Safe Digital Transformation data security aspects of digital transformation presented by Greg Fletcher Central Architecture Services

NIB background Digital Transformation

National Information Board Senior advisory group formed in March 2014 Comprises 29 organisations across the health and care system. work stream roadmaps are funded through £4.2billion secured specifically for technology from government spending review 8 original work stream items 10 Delivery Domains 33 Programmes of activity The NIB acts as a focal point for communication across the health and care sector, gathering together members from across the sector to steer the direction of information and technology developments. It is a framework for action to deliver real benefits for:  Patients and Citizens;  Health and Social Care Professionals;  Commissioners and Provider Organisations;  Innovators across the health and care sector

Roadmaps 1 providing patients and the public with digital access to health and care information and transactions providing citizens with access to an assessed set of NHS and social care ‘apps’ 2 setting the commissioning and regulatory roadmap for implementing of digital data standards by 2018 to 2020 developing a roadmap for comprehensive data on the quality, efficiency, and equity of health and care services for secondary uses 3 make the quality of care transparent 4 build and sustain public trust 5 bring forward life-saving treatments and support innovation and growth 6 support care professionals to make the best use of data and technology https://www.gov.uk/government/publications/national-information-boards-workstream-roadmaps

Delivery Domains A Self-care and prevention B Urgent and emergency care C Transforming General Practice D Integrated care E Digital Medicines F Elective Care G Paper Free at Point of Care H Data Outcomes for Research and Oversight I Infrastructure J Public Trust and Security https://www.gov.uk/government/publications/national-information-board-nib-annual-report-2016

National Information Board outputs NIB Personalised Health and Care 2020 Using Data and Technology to Transform Outcomes for Patients and Citizens, November 2014 https://www.gov.uk/government/publications/personalised-health-and-care-2020 NIB Prospectus National Information Board interim report: 2015 September 2015 NIB Annual Report 2016 National Information Board annual report: 2016 September 2016 https://www.gov.uk/government/publications/national-information-board-nib-annual-report-2016 NIB Personal Health and Care 2020: consider what progress the health and care system has already made what can be learnt from other industries and the wider economy set out a series of proposals including: ‘build and sustain public trust’ NIB Prospectus: describes the impact of Personalised Health and Care 2020 (PHC2020) for patients, citizens and professionals provides an overview of progress to date, including a description of how the NIB has been established and its membership sets out the PHC2020 commitments that are due to be achieved by March 2016 provides a mechanism to set out how the success and impact of the NIB can be measured for patients, citizens and professionals. NIB Annual Report: This is the National Information Board’s first Annual Report. reporting progress made, details the work streams that identified what would need to happen to make the vision a reality

Independent reports Safe data, safe care Making IT work: harnessing the power of health information technology to improve care in England Report by National Advisory Group on Health Information Technology in England, chaired by clinician and digital expert Professor Robert Wachter September 2016 https://www.gov.uk/government/publications/using-information-technology-to-improve-the-nhs Digital proposals for the NHS The 4 main recommendations to the National Information Board by Baroness Martha Lane Fox December 2015 https://www.gov.uk/government/news/martha-lane-fox-challenges-the-national-information-board https://www.gov.uk/government/news/martha-lane-fox-sets-out-her-digital-proposals-for-the-nhs Safe data, safe care Review existing levels of data security across the NHS, Care Quality Commission (CQC) July 2016 http://www.cqc.org.uk/content/safe-data-safe-care with input from security breach report 2015r: http://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf Review of data security, consent and opt-outs Recommendations to strengthen security of health and care information and ensure people can make informed choices about how their data is used. National Data Guardian (NDG), Dame Fiona Caldicott https://www.gov.uk/government/news/new-safeguards-and-public-conversation-about-health-and-care-data-proposed https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs Making IT work: harnessing the power of health information technology to improve care in England details overall findings and principles gives 10 implementation recommendations Carry out a thoughtful long-term national engagement strategy Appoint and give appropriate authority to a national CCIO Develop a workforce of trained clinician-informaticians at the trusts, and give them appropriate resources and authority Strengthen and grow the CCIO field, others trained in clinical care and informatics, and health IT professionals more generally Allocate the new national funding to help trusts go digital and achieve maximum benefit from digitisation While some trusts may need time to prepare to go digital, all trusts should be largely digitised by 2023 Link national funding to a viable local implementation/improvement plan Organise digital learning networks to support implementation and improvement Ensure interoperability as a core characteristic of NHS Digital ecosystem – to support clinical care and to promote innovation and research A robust independent evaluation of the programme should be supported and acted upon Safe data, safe care Six recommendations The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability. All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely IT systems and all data security protocols should be designed around the needs of patient care and front line staff to remove the need for workarounds, which in turn introduce risks into the system Computer hardware and software that can no longer be supported should be replaced as a matter of urgency. Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability CQC will amend its assessment framework and inspection approach to include assurance that appropriate internal and external validation against the new data security standards have been carried out, and make sure that inspectors involved are appropriately trained Review of data security, consent and opt-outs 10 new data security standards to apply to all organisations that hold health or care information – for example, organisations should use identify and address risks such as default passwords, dormant accounts and unsupported operating systems

Patients and citizens access comprehensive, accurate and timely information empowered with improved access and personalisation of care in partnership with professionals manage long-term conditions and prevent avoidable lifestyle-related diseases patients able to access and contribute to medical records deliver the online services that all patients need to help them manage their own care and wellbeing home and on the move Patients will be able to use laptops, smart phones or other mobile devices to access digital services to:  register with a GP;  book or change appointments (with the GP surgery or hospital);  order and pay for prescriptions;  access and spend personal budgets with links to appropriate care services. https://www.gov.uk/government/publications/national-information-board-nib-annual-report-2016

Health and social care professionals equip health and social care professionals with digital tools, information and training enable staff to access and share up to date, accurate data with both the individual and other professionals lead to integrated care planning, better decision making and seamless transfers between care settings Health and care professionals will have the ability to set automatic notifications to inform decisions, and make use of tools and applications to monitor and communicate remotely. Patients will be able to use laptops, smart phones or other mobile devices to access digital services to:  register with a GP;  book or change appointments (with the GP surgery or hospital);  order and pay for prescriptions;  access and spend personal budgets with links to appropriate care services. https://www.gov.uk/government/publications/national-information-board-nib-annual-report-2016

Innovators changing ways of working across traditional delivery boundaries, innovation has the potential to transform care delivery embrace new technologies and establish new partnerships unlock the potential of the digital agenda and create products that can offer smarter, faster and improved healthcare creation of an open and transparent infrastructure will encourage research and innovation whilst aiding rapid implementation Patients will be able to use laptops, smart phones or other mobile devices to access digital services to:  register with a GP;  book or change appointments (with the GP surgery or hospital);  order and pay for prescriptions;  access and spend personal budgets with links to appropriate care services. https://www.gov.uk/government/publications/national-information-board-nib-annual-report-2016

Commissioners and provider organisations Health and care data needs to flow across traditional delivery boundaries in order for commissioners and providers to deliver an integrated package of care It is critical that timely, accurate and comprehensive information is available digitally to inform workflows and business processes for the entire workforce within an organisation and across local economies Organisations across the health and care sector need to work together to achieve the best outcomes and drive efficiency. Patients will be able to use laptops, smart phones or other mobile devices to access digital services to:  register with a GP;  book or change appointments (with the GP surgery or hospital);  order and pay for prescriptions;  access and spend personal budgets with links to appropriate care services. https://www.gov.uk/government/publications/national-information-board-nib-annual-report-2016

Public Trust and Security Digital Maturity Readiness: http://systems.digital.nhs.uk/infogov/iga

Build and Sustain Public Trust Privacy Security Account-ability Confidentiality Integrity Availability Trust Safe Care Timely Care Balancing data security against patient care

CareCERT http://content.digital.nhs.uk/carecert CareCERT Assure a new service offering an assessment of an organisation's cyber security preparedness. given a set of recommendations for removing vulnerabilities and reducing risks to technology and data to help decide where best to focus efforts and investment for the greatest return CareCERT React a support service to provide professional guidance and advice on the decisive actions to reduce the impact of a data security incident It will also provide additional information about CareCERT advisories where requested This builds on the advisories already provided through the existing CareCERT service CareCERT Knowledge a new e-learning service relating to data/cyber security, information governance and information management The aim is to inform professionals of their personal responsibility for data security http://content.digital.nhs.uk/carecert Supporting the National Data Guardian 10 identified standards

National Data Guardian - the Standards NDG Recommended Data Security Standards 1 All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes. 2 All staff understand their responsibilities under the National Data Guardian’s Data Security Standards including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches. 3 All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit. 4 Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals. 5 Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. 6 Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. 7 A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management. 8 No unsupported operating systems, software or internet browsers are used within the IT estate. 9 A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually. 10 Suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standard. https://https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs