Enter the CCG: on IG, security, and the fear of being shot

  • 8 March 2016
What speed limit would you pick? What speed limit would you pick if the penalty was to be shot?

I’ve just returned from chairing a national conference on ‘Protecting patient information’ organised by THINK Healthcare.

The conference covered data security, information governance and cyber crime, and it proved to be utterly fascinating – not just because of the content of the individual lectures but because of the unexpected emergence of a highly significant set of common threads.

Fear stops good things happening

I’d been asked to start the ball rolling by discussing the practical problems of sharing data in the complex NHS – with its scores of different providers and subcontractors – and, especially, in the field of preventive medicine.

It can be so difficult for the average clinician to know with certainty whether to share, or not to share; whether formal consent needs to be obtained, perhaps even in writing; and so on. Even as someone who is supposed to be knowledgeable on things like this, I find the whole subject utterly daunting.

The trouble is that there is, potentially at least, a £500,000 fine awaiting if you get information governance wrong.

Yes, comforting noises have been made in the past by representatives of the Information Commissioner’s Office about how no clinician has yet been penalised in this way. But it doesn’t matter what happened in the past: no-one wants to be the first to be punished in the future.

That’s one reason why the default position so often seems to be: “I’m not going to put my head above the parapet: I’m not going to volunteer to share.”

An analogy may help. We’ve all had the experience of driving in an unknown, semi-rural area and suddenly being unsure of the current speed limit. So what speed do you go at? Some would choose 30 mph; others, 40 mph; a handful might even select 50 mph.

But what if the penalty for exceeding the speed limit was to be hauled out of your car and summarily shot? Without doubt you’d choose 30 mph. And at heart, that is why so many clinicians opt for the careful approach: uncertainty plus draconian penalties creates utterly cautious behaviour.

Be clear. Then be clear about that

On the cyber crime front, I wrote about this topic last month, lamenting the difficulty the NHS faces in having a centre of cyberprotective excellence in CareCERT that has no mechanism or (especially) resources to mandate NHS organisations to use up-to-date hardware and software. Which, potentially, exposes them to hackers.

Wouldn’t it be good if the Health and Social Care Information Centre could publish a list of Windows and Internet Explorer requirements for all popular software used within the NHS, so users could easily check that any planned local upgrade wouldn’t interfere with other standard NHS IT functionality, such as smartcards?

This simple idea met with a warm response at the event, where delegates could easily see how useful and important such a list might be. This was where a variety of common themes started to emerge (themes which apply to all areas of the NHS, not just data safety). These include:

  • The need for clarity over what the law and NHS regulations require individuals to do
  • Communication of that clear view…
  • …and the recognition of the disjunction between the understandings and perceptions of the leaders of many NHS organisations, and the needs and perceptions of the workers at the coalface.

1. The need for clarity

I couldn’t count the number of times I’ve felt bewildered by the plethora of recommendations, protocols and legal restrictions relating to my work as a GP. Fortunately, when talking to the experts, things have often become a great deal simpler.

Perhaps I’ve got the wrong end of the stick; or alternatively information is actually available, but difficult to access (I’m not alone: for example, my peers are just as confused about data sharing as I am. I’ve often wished that we had a resident lawyer at the clinical commissioning group to guide me).

2. The need for communication

Nevertheless, there is little point in having a clear view of the overall situation if that clarity mainly exists in the top echelons of the NHS and hasn’t been disseminated effectively to the troops.

Managers of specialised, high-powered groups in the NHS can be (rightly) confident in their own expertise and understanding of the situation. That’s their day job. By comparison, for most frontline healthcare workers the day job is looking after patients: related subjects like IG and IT security inevitably have to take a back seat.

Clear, comprehensive communication of duties and responsibilities concerning these specialised areas is therefore essential. Guidance needs to be easily available, rather than buried in the recesses of a website or at the end of a daisy-chain of hyperlinks.

Explanations and examples also need to relate to real-world examples, not sanitised ones (real-world problems are inevitably fuzzy and imprecise).

3. The disjunction

I don’t think that the potential disjunction between the top echelons of the NHS and the frontline workers can be emphasised enough – but I’m not being accusatory here, really I’m not: often the experts in charge genuinely don’t realise the practical problems of those working at the coalface.

Sometimes they are surprised that anyone finds the subject to be that difficult; often they are convinced that they’ve already communicated sufficient guidance.

Many organisations seem unaware of the complex difficulties frontline workers experience; of their struggle to acquire related information in sufficient detail; and crucially, the lack of — and the need for — official shortcuts and published workarounds.

Gratifyingly, when misunderstandings and lost opportunities are pointed out, managers are often genuinely surprised (and saddened) and want immediately to step in and help.

The message

The overall message for all NHS organisations is simple and practical:

  • Be ultra-precise about what you’re asking for
  • Communicate your ideas clearly, and make them easy to access
  • Listen to the needs, comments and suggestions of those at the coalface
  • Take time to create shortcuts and workarounds for frontline staff. 

Dr John Lockley

Dr John Lockley is clinical lead for informatics at Bedfordshire Clinical Commissioning Group and a part-time GP.
