Handling Security Incidents Affecting Patient Confidentiality


Introduction

There are several ways in which patient confidentiality may be breached such as theft, break-ins and poor disposal of confidential waste. All breaches should be investigated and reported accordingly. This guidance suggests mechanisms for handling security incidents where patient confidentiality has been or may have been breached.

The majority of IM&T security breaches are innocent and unintentional such as the user not ‘logging out’ at the end of the day. However ‘near misses’, where no actual harm results from the incident, should still be reported and analysed to look for possible ways of preventing an actual incident occurring in the future.

Definitions

An IM&T security incident is defined as any event that has resulted or could result in:

  • the disclosure of confidential information to any unauthorised individual
  • the integrity of the system or data being put at risk
  • the availability of the system or information being put at risk

An adverse impact can be defined for example as:

  • threat to personal safety or privacy
  • legal obligation or penalty
  • financial loss
  • disruption of HA business
  • an embarrassment to the HA

Types of Security Incidents

The types of security incidents likely to affect patient confidentiality vary widely. Data security incidents may take many forms, including the following:

  • Theft of equipment holding confidential information – PCs, dicta-phones, case-notes, etc.
  • Unauthorised access to a building or areas containing unsecured confidential information.
  • Access to patient records by an authorised user who has no work requirement to access the records.
  • Authorised access which is misused (staff).
  • Electronic access (hacking) and viruses.
  • Misuse of equipment such as faxes, text messages on mobiles and e-mails.
  • Inadequate disposal of confidential material (paper, PC hard drive, disks/tapes, etc).
  • Car theft / break-ins to on-call staff carrying patient records.
  • Unauthorised access to records away from premises (e.g. laptops and notes when travelling between clinics to home-visits etc).
  • Complaint by a patient, or a member of the public, that confidentiality has been breached.
  • Careless talk.

Data Security Incident Monitoring

A data security incident may come to light because a patient has complained about a breach of confidentiality or because of one of the above incidents.

In the first case the cause of the breach will need to be investigated by interviewing the patient, interviewing staff and checking incident logs and computer audit trails. There may also be the opportunity to investigate CCTV videos.

In the second case the risk to patients’ confidentiality should be assessed and any damage limitation applied. In some cases it will be appropriate to warn patients of a possible breach of their confidentiality.

Incidents should always be investigated immediately whilst there is still the possibility of collecting as much evidence as possible.

Because of the variety of different types of security incident it is important to have clear procedures in place to cover the main types of incident. Any investigation may involve a number of key individuals. The investigation should be co-ordinated by a named person who will decide how to take matters forward / resolve them. All staff should be aware of the need to report any suspicious incidents to the named individual.

Staff must understand the reporting procedures and the type of incidents to report. Near misses are indicators of potential problems and should also be reported. In order to respond fully to an incident, audit logs need to be kept (records of the transactions carried out on the computer, the date and time of each, and who carried it out).

Contacts may need to be:

  • Security Officers for arrangements made for the physical security of the building.
  • IM&T Manager.
  • IM&T support companies (to help with audit).
  • Other outside contractors who may be involved.
  • The Police.
  • Any members of staff who may be involved.

A log should be kept of all incidents reported whether they lead to a complaint or not. All incidents should be considered as to whether they indicate a need for improvement in arrangements. The log may be incorporated into other incident logs as appropriate. A regular report on the number, type and location of data security incidents should be made allowing any trends to be picked up and addressed.

An example would be:

Break-in to the premises to steal a computer

  • risk of occurrence = high
  • possible consequences to patients = serious (blackmail, unacceptable risk to privacy, loss of confidence in health care)

As such the following actions would be appropriate:

  • Approved door locks.
  • Internal door locks.
  • Anything portable to be locked away in a fireproof cupboard.
  • Toughened glass and window locks.
  • Intruder alarm.
  • Deterrents such as ‘security marking’ the equipment.
  • Check the Asset Register of equipment, in order to quickly assess loss.
  • Password protection to system / sensitive documents.

Reporting Arrangements

All incidents or information indicating a suspected or actual data security breach should initially be reported to the immediate line manager and then a completed incident form sent to the Acute Trust Risk Manager, who must keep a record of all incidents that are reported. The record need not be more than a statement of the persons involved in the incident, a description of the incident and what action has been taken. The Patient Confidentiality Security Incident Form, which can be found in Appendix 2 (Ref: Patient Confidentiality Security Incident Form), is intended to be used for this.

Where the suspected security breach involves the staff member’s line manager, the member should inform their line manager’s superior and / or a Director.

If a staff member believes a security breach is the result of an action or negligence on behalf of a Director, the incident should be reported directly to the Chief Executive.

Where there has been an incident involving an Acute Trust IT system, the Head of Technical Services and the Cheshire Health Agency Technical Development Manager must be informed to determine whether an actual security breach has taken place. The majority of IT security breaches are innocent and unintentional (e.g. user not “logging out” when leaving for the day) and would not normally result in disciplinary action being taken.

If an actual data security breach has occurred, the incident should also be reported immediately to the Acute Trust’s Caldicott Guardian.

It may also be necessary to report the incident to others depending on the type and likely consequences of the incident, e.g. inform the Police.

Monitoring Arrangements involving an Acute Trust IT system

Where there has been an incident involving an Acute Trust IT system, the following procedure should be observed:

The Cheshire Health Agency Technical Development Manager will maintain a record of all reported IT system incidents, to be reviewed monthly with the Acute Trust Head of Technical Services (the record need not be more than a statement of those involved, a description of the incident and the action taken).

Where it is likely that an actual security breach has taken place the Head of Technical Services must report the incident immediately to the Acute Trust Director responsible for IM&T, the Head of Informatics and the Finance Director of the Cheshire Health Agency.

If it is determined that a breach has actually taken place the following action will be agreed with the Acute Trust Director, Head of Informatics and Finance Director of the Cheshire Health Agency:

  • a report will be made by the Head of Technical Services and the Cheshire Health Agency Technical Development Manager to include the background, nature, risks and recommended remedial action.
  • no action will be taken, unless the incident constitutes a continuing and serious risk to the business or patient-identifiable data, until a consensus is obtained from the aforementioned Senior Officers.
  • an incident report will be made to the appropriate Telecommunications Branch.
  • a full report will be made to the Acute Trust Director, the Head of Informatics and the Finance Director of the Cheshire Health Agency.
  • The Head of Technical Services should categorise the incident within one of the incident classifications below (high, intermediate or low). The Director of Finance of the Cheshire Health Agency should be informed of any financial implications for the Acute Trust, and the Human Resources Manager should be informed to determine whether any disciplinary action is necessary. If the classification is significantly high, the Acute Trust Chief Executive should be informed immediately by the Director of Finance.

Monitoring Arrangements involving a data security breach

Where an actual data security breach has occurred, the following procedure should be observed:

The Acute Trust Risk Manager will maintain a record of all reported data security incidents, to be reviewed monthly with the Acute Trust Information Governance Manager (the record need not be more than a statement of those involved, a description of the incident and the action taken).

Where it is likely that an actual security breach has taken place the Acute Trust Risk Manager must report the incident immediately to the Information Governance Manager, who will report it to the Acute Trust Caldicott Guardian and the Head of Informatics.

If it is determined that a breach has actually taken place the following action will be agreed with the Acute Trust Director and Head of Informatics:

  • a report will be made by the Acute Trust Risk Manager and Information Governance Manager to include the background, nature, risks and recommended remedial action.
  • no action will be taken, unless the incident constitutes a continuing and serious risk to the business or patient-identifiable data, until a consensus is obtained from the aforementioned Senior Officers.
  • a full report will be made to the Acute Trust Director and the Head of Informatics.
  • The Acute Trust Risk Manager should categorise the incident within one of the incident classifications below (high, intermediate or low). The Director of Finance of the Cheshire Health Agency should be informed of any financial implications for the Acute Trust, and the Human Resources Manager should be informed to determine whether any disciplinary action is necessary. If the classification is significantly high, the Acute Trust Chief Executive should be informed immediately by the Director of Finance.

Incident Classifications

Incidents should be classified according to severity of risk, as follows:

1 = High risk of harm to patients whose confidentiality has been breached.

2 = Intermediate risk of harm to patients whose confidentiality has been breached.

3 = Low risk of harm to patients whose confidentiality has been breached.

The senior managers in the Acute Trust should regularly review the number and type of security incidents which have occurred and decide on any appropriate preventative action to be taken.

Procedure for Dealing with various types of Incident

1) Theft of equipment holding confidential information – PCs, dicta-phones, case-notes etc, and unauthorised access to an area with unsecured confidential information:

  • Check the asset register to find out which equipment is missing.
  • Investigate whether there has been a legitimate reason for removal of the equipment (such as repair or working away from the usual base).
  • If the cause is external inform the Police and ask them to investigate.
  • Interview staff to establish what data was being held and how sensitive it is.
  • Establish the reason for the theft / unauthorised access, such as:
    - Items to sell.
    - Access to material to embarrass the practice.
    - Access to material to threaten patients (blackmail, stigmatisation).

  • Consider the sensitivity of the data and the risk that it will be misused, in order to assess whether further action is appropriate (e.g. warning patients, informing the Police).
  • Consider whether there is a future threat to system security, or NHSnet access and report to the IM&T lead at the Acute Trust.
  • Inform organisation of replacement requirements.
  • Inform system suppliers if appropriate.
  • Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.

2) Access to patient records by an authorised user who has no work requirement to access the record:

  • Interview the person reporting the incident to establish the cause for concern.
  • Establish the facts by:
    - Asking the system supplier to conduct an audit on activities by the user concerned.
    - Interviewing the user concerned.

  • Establish the reason for unauthorised access.
  • Consider the sensitivity of the data and the risk to which the patient(s) have been exposed and consider whether the patient(s) should be informed.
  • Take appropriate disciplinary action.
  • Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.

3) Inadequate disposal of confidential material (paper, PC hard drive, disks/tapes):

This type of incident is likely to be reported by a member of the public, a patient affected, or a member of staff:

  • Investigate how the electronic or paper data left the practice by interviewing staff and contractors as appropriate.
  • Consider the sensitivity of the data and the risk to which the patient(s) have been exposed and consider whether the patient(s) should be informed.
  • Take appropriate action to prevent further occurrences (e.g. disciplinary, advice/training, contractual).
  • Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.

4) Procedure for dealing with complaints about patient confidentiality by a member of the public, patient or member of staff:

  • Interview the complainant to establish the reason for the complaint and why the practice is being considered responsible.
  • Investigate according to the information given by the complainant and take appropriate action.
  • Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.

Staff Training Needs Analysis for Data Security and Confidentiality

All employees need to have annual refresher training on all aspects of Data Security and Confidentiality. This document is designed to act as a guide when training is being planned.

Employee Name______

Job Title______

Have you received appropriate training on the following topics, within the last year?

(Answer Yes / No / Unsure for each topic)

  • Physical Security of Manual Records    Yes / No / Unsure
  • Physical Security of Computer Records    Yes / No / Unsure
  • Computer Passwords    Yes / No / Unsure
  • Access to Patient Data    Yes / No / Unsure
  • Confidentiality and the Use of Patient Identifiable Information    Yes / No / Unsure
  • Media Handling (Storage/Transfer/Disposal)    Yes / No / Unsure
  • Telephone Enquiries    Yes / No / Unsure
  • Safe Haven Procedures    Yes / No / Unsure
  • Legal Requirements    Yes / No / Unsure
  • Caldicott Guidelines    Yes / No / Unsure
  • Sharing Information with Other Organisations    Yes / No / Unsure
  • Security of the Building    Yes / No / Unsure

Are there any other areas of data security and confidentiality that you feel you need further training on?

………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

Signature of Employee______Date______

Name of Manager ______

Action / Training plan:

……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….

Signature of Manager______Date______