Tuesday, November 13, 2012

Does Anyone Know Just How Secure Our Electronic Patient Records Are? Anyone Have Some Numbers?

The following article appeared in the UK Guardian a few days ago.

How to secure patient trust in electronic record systems

A breach of personal data could do considerable damage, so trusts must build patient privacy into NHS IT systems
Electronic record systems are among the most important healthcare advances of our times.
They bring better, more sustainable healthcare and offer the NHS the opportunity to make large savings – allowing more public money to be invested in improving patient outcomes.
However, a recent survey of more than 1,000 UK citizens revealed that 86.5% of respondents believed a serious breach of personal data would do considerable damage to a hospital's reputation, while 87.2% thought the NHS should monitor who looks at their patient records.
Despite this, many NHS hospitals do not have systems in place to proactively detect privacy violation – and remain vulnerable to breaches, litigation and regulator fines.
Until it becomes mandatory for trusts to build patient privacy into NHS IT systems, the risk of major data breaches will remain, and patients will not fully realise the benefits of electronic healthcare systems.

Disclosure and notification

Recent data from the UK Information Commissioner's Office (ICO) reveals that data security breaches within the NHS have increased by 935% in the past five years. Yet there remains no legal requirement in the UK for providers to disclose to the patient when a privacy breach has taken place.
This must be addressed. UK citizens have a basic right to know when their records have been inappropriately accessed and their privacy compromised.
When a breach has occurred, providers must be mandated to disclose this to patients, and notify the ICO. This would bring a level of accountability to care providers that cannot be achieved by other measures such as random audits and fines.
Healthcare privacy laws in the rest of the world are being significantly strengthened – and the NHS cannot afford to be left behind. In the US, ARRA HITECH privacy legislation (2009) introduced – and enforced – strict guidelines around breach disclosure and notification.
Similarly, in Europe, pending legislation in the General Data Protection Regulation will mandate the disclosure and notification of privacy breaches to individual patients and governmental organisations respectively. The NHS should rigorously enforce this legislation.
Lots more here:
Does anyone know of comparable statistics for Australia?
Second question - if we don't know, just why might that be?
Sadly I am an answer-free zone - but I really feel we should know!