Data protection and cyber security in social care

Data Protection Act 2018 in health and social care

The Data Protection Act 2018 modernises data protection laws in the UK, requiring health and social care providers to create a new culture of privacy through organisational policies and procedures.  The Act aims to safeguards individuals’ data by ensuring that health and social care staff are trained in the correct procedures for storing, sharing and securing data.

The Data Protection Act 2018 was designed to adapt the General Data Protection Regulation (GDPR), and EU Law Enforcement Directive (LED) into UK law. The Act sets out specific conditions for processing sensitive data in the UK and extends to areas of processing not covered by the GDPR or LED. The 2018 Act replaces the Data Protection Act 1998, which has been rendered obsolete by the development of the internet, digital data, and social media.

Advantages of data protection act in health and social care settings

The advantage of the Data Protection Act (DPA) is that it gives health and social care providers clear guidance on how to collect and use personal data in a way that prioritises the safety of the people they are caring for. This is essential in health and social care because people need to feel able to trust their carers with very intimate details of their lives.

The DPA’s rules are very thorough, and cover almost every possible scenario, leaving little room for doubt. They uphold the seven key data protection principles: lawfulness, fairness and transparency; purpose limitation, data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.

In addition, the DPA provides stronger protection for sensitive areas such as: health, ethnicity, sexual life, political opinions, religious beliefs, and criminal background.

Disadvantages of data protection act in health and social care

The disadvantage of the Data Protection Act (DPA) is that it places strict controls on how health and social care providers collect and use personal data. Care professionals are required to seek consent from people they are caring for if they need to collect personal data. This can be a challenge when dealing with vulnerable people who may lack the capacity to make decisions. Additionally, people have the right to have their records deleted, which can have a detrimental effect on the quality of the care they receive.

The health and social care sector is already under heavy pressure from increased demand, and the Data Protection Act is yet another area that overburdened care professionals need to get to grips with. Providers often lack the resources to provide the necessary training for their staff. Furthermore, they may have concerns that the DPA could be used to launch frivolous legal actions against them.

Security of data in health and social care

Security of data in health and social care is vital, but there are many challenges. Most providers are working with multiple interconnected systems, each with their own distinct risk vulnerabilities. In addition, providers also have external suppliers with their own systems and vulnerabilities. New technology is being introduced all the time, and providers often lack the expertise to evaluate their security features.

The use of legacy technology is still widespread, with many providers finding it too expensive to upgrade. Numerous providers are still using outdated digital care record systems, bought long before the NHS Transformation Directorate was created to set new standards for cyber security.

Overworked and understaffed providers typically lack the time and resources to devote on upgrading their organisation’s data security protocols. The solution is to recruit external security consultants, but this is hampered by the current UK-wide shortage of cyber professionals.

Overall, the health and social care sector is lagging in data security compared with other sectors, causing cyber security criminals to see it as an easy target.

Why is data protection important in health and social care? 

Data protection in health and social care is an extension of the provider’s duty of care, and must take into account the vulnerability of the person and the sensitivity of the data held.  A client’s health and care records contains their entire life history. Criminals could use the information in these records to steal the client’s money or identity, threaten and intimidate them, or carry out fraud by claiming to be a person from the client’s life.

The rapidly advancing technology of the Internet of Medical Things (IoMT) creates hitherto unknown and potentially devastating avenues of attack for cyber criminals. The risk occurs when a device can be remotely controlled through a computer or mobile app. Medical devices such as insulin pumps and pacemakers could be hacked, allowing cyber criminals to operate them remotely to cause harm, say by triggering an insulin overdose.

The special nature of the health and social care sector means the consequences of a data breach can be significantly more devastating than for other sectors. The potential risks are not only monetary loss, disruption of services, and reputational damage, but also threats to the very health and wellbeing of vulnerable people.

What is data protection in health and social care?

Data protection in health and social care starts with identifying the most common cyber security risk scenarios and drawing up appropriate cyber security measures to mitigate possible threats. The guiding principle of data protection is to safeguard personal data from corruption, compromise or loss.  

There are six key areas of data protection:

IT security

IT security is the first line of defence against attempted unauthorised access to an organisation’s data assets. Most modern cyber security solutions incorporate automated processes that prevent common hacking attempts such as trying to force entry with multiple random passwords.

Although many cyber criminals aim to steal sensitive data, others will simply seek to cause disruption to services by blocking access to IT systems. Providers need to ensure continuous delivery of care to people.  By making frequent backups, they can be certain that vital data may still be accessed if systems go down.

Physical security

Remember that data is data, whether it’s held digitally or in paper form. Many providers are anxious about entrusting their data to a digital system while being oblivious to the risks already present in their paper systems. Providers can be alarmingly lax about protecting paper records including , often leaving paper files unsecured and unguarded. Paper files containing sensitive  data have been left on trains, in cafes, and even tossed into rubbish bins.

Mobile devices

Mobile devices including laptops, tablets and smartphones are a key area of vulnerability due to their frequent use outside the security of the health or care environment. Very often mobile devices are left lying around unattended, allowing anyone to pick them up and access confidential information. A simple and effective remedy is to enforce automatic timeouts on all mobile devices.

Many organisations allow staff to access company software on their phones, but this can create easy entry points for hackers. Bring your own device (BYOD) policies are essential to enforce data safety protocols, thereby safeguarding the sensitive data accessed on staff members’ phones.

Logins and passwords

Although most people understand the role of passwords in data protection, in practice they can be alarmingly lax when it comes to password security. Too many people are using their favourite sport’s team or kid’s name plus a number as their password. Even worse, in many offices you will see passwords on sticky notes stuck on the side of computers.

The National Cyber Security Centre recommends using three random words for a secure password. This is both easy to remember and almost impossible to hack. When juggling multiple passwords, a password manager tool is a simple and secure solution.

Policies and procedures

Policies and procedures in health and social care are necessary to set out clear guidance to staff about appropriate procedures in different scenarios. Staff need to know what they can and cannot share. For example, if a client in a care home forms a relationship with another client, staff should be aware that it may not always be appropriate to share this with family members.

Even minor details can be vital, such as requiring staff to face their computer screens away from uncovered windows to prevent confidential data being viewed by passers-by.

Policies also need to address the high turnover of staff in the health and care sector. All too often, when staff leave, they retain valid passwords which could be used to access or alter client records. Drawing up a checklist of permissions that need to be revoked when former staff leave is one way to prevent this.

Training and awareness

Staff who are inadequately trained and lack cyber security awareness are a key vulnerability. Data breaches are mostly due to human error, not technical shortcomings. A common example is falling prey to phishing attacks. People open emails without checking the email address is legitimate and click on things they shouldn’t. A common tactic used by hackers is to send out an email claiming to be about an unpaid invoice, asking readers to click on link to see the details.

Hackers know how to target people’s natural instinct to help. In one instance, a hacker was able to bypass multi-factor authentication (MFA) by repeatedly pinging a staff member’s phone until they approved access without bothering to check. People need to be trained to question why their phone might asking them to approve access when they are not trying to access the system.

Staff need to also be aware that actions made with the best intentions can have serious consequences. For example, a staff member might post a photo of their client Peter on their social media with an accompanying message about how much they enjoyed their day looking after Peter. Unfortunately, the photo might contain clues to Peter’s address, thus broadcasting the location of a vulnerable person to potential criminals.

Storing data online securely in health and social care

Storing data online securely in health and social care should be a priority for every provider. Data needs to be protected from unauthorised access, alteration, or deletion. The protection must extend throughout the life of the data, until it is no longer needed and can be safely erased. The protection must hold even when data is passed to authorised third parties.

What security should be in place for records in care?

Data is protected at rest

Disc encryption should be used on mobile devices and removable media which are vulnerable to loss or theft. The encryption converts all data into code that is unreadable to everyone except for authorised users.

Data is protected in transit

Unencrypted communications are a golden opportunity for cyber criminals to acquire sensitive data by spoofing a service. Secure, encrypted and authenticated application protocols should be used as standard with recourse to Virtual Private Networks (VPNs) where needed.

Access to data is strictly controlled

Access to data should be made through secure interfaces that only allow users to access data that they need to know. Permission to access sensitive datasets should only be granted if there is a legitimate interest and user access should be carefully monitored.

Data is backed up

All essential data, including client data and business data, should be backed up in different locations. This ensures that operations can be resumed quickly in event of a cyber incident during which data is lost or destroyed.

Sanitise no longer needed devices

Devices which are no longer needed should be securely sanitised before they are disposed of. Sanitisation means that the data they contain is permanently deleted so it cannot be recovered and viewed by unauthorised persons.

Secure systems for recording storing and sharing information in care

Building a secure system for storing and sharing information is the best way to protect sensitive data in health and social care.

The ideal scenario is to construct a complete ecosystem with the latest cyber security features and services.

Unfortunately, this type of high-end setup is prohibitively expensive for all but the largest providers. A more realistic alternative is to partner with an established software supplier who can offer these advanced features at an affordable price.

Key things to look for in a secure system:

Certifications 

• ISO 27001: The international standard on information security which addresses people, processes and technology. 
• SOC 2: For managing customer data based on the five principles of security, availability, processing integrity, confidentiality and privacy. 
• GDPR: Demonstrates compliance with EU laws on collecting, handling, and protecting personal data of EU residents. 

Accreditations 

• Data Security and Protection Toolkit (DSPT): Recommended if they are holding information on individuals.
• Medicines and Healthcare products Regulatory Agency (MHRA): If they supply medical devices. 
• Care Quality Commission (CQC): For quality digital record keeping in social care. 

Security measures 

• Penetration testing: To make sure they’re secure enough to withstand a malware attack. 
• Version control: To track revision history throughout the development process. 
• Regression testing: To ensure updates do not introduce new bugs. 
• Multi-site hosting: To minimise downtime during an attack or server failure. 
• Disaster recovery plans: To formulate an effective response strategy in the case of a cyber attack. 
• Business continuity plans: To ensure operations can continue in the event of a cyber attack. 

Advanced technologies 

• Behaviour-based threat detection: To identify activity outside of normal behaviour patterns and sound alerts. 
• Next-generation firewalls: Look for advanced features such as integrated inclusion prevention, application awareness, and threat intelligence. 
• Tier 3 data centres: To ensure a high degree of uptime with diesel powered generators to take over in the event of power cuts. 
• Active-active data centres: If one data centre does down, another data centre will take over with no break in service. 

Data protection solutions

Data protection is a concern of all responsible health and social care providers. However, identifying key risk areas and drawing up preventative strategies can be a complex and daunting task. Care providers busy with the day-to-day running of their home simply don’t have the time to become experts in data protection and cyber security.

This is why we created our Mastering Cyber Security in Social Care guide, which addresses the unique challenges faced by care providers around cyber and data security, and presents simple and effective solutions. Featuring input from experts from Digital Social Care, Care England, and The Access Group, our guide will tell you all you need to know to keep the people you care for and your organisation safe.

Download our Guide to Mastering Cyber Security in Health and Social Care

If you’re looking for an all-in-one care planning management solution that allows you to deliver effective, personalised care with the assurance that people’s data is safe and protected, consider Access’ Care planning software. The Access Group is an NHS England Assured Supplier of Digital Social Care Records (DSCR).

Feel free to contact us if you have any questions or want to book a demo.

Contact us or book a demo