Practical Challenges of Healthcare Security

From time to time we will look at healthcare IT environments from around the world to see how different countries approach healthcare technology challenges. Below is the second in a series of guest posts on the English NHS from contributor Colin Jervis.

In the UK, an aging population threatens to increase demand for healthcare and social services. My last post looked at the features of the integrated care needed to stem this tide and some of the security and confidentiality issues raised by sharing between organizations. Really, the only answer in the short- and medium-term is better models of care supported by Information and Communications Technology (ICT).

In addition, Baby Boomers are now aging and are likely to be far more assertive than their parents about healthcare quality and delivery. And they often have better ICT at home than they encounter in a spell with the NHS.

For sure, the management of long-term conditions is likely to be a competitive arena for public and private sector healthcare providers. Even among traditional NHS providers we already see the formation of GP consortia and of secondary care providers hiring salaried GPs to create new organizations.

Supporting this are wireless connectivity and data integration, moving care away from traditional institutions and clinics and closer to the patient's home. But the great benefits this promises come with risks.

The NHS uses two-factor authentication to authorize access to systems that contain confidential patient data – password and smartcard. Something you know and something you have. This is practicable for most NHS staff; however, for some it is not.

In a busy emergency department with few end-user devices, the time taken for an individual to log out of and back in to the electronic patient record each time is unbearable. So, what tends to happen is that someone logs in with their smartcard at the start of the day and remains logged in until the end of their shift, letting their colleagues use their access rights. Not what is intended, but difficult to censure when clinicians put addressing patient needs before information governance.

Further, clinicians working mobile in the community often have issues with security. They can attend a patient at home and log in. Provided network access is good and there is continuous interaction between patient, clinician and machine, this is fine.

However, some clinicians, such as physiotherapists, may have longer interventions away from the machine. To comply with security policy, the device times out after a few minutes. Logging in again is a pain, not to mention the possibility that, for example, an inquisitive family member could access the unattended machine while the session is still open. In the world of remote-access security, form does not always follow function.

Two-factor authentication is sound; however, many ICT helpdesks will rate password resets as the biggest source of user calls. Passwords are not easy for most people to remember, particularly if the structure is prescriptive (for example, at least one capital letter, one digit and one symbol) and the password also has to be changed regularly.

Nothing of nothing comes. With the greater use of ICT and the benefits of instant access and mobility, we must trade something. There is no activity that carries no risk. Even if I lie in bed all day to avoid being run over by a truck or attacked by a mugger, I still risk the disbenefits of inactivity such as depression, heart disease and an overdose of comfort eating.

But how important to us is the confidentiality of healthcare information, particularly with the growth of wearable health devices and the smartphone app? I’ll address that in my next post.

What questions do you have?

Colin Jervis is an independent healthcare consultant. His book ‘Stop Saving the NHS and Start Reinventing It’ is available now. His website is kineticconsulting.co.uk, and he also posts on Twitter @colin_jervis.