stored together with Patient Medical Information (PMI).
Although we handle PII at MyPulse, we do not store this data. For information security purposes, we encrypt PII data during data transfer and storage. This way, if an unauthorised person tries to access this information, they would not be able to decode it.
We work according to the following three principles to ensure data security:
- Confidentiality – ensuring that information cannot be read by unauthorised persons.
- Integrity – proving that data has not been altered in transit or at rest.
- Authentication – proving the identity of an entity requesting access to resources.
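One concrete way to keep PII apart from PMI, and to make the integrity principle checkable, is to file medical records under a keyed pseudonym rather than the patient’s identifiers and to attach an authentication tag to each record. The Python below is an added example, not MyPulse’s own code, and uses only the standard library: the pseudonym is an HMAC of a patient identifier, and each record carries an HMAC bound to its pseudonym so that altering a record at rest, or moving it into another patient’s slot, is detected. Confidentiality (encrypting the stores) is not shown here and should use a vetted library such as cryptography. The key handling, store layout, field names and the patient_id identifier are assumptions of this example.

```python
"""Keeping PII apart from medical data, with integrity checking
(added example, not MyPulse code; layout and key handling are assumptions)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict


class PseudonymisedStore:
    def __init__(self, pseudonym_key: bytes, integrity_key: bytes) -> None:
        # Two independent keys: one derives pseudonyms, one authenticates records.
        # In practice both live in a key management service, never beside the data.
        self._pseudonym_key = pseudonym_key
        self._integrity_key = integrity_key
        self.pii: Dict[str, dict] = {}  # pseudonym -> identifiers (a separate system in practice)
        self.pmi: Dict[str, dict] = {}  # pseudonym -> {"record": ..., "tag": ...}

    def pseudonym(self, patient_id: str) -> str:
        """Keyed hash of the identifier. Without the key the pseudonym cannot be
        derived from (or brute-forced back to) the identifier, so a leak of the
        PMI store alone names nobody."""
        return hmac.new(self._pseudonym_key, patient_id.encode(), hashlib.sha256).hexdigest()

    def _tag(self, pseudonym: str, record: dict) -> str:
        """HMAC over a canonical encoding of the record, bound to the pseudonym
        so a record cannot be moved from one patient's slot to another's."""
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._integrity_key, pseudonym.encode() + b"\x00" + canonical,
                        hashlib.sha256).hexdigest()

    def store(self, patient_id: str, identifiers: dict, record: dict) -> str:
        """File identifiers and medical data in separate stores under one pseudonym."""
        p = self.pseudonym(patient_id)
        self.pii[p] = identifiers
        self.pmi[p] = {"record": record, "tag": self._tag(p, record)}
        return p

    def verify(self, patient_id: str) -> bool:
        """True only if the stored record still matches its tag."""
        p = self.pseudonym(patient_id)
        entry = self.pmi[p]
        expected = self._tag(p, entry["record"])
        return hmac.compare_digest(expected, entry["tag"])

    def load(self, patient_id: str) -> dict:
        """Return the medical record, refusing to serve one that fails its check."""
        if not self.verify(patient_id):
            raise ValueError("integrity check failed: record altered or moved at rest")
        return self.pmi[self.pseudonym(patient_id)]["record"]


def build_demo_store() -> PseudonymisedStore:
    """Fresh store with random keys holding one constructed patient record."""
    store = PseudonymisedStore(secrets.token_bytes(32), secrets.token_bytes(32))
    store.store("P-0001",
                {"full_name": "Síle O'Brien", "dob": "1985-03-14", "postcode": "SW1A 1AA"},
                {"allergies": ["penicillin"], "conditions": ["asthma"]})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.load("P-0001"))
    # Simulated alteration of the medical record at rest.
    store.pmi[store.pseudonym("P-0001")]["record"]["allergies"] = []
    print(store.verify("P-0001"))  # False
```

The tag covers the pseudonym as well as the record contents, which is what turns a plain checksum into the integrity guarantee the principle above describes: an attacker who can write to the PMI store but does not hold the integrity key can neither edit a record nor swap two patients’ records without the next load failing.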
4. Data security standards
Data security guidelines differ depending on the country each provider operates in. Being non-compliant with data privacy laws could result in expensive fines, individual penalties and loss of reputation. Two key sets of guidelines for the UK are:
- ISO 27001, a certification that outlines the requirements for information security management systems. Being certified shows how you operate according to your policies and procedures and proves that your ISMS (information security management system) meets the requirements of the standard. It is especially valuable for organisations in the healthcare industry, as it helps protect your organisation against breaches and cyber security threats.
- GDPR (General Data Protection Regulation), which requires that personal data be processed securely using appropriate technical and organisational measures. Being GDPR compliant shows that you can adequately protect people’s information. It calls for organisations to use straightforward, well-documented processes that clearly show how data is being used.