Without IG compliance, software development companies can’t really operate in the UK healthcare sector.
illumo digital’s relationship with Information Governance (IG) compliance concerns our software projects in the healthcare sector, working with a range of industry stakeholders – from pharmaceuticals and clinical research organisations, to specialist healthcare providers and commissioning groups – to use healthcare data in secure and appropriate ways.
Today’s NHS IG requirements are detailed and exhaustive. Hardly surprising when you consider the trail of data confidentiality catastrophes that have followed the world’s biggest healthcare organisation over the years, from hard drives containing sensitive patient data being sold on eBay to some records even being posted on social media. All this means that IG compliance – and the principles underpinning it – has never been more important.
Indeed, concerns about illegitimate access to valuable patient data are running so high that the UK Government’s own scheme designed to facilitate such access has just been scrapped.
So here is a summary of the requirements for IG compliance that commercial third parties need to implement in order to participate in the big e-health innovations.
Information Governance Management
- Establishing personal responsibility for ongoing IG compliance by named individuals.
- Creating and maintaining a coherent, actionable policy for IG management.
- Ensuring all staff contracts are written to clearly indicate IG responsibilities.
- Ensuring relevant, up-to-date staff training and education for IG requirements.
The challenges here are not all that taxing if you routinely invest in training, and already have data governance and intellectual property protections baked into your contracts. We benefit from a lower-than-average staff churn rate which makes it easier for us to ensure continuity over responsibilities and ownership.
Confidentiality and Data Protection
- Strict adherence to the Data Protection Act (DPA), particularly in relation to obtaining consent from individuals before using or sharing their data.
- Ensuring that patient identifiable data continues to be treated under DPA and UK Department of Health rules even when the data is processed outside of the UK.
- Ensuring all access to confidential data is continuously monitored and audited.
- Developing and implementing any new processes, services, information systems, or other relevant information assets in a secure and structured manner.
- Ensuring all data transfers are secure and confidential.
Perhaps the biggest challenge for organisations here is ensuring they innovate in line with IG compliance. This necessitates having fit-for-purpose policies in place for the development process to follow from initial scoping all the way to infrastructure management.
As regards the other requirements, the DPA dates back to 1998, so software development companies should already be abreast of its requirements, with mature policies and processes that ensure consent safeguards. Clearly, any organisation that offshores development work to subcontractors in foreign jurisdictions faces significant challenges in maintaining compliance with IG standards. Such protections are becoming more commonplace in compliance mandates, such as the EU GDPR (General Data Protection Regulation).
- Maintaining a comprehensive information asset register.
- Creating and maintaining effective information security policy and procedures governing all ICT networks in addition to mobile computing and teleworking provisions.
- Ensuring physical security measures are in place to guard against unauthorised access to data.
- Ensuring appropriate access control to operating systems and information assets, with managed access rights for all applicable users.
- Ensuring plans and procedures for successful business continuity in the event of power failure, system crash or any other disruption.
- Maintaining documented incident management reporting processes.
This final set of requirements demands a vigilant cybersecurity posture, underpinned by investment in applicable security technology. These rules don’t – as some people suggest – favour the largest and best-resourced software development companies over the smallest. In fact, the opposite could even be true, as agility and adaptability to change matter more than size. In its latest review of data standards at the NHS, published earlier this summer, the Care Quality Commission (CQC) found that information security standards were not sufficiently designed around technology, people and processes – so we expect IG compliance to be toughened up even further in this respect.
Achieving IG compliance is a vital step in contributing to the future of healthcare innovations that rely upon secure yet open, restricted yet available access to confidential information. It has enabled illumo digital to take part in some extremely valuable projects that have benefited patient outcomes.
But IG compliance must continue to keep pace with the new demands of e-health. More changes to its requirements are inevitable to address new vulnerabilities and ensure a safe place to innovate using sensitive data.