4. System suppliers should be compliant with the NHS Information Governance toolkit (IG level 2)
The IG toolkit is a Department of Health (DH) policy delivery vehicle that the Health and Social Care Information Centre (HSCIC) is commissioned to develop and maintain.
It creates a single standard, combining legal requirements and central guidance as set out by the DH.
Since suppliers act as data handlers and data processors, it is important that they are compliant with this.
Compliance demonstrates that organisations can maintain the confidentiality and security of personal information, correctly handle data, and ensure protection from unauthorised access, loss, damage and destruction.
Individual organisations have to submit their completed toolkits, which are evaluated for compliance and then published.
IG assurances are required as part of the terms and conditions of using national systems and services.
5. Cyber Essentials (CE)
(Cyber Essentials Plus certificate)
Cyber security is a well-recognised problem within the NHS.
When handling personal and patient information, it is imperative that systems are secure against malware, hacking and cyber-attacks.
All suppliers should have a government-approved Cyber Essentials certificate or, preferably, a Cyber Essentials Plus certificate.
Protection from malware and cyber-attacks has never been more relevant.
The most recent WannaCry attack exploited a flaw in the Microsoft Windows operating system and propagated through much of the NHS, encrypting data and demanding ransoms for its return. However, different forms of malware may be transmitted in different ways. The initial transmission could be from an infected email, website or from a USB stick.
Maintaining up-to-date operating systems, using antivirus software, and downloading from approved sites only is crucial to preventing attacks.
Devices and software must therefore be kept up to date. Even where the supplier is CE certified, users may still be vulnerable if their own operating systems and software are outdated.
It is also important to ensure suppliers are not using unsupported operating systems or internet browsers to access the online consultation systems.
New vulnerabilities in software and devices are discovered continually.
For this reason, updates or ‘patches’ are released regularly to close these vulnerabilities before they can be exploited. Updates should be applied regularly in order to ensure maximum protection.
Cyber security measures should include firewalls to secure the connection, secure configuration of devices and software, and access to data and services controlled by job role on a need-to-access basis.
From April 2018 the new Data Security and Protection Toolkit (DSP Toolkit) replaces the Information Governance Toolkit (IG Toolkit).
It will form part of a new framework for assuring that organisations are implementing the ten data security standards and meeting their statutory obligations on data protection and data security. This will include information governance, a General Data Protection Regulation (GDPR) checklist, and cyber security.
6. Patient Identification and Authentication
Practices have a legal obligation to provide a secure and confidential service.
Identity verification and authentication protects both patients and practices from unauthorised disclosure of personal or confidential information and any fraudulent activity.
Practices must have processes in place to adequately authenticate and verify the identity of a patient, ensuring that the applicant for online access is the same person whose recorded identity the account is associated with.
The verification process should allow an applicant to prove their identity, while preventing those trying to claim to be somebody they are not.
Many system suppliers record patients’ date of birth, name and address so that practices can verify them against their records. However, this is not sufficient on its own, as this information may also be known to friends, parents or other family members.
The responsibility of verification and authentication falls on the practice.
Where data breaches occur, practices may be at risk of financial penalties. Where patients have consented to carers, parents or relatives communicating with the practice using online consultations, those individuals should go through a separate identity verification process and be granted authorisation by proxy.
Correctly verifying the applicant’s identity is necessary when prescribing, advising on treatment plans or making onward referrals to other healthcare professionals. Further information about the steps that can be taken may be found via NHS England, Patient Online Services in Primary Care, and Good Practice Guidance on Identity Verification.
7. General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) will come into effect in May 2018, replacing the Data Protection Act 1998.
For the purpose of the online consultation fund, it is worthwhile reviewing evidence of suppliers’ readiness to comply with GDPR.
Under GDPR, practices are designated data controllers and suppliers data processors.
Both of these roles will be under greater scrutiny and will be legally required to demonstrate compliance with the regulation.
The purpose of the regulation is to create greater transparency in the handling of data, as well as better-informed consent to how data is used.
Patients, as data subjects, will have greater access to their data, and non-compliance with the regulation will attract greater penalties.
When procuring systems from suppliers who act as data processors, it is crucial to check suppliers are compliant and conform to the regulation requirements.
If a data breach occurs, system suppliers should support practices in reporting and investigating it, and in complying with the requirement to notify the Information Commissioner’s Office (ICO) within 72 hours.
Data disclosure requests from patients may include information processed by the online consultation systems. For this reason, it is imperative that records held by the supplier are as robust and accurate as possible, securely held within the UK and easily accessible to the practice.
8. Record keeping
Interoperability with existing GP operating systems enables data to be electronically transferred directly into the patient’s clinical records. Online consultation systems should use recognised clinical coding systems to facilitate this (e.g. SNOMED CT).
Manually transferring clinical information from one clinical system to another can increase workload and the risk of errors, as well as negatively impacting on continuity of care for the patient.
Where systems use artificial intelligence or symptom checkers to signpost patients to other services, it is important that this information is captured and relayed to the GP and integrated into the patient’s clinical records.