Healthcare technologies must protect patient data, as well as support care and treatment. Privacy, security and confidentiality are red hot topics in the healthcare sector. Sensitive personal data has to be kept safe from unauthorised access, misuse, corruption and loss. The law demands this and patients expect this. Yet, at the same time, the healthcare sector needs to be efficient and productive. Security cannot become a barrier to the delivery of patient care. In life and death situations and cases of urgency doctors, nurses and paramedics should not be impeded by archaic technological processes, or unnecessary worry about compliance with confidentiality, privacy and security law.
In this paper we identify and discuss the core legal framework for confidentiality, privacy and security in the UK and Europe, looking at how these topics are regulated and how the law treats failure. Our core proposition is that the law requires the healthcare sector to adopt ‘Privacy and Security Enhancing Technologies’ (‘PETs’ and ‘SETs’), but in order to satisfy the primary duty of care owed to patients, which is to afford them speedy and appropriate treatment, these technologies must be ones that are ‘business enabling’. Both issues must be addressed in the procurement process and during the design of technology architectures. Focussing simply on the privacy and security considerations at the expense of efficient delivery of healthcare is legally unsustainable. PETs and SETs must also help to lower the barriers to patient care and treatment.
In this paper we will also outline what organisations are required to do in practice to protect patient data (based on UK and European enforcement action and guidance) and identify core functionality that can help organisations meet those requirements in a business efficient way.
Healthcare providers are totally reliant on electronic systems for the processing of patient data. Patient records contain some of the most sensitive and private information about individuals that is imaginable. Without appropriate PETs and SETs in place, there is an obvious risk that patient data will be accessed and used unlawfully.
The privacy and security of patient data is now subject to heightened public interest and regulatory attention, following many high profile cases of privacy and security breaches. This is evidenced in the enforcement action taken by regulators and in court judgements across Europe. Failure to comply with the law can lead to very serious legal consequences, including criminal prosecutions, penalties and sanctions, and significant operational challenges, such as business disruption, financial loss and damage to brand and reputation. In the last 3 years, the Spanish data protection authority has issued fines of over €40 million and the UK data protection regulator has issued fines of over £5 million for breaches of data protection law. These figures will be significantly higher when the proposed mega fines in the draft EU Data Protection Regulation are approved.
As healthcare organisations adopt new technologies and introduce more applications, each with their own privacy and security features and requirements, patient care and treatment may be impeded by doctors and nurses being subject to multiple login and authentication requirements resulting in more time being spent logging into systems and less time caring for patients.
Each new layer of login and authentication introduces another new barrier to productivity and efficiency. In healthcare, particularly in emergency situations, productivity and efficiency is a vital consideration and very often a life and death matter. What healthcare organisations need is business enabling privacy and security technologies. Technologies should protect the privacy and security of patient data in ways that are practical to use and which facilitate rather than inhibit productivity and workflow.