Mind the security gap while adopting electronic health records
Marc Lee, Director EMEA, Courion
10 April 2013
The target set by UK Health Secretary Jeremy Hunt, for digital
information to be available across NHS and social care services by
2018, stirred a debate about whether the NHS is prepared to
seamlessly transition to new digital records system without exposing
patient data to security risks.
The move is aimed at enabling healthcare staff to share data more
effectively and improve the efficiency of services. The paperless
patient records agenda offers great opportunities for service
improvements for the NHS. However, in the past some parts of the NHS
have had real challenges with managing the risk of security
breaches, with the Information Commissioner’s Office (ICO) levying
heavy fines for breaches resulting from staff error and lack of
compliance with data protection policies.
To overcome these security issues and enable more efficient
healthcare, the NHS will need to ensure that sensitive patient
information is captured, stored and transmitted securely in
accordance with the latest compliance requirements.
The introduction of electronic patient records will also call for
automatic enforcement of existing data governance practices and
compliance mandates. One of the key issues will be how to ensure
that only authorised personnel have access to patient information
and that there are mechanisms in place to manage accountability in
the event of a breach. Compliance mandates also require healthcare
organisations to periodically review and certify that their
employees’ access privileges are consistent with their role in the
This is becoming increasingly critical as regulations require
primary healthcare providers (ie GP practices and hospitals) to
ensure that business partners (suppliers, insurance companies, etc)
also implement security processes and procedures designed to protect
sensitive patient data against disclosure. However, the issue is
that existing approaches to data governance and access certification
focus on providing access privileges to authorised personal and
reviewing these access rights on every three, six or twelve months.
This gap between user provisioning and access certification
exposes healthcare organisations to significant security risks as
changes that happen within this period remain undetected. This issue
will be amplified by the introduction of electronic patient records
as the immediacy of access to sensitive information will require
near real-time management of access risk. Failing to achieve such
robust access management practices may have negative consequences
for NHS data protection requirements.
Therefore any major innovations in digitising of patient records
must be accompanied by stringent analysis of potential access risk.
This will help prioritise and plan for existing and potential
security risks, while enforcing internal data protection policies
and automatically provisioning or revoking access to patient records
depending on those rules. What’s even more important is that a
strong access risk management strategy will enable IT staff to
easily identify abnormal activities and act upon them before they
have turned into a major security issue.
To be able to control access to sensitive patient data, it may be
necessary for healthcare organisations have near real-time view into
access risk, especially as they significantly widen access to
patient records with the patients themselves and a range of
providers, many of which will be private healthcare contractors.
This strategy will constantly analyse IAM and other security data
from access governance, user provisioning, and password management
systems to identify and quantify access risk. Moreover, this
approach allows organisations to analyse data from external
resources such as SIEM and DLP systems, providing IT staff and
compliance officers with a clear view of how sensitive data is being
This view will not only improve the enforcement of data
governance practices, but will also help ensure that changes in
users’ access rights are reflected in the IT system in almost
real-time, thus mitigating the threat of a potential security
When an action that affects access occurs, the access management
system should be able to automatically drive compliance with
policies and regulations, eliminating time, cost and errors of
manual processes. This will significantly increase operational
efficiency and improve control over access risk, while ensuring that
data privacy standards are maintained.
Such successful access risk management practices have already
been implemented in other healthcare organisations across the world.
For instance, HCR ManorCare, which is one of the biggest home
care providers in the US, has implemented access risk management
solutions that leverage a real-time access intelligence engine to
monitor, quantify and analyse access risk and enforce data
protection policies across its workforce of 60,000.
The NHS IT policy promises to transform how patients and
clinicians access and share information to enable enhancements in
care and healthcare outcomes. These goals will be achieved so long
as the NHS strikes the right balance between protecting user privacy
and providing access to confidential data, while ensuring control of
access risk. This will be essential for ensuring the long-term
success of the electronic patient records initiative and will
provide an additional layer of security for patients and NHS staff
Marc Lee is Director EMEA for Courion.