In association with Philips

Philips

Ensuring the security of our health data

Health-care tech and data analysis offer huge potential to the National Health Service but they also come with risks. However, while the concerns raised about security are valid, they are not insurmountable. 

Sign Up

Get the New Statesman's Morning Call email.

Digital technology has unleashed a scale of transformation that was hard to imagine a few decades ago. Today we use contactless credit cards that don’t require a Pin to authenticate them; we carry personal tracking devices that allow our every move to be recorded (they just so happen to allow us to make phone calls and browse the web as well); and we share intimate detail of spending habits, personal interests and emotional and physical well-being with companies every time we make a purchase online – our data is used by these companies to sell us yet more products and services.

When it comes to our health information, however, we are significantly more reserved and cautious about what is collected, where it is stored and how it is used. And yet the benefits it can bring us can be vast.

For example, online patient-reported outcomes on the success of hip and knee replacements are enabling orthopaedic surgeons to improve the aftercare that they offer patients, reducing the need for follow-up appointments, at a cost saving of £86,000.

Meanwhile, wearable technologies that record our vital signs are improving the ways in which we maintain health and well-being. Philips, for example, has worked with Radboud University Nijmegen Medical Centre in the Netherlands and the customer relationship management provider Salesforce to develop technology that improves the treatment and lifestyle of patients with chronic obstructive pulmonary disease (COPD). The patient wears a sensor that is connected to a database via the cloud, which allows them to be monitored around the clock. The data is then monitored in real time by the clinician, who can provide support when needed. Help can also be accessed at any time by the patient, giving them control of their own health.

The government believes this is the direction of travel needed for the UK to maintain a high standard of health care for its citizens.

“We need to transform health care in the NHS from a 20th-century model, in which health is something done to you, to a 21st-century world in which we empower people to take more responsibility over their own health and life choices,” says the Minister for Life Sciences, George Freeman MP. “Greater use of NHS-approved apps and making sure that new medical innovations get to patients quickly will help the NHS lead the way in giving patients more personalised care.”

As the wider public, health-care professionals and technology companies become increasingly interested and proficient in measuring, monitoring and analysing health data, the way in which that data is stored and used also becomes more important.

Previously, keeping patient data secure included measures such as making sure documents were locked in filing cabinets and that surgeries had appropriate burglar alarms in place. Today, theft and loss are still important concerns, but the focus has instead shifted online, fuelled by high-profile stories such as the recent hacking of Talk Talk.

So what can the NHS do to make sure patient data is kept secure?

At the most basic level is compliance with laws such as the Data Protection Act 1998, the EU Data Protection Directive and the Care Act 2014, which set rules for how data is to be collected, stored and managed, and which prevent health data from being used for purely commercial purposes such as setting insurance premiums.

To add more weight to these, the Care Quality Commission (CQC) is conducting a review of data security standards to assess what more could, and should, be done, says Freeman. “The National Data Guardian, Dame Fiona Caldicott, will contribute to this review by developing clear guidelines for the protection of personal data against which every NHS and care organisation will be held to account,” Freeman said. “She will provide advice on the wording for a new model of consents and opt-outs to be used across the health and care system. The work will be completed by January and from next year the new guidelines will be assured through CQC inspections and the NHS England commissioning process.”

The private-sector companies that provide health-care tech products and services to the NHS also have a critical role to play within data protection. Their reputations and ability to do business are dependent on data being used carefully and effectively, and so they take stringent precautions to ensure personal information is protected. Philips maintains corporate-wide privacy rules, which also apply to all subcontractors and third parties that it works with, while its digital health propositions are developed against the backdrop of the most stringent of international data protection regulations.

Meanwhile, the way in which data is used can itself add layers of security. For instance, the Health and Social Care Information Centre (HSCIC), the body responsible for providing a trusted safe haven for the nation’s health and care information, uses different formats of data, ranging from the identifiable to the aggregated and anonymised.

The use of encryption, data shredders and biometrics also helps add extra layers of protection. At Philips, its IT security team is looking at how to maximise the value of “block chaining”, which allows data to be manipulated and transactions to take place without the data being decrypted or even accessed directly.

“Vulnerabilities can occur when data is moved and then encrypted – hackers can identify weak points in this process,” explains John Huffman, chief medical informatics officer and chief technology officer at Philips Healthcare. “Very few security breaches come from the cloud vendors themselves. They usually occur at a network level due to poor security such as a lack of encryption – or because someone has taken home a disk full of passwords and data.”

As Huffman suggests, an IT system is only as secure as its weakest links, and protection can only be realised if IT managers implement comprehensive, multilayered strategies (including policies, processes and guidelines).

While the HSCIC has overarching control over this within the NHS, some of the responsibility also lies at the feet of health-care professionals themselves. As the doctors Bradley H Crotty and Arash Mostaghimi pointed out in the British Medical Journal: “As clinicians, we are stewards of our patients’ personal information, and we have a professional duty to safeguard such information through the proper use of technology. We must be vigilant about the technology and systems that we use and take precautions to prevent inappropriate disclosure of patient information . . .These include device encryption, understanding local policies and regulations about information storage and transfer, and maintaining awareness of the settings on their devices. In areas where guidance is limited, clinicians should consult local experts.”

In particular, they were keen to highlight how this does not simply involve work-based computers and databases, but also personal laptops and mobile phones.

“Clinicians now routinely use the same devices for both professional and personal purposes. Although convenient, there is a danger of information breaches if proper safeguards are not used. For example, if viruses or malicious software (malware) infect a device, user credentials and other information may be compromised, allowing access to confidential data. It is possible to use personal equipment, but physicians must be constantly vigilant about their device settings and personal usage patterns,” they wrote.

This is an important point, agrees Philips’s Huffman. However, he adds: “You can enforce lots of rules around using long, complicated passwords, but if a person has to write them down to remember them then it can defeat the point. Also, once an individual has accessed information it can be difficult to know what they’ve done with it. Have they printed it out or made a copy of it? There isn’t much you can do at that stage,” he says.

Huffman suggests that rather than insisting on regular password changes, the NHS would be much better off using sophisticated security tools, such as malware detectors, and software such as the kinds that banks use to see if suspicious transactions on accounts have been taking place. And, of course, it is essential to embark on training and support so that health-care professionals understand their roles and responsibilities.

Ultimately, we are heading towards a future where patients are in control of their own data. This data may be held by the NHS or in some other system, such as that offered by the Philips HealthSuite Digital Platform, but will be accessible by the patient, through their own computer and smartphone, at any time of day or night, from anywhere they may be. When this happens, they will become the gatekeepers of their own health-care data and will decide when and with whom they want to share it with, placing increased responsibility on the individual to ensure they also have the right security measures in place.

Confidentiality and patient-doctor trust are quite rightly the cornerstone of the medical profession. The technology exists to ensure it stays that way. We now need to give the NHS the means by which to use it, so that the full potential of health-care technologies and data analysis tools can be realised for the benefit of us all.

This article is part of a thought-provoking series on living health, brought to you by the New Statesman in association with Philips, which looks at how technology, innovation and big data are helping to improve your health and our health-care system.