Security

Apr 16, 2021

Whilst this might not seem like the most exciting topic, the security of the data your tech product may produce or store is really important. Imagine how you would feel if a patient's personal data got into the hands of an email phisher or fraudster – all the security measures organisations like the NHS have in place are to protect the data to ensure this doesn’t happen and that the people who use its services know their data is held safely.

Data, data, data

Each organisation will have slightly different processes but it's worth bearing in mind some of the common questions/areas you are likely to consider. The first and probably most important question is whether the tech will generate or store any personal data. If it does, does it need to? For instance, do you really need to have the patient's full name and DOB when a single name would do? Can the data be completely anonymised? Pseudonymised? Eliminate the use of personal data if you can.

However, if you definitely need to store personal data then the data processing regulations apply. This is where your local information governance team, along with IT, will be a real help. If you work in a small organisation and so don’t have your own information governance team, or you are working with companies outside your organisation, you will need to know some more info to be sure that the data you might give them is processed securely. Look out for ISO registration, particularly standard ISO 27001 which covers data security and protection; if they don’t have it, are they working towards it or do they have other accreditation, e.g. Cyber Essentials Plus?

Stay secure

In any case, you will need to consider what security measures you are taking. Can the data be encrypted? Can the data be managed in house? If you are working with external developers, what do they need access to? If they need to see the entire content, including patient info/images etc., to unpick any technical issues, they will need confidentiality agreements with your organisation.

If any data needs to be stored, is it stored in house or in the cloud? Are your local IT team willing to be responsible for the data? You will need to work closely with local IT to ensure they understand what the data are and so they can advise you on where the best place is for storage.

Clouds, clouds everywhere

If you can’t store data locally, can your IT team approve cloud storage? Don’t forget there is a cost for storing data in the cloud. The cloud is an on-demand service for hardware, software and data storage which you as the user don’t need to provision.

And where is the cloud based? In the sky is not an answer.

Where your cloud is matters because its physical location means it is subject to different rules about how it stores the data. Even if you are using an off the shelf product rather than designing one, you may need to ask these questions of the people who developed the technology you want to use – don’t assume because it is commercially available it’s ok. It might be, but healthcare organisations, particularly the NHS, set a pretty high standard for data security.

Written by Rachel Stockley and Kathryn Jarvis
