NHS urged to take security steps ahead of Caldicott report

  • 23 May 2016
NHS organisations have been urged to appoint a senior information risk owner alongside a Caldicott Guardian – and to make sure that both are operating at “board or equivalent level.”

The move is one of a number of steps that have been urged on NHS organisations by the Care Quality Commission and the Office of the National Data Guardian, ahead of their reviews of data security in the NHS.

Health secretary Jeremy Hunt asked the CQC to review data security and Dame Fiona Caldicott, the national data guardian, to develop new data security standards for health and social care and to create a new patient opt-out model.

Both pieces of work are complete, but have been held up by civil service ‘purdah’ rules ahead of the local government elections and the EU referendum, which will take place on 23 June.

The CQC and Dame Fiona’s office have sent a ‘dear colleague’ letter to NHS organisations to formally update them on progress and to “highlight some of the key principles and actions that can be taken now in order to continue the important work of securing data.”

The letter says the review is themed around people, processes and technology, and that appointing a SIRO and Caldicott Guardian “at board or equivalent level”, and registering them with the Health and Social Care Information Centre, is an important first step.

Central government has been encouraging councils and other public bodies to appoint SIROs as part of its wider efforts to improve data security. The establishment of SIROs has also been required by the NHS since 2008, when it was included within the Information Governance Toolkit.

The reminder that NHS organisations should have SIROs as well as Caldicott Guardians in place suggests that some lack a person in the role, that there are concerns about the seniority of those appointed, or that some have not registered them with the HSCIC. The HSCIC has also established CareCERT, a computer emergency response team for health and care, to help organisations identify and respond to cyber security threats.

The role of the SIRO is to take ownership of an organisation’s risk policy, to advocate for this to be taken seriously by the board, and to sign off on risk issues in the annual report.

However, the ‘dear colleague’ letter stresses that all staff at all levels should have security training that meets a national standard, and says the HSCIC is looking at how this can be met.

On processes, the letter says that “all organisations should have processes in place to prevent data security breaches and to ensure that incidents or near misses are dealt with appropriately”, and that CareCERT will help with this. On technology, it says that organisations should be using up-to-date technology to support their IT estates.

The letter indicates that the new data standards that should now be published this summer have been designed around these three themes, and to apply as much to small care providers, such as GPs, as large acute trusts.

Dan Taylor, the head of the HSCIC's security operations, outlined how people, processes and technology fit together in a 'defence in depth' strategy in a new column for Digital Health's cyber security hub last week; read the column in features.
