
NIGB

NIGB IG Collaborative Workshops: The Reality of Delivering the Information Revolution. Break out Sessions: Information Risk. NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE. #NIGB #HSCIG. Leeds – Birmingham – London.


Presentation Transcript


  1. NIGB NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution Break out Sessions Information Risk NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE #NIGB #HSCIG Leeds – Birmingham - London

  2. Smartcards, Registration Authorities, Access & Integrated Care Philip Gill Apira June 2012

  3. What is RA?
     • A Registration Authority manages the registration and access control processes required to ensure that individuals who need access to NHS systems are identity checked to a satisfactory standard and are assigned appropriate access – Assurance of Identity and Access Control
     • Registration Authorities, by following guidelines and policies set out by CfH, ensure compliance with best practice and Government guidelines, and provide assured identity so patients can be confident their medical records are kept secure and safe.
     • This is therefore linked to the NHS Care Record Guarantee that all NHS staff are bound to
     • RA activity in the future will be managed through User Identity Manager (UIM)

  4. Governance (1)
     • Governance requirements are contained in DH Gateway Document 6244 ‘Registration Authorities: Governance Arrangements for NHS Organisations’
     • Outlines that each NHS organisation must have an RA
     • Clear that non-NHS organisations cannot (1 exception)
     • Lays out requirements
     • Backed up by NHS CFH Operational Process Guidance – it is just that, guidance, and is also written for the current RA software world rather than UIM

  5. Governance (2)
     • Gateway document states:
     • All NHS organisations are responsible for the registration of NHS CRS users whether their own staff or those of independent contractors, independent providers, voluntary organisations and other public bodies appropriate to that NHS organisation. They should do so within the policy and guidance frameworks of the Department of Health and Connecting for Health. These responsibilities in every NHS registration authority should be integrated into the host organisation’s Information Governance Framework.

  6. Governance (3)
     • An important policy change in November 2011 – non-NHS organisations will be allowed to have their own RAs after passing some form of assessment process (CFH letter 20 December 2011)
     • BUT this is now caught up in the hiatus around general NHS restructuring, so don’t expect any movement soon!

  7. So how might you work together?
     • While it is the NHS organisation(s) that need to ‘own’ the RA, it is possible to delegate some responsibilities to others under that organisational banner
     • For example:
     • Local Authority staff being granted access in the NHS organisation by the NHS organisation
     • Some RA tasks can be delegated to non-NHS organisations using that NHS organisational banner – such as RA agent activity
     • New registration software (UIM) allows the granting of access rights to be delegated more easily as well

  8. Access granted to non-NHS employees
     • Individual follows the normal processes for gaining access:
     • Approval for access
     • Identity assurance
     • Agreed access rights
     • Gains Smartcard & training and works accordingly

  9. Delegated Tasks
     • Non-NHS organisation has a secure N3 connection
     • RA agents trained in the system
     • RA agents provided with the kit to run some RA activities – note this can include printers, which can be purchased
     • Audit trail/reporting arrangements agreed with the NHS ‘host’ organisation to satisfy governance requirements

  10. A further step – granting of access rights by the non-NHS organisation
     • Traditionally this has been the area that some NHS organisations have found very uncomfortable
     • New registration software UIM allows for bundles of access rights to be created and then individuals assigned to these rights for a specific or open time period
     • Where effective governance arrangements are in place the NHS organisation could allow RA agents in the non-NHS organisation to assign individuals to these access rights – NOTE they cannot modify these access rights in any way
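The delegation pattern of slides 9 and 10 (host-defined access-right bundles, time-bounded assignment by delegated RA agents who cannot edit the bundles, and an audit trail shared with the host) as an added illustrative model; this is not UIM's code or data model, and all class, bundle and user names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class AccessBundle:
    """Bundle of rights defined by the host NHS RA. Frozen: no one downstream edits it."""
    name: str
    rights: frozenset

@dataclass
class Assignment:
    user: str
    bundle: AccessBundle
    start: date
    end: Optional[date]          # None = open-ended assignment

class DelegatedRA:
    """RA agents in a non-NHS organisation acting under the NHS 'host' banner.
    They may assign people to existing bundles only; there is no bundle editor."""
    def __init__(self, host_org, bundles):
        self.host_org = host_org
        self.bundles = {b.name: b for b in bundles}
        self.assignments = []
        self.audit = []          # audit trail reported back to the host organisation

    def assign(self, agent, user, bundle_name, start, end=None):
        bundle = self.bundles[bundle_name]           # KeyError if bundle does not exist
        start_d = date.fromisoformat(start)
        end_d = date.fromisoformat(end) if end else None
        if end_d is not None and end_d < start_d:
            raise ValueError("assignment must not end before it starts")
        self.assignments.append(Assignment(user, bundle, start_d, end_d))
        self.audit.append((agent, user, bundle_name, start, end))

    def rights_for(self, user, on):
        """Effective rights of a user on a given ISO date (union of live assignments)."""
        on_d = date.fromisoformat(on)
        rights = set()
        for a in self.assignments:
            if a.user == user and a.start <= on_d and (a.end is None or on_d <= a.end):
                rights |= a.bundle.rights
        return rights

def bundle_is_immutable(ra, name):
    """True if an attempt by anyone to rewrite a bundle's rights is rejected."""
    try:
        ra.bundles[name].rights = frozenset()   # FrozenInstanceError (an AttributeError)
    except AttributeError:
        return True
    return False

def example_ra():
    """Constructed sample: a host trust delegates assignment of two bundles."""
    nurse = AccessBundle("Community Nurse", frozenset({"view_record", "add_note"}))
    clerk = AccessBundle("Admin Clerk", frozenset({"view_demographics"}))
    ra = DelegatedRA("Example NHS Trust (constructed)", [nurse, clerk])
    ra.assign("la.agent1", "j.smith", "Community Nurse", "2012-06-01", "2012-12-31")
    ra.assign("la.agent1", "a.jones", "Admin Clerk", "2012-06-01")   # open-ended
    return ra
```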

  11. The Future
     • Where will RA sit in the future?
     • Abolition of SHAs – loss of the RA hierarchy – will the National Commissioning Board pick this up? Have they thought about it?
     • Clinical Commissioning Groups – who will undertake RA for the primary and community care sectors?
     • What will the assessment process for non-NHS RAs look like?
     • Will Smartcards be retained? – look at single sign-on progress

  12. Questions?

  13. NIGB NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution Break out Sessions Information Risk NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE #NIGB #HSCIG Leeds – Birmingham - London

  14. Identifying and Managing Information Assets NIGB Workshop

  15. Presenter David Stone Managing Consultant 07947 052704 david.stone@apira.co.uk Apira Limited www.apira.co.uk

  16. Information as an asset: infinitely shareable; value increases with use; value increases when combined; shared ownership. Adapted from: Vogel, L (2003). Finding value from IT investments: Exploring elusive ROI in Healthcare. Journal of Healthcare Information Management; Vol 17, No 4

  17. Information Governance Maturity Model

  18. Information Assets (ISO27005)
     • Primary assets: business processes & activities; information (in transit, at rest)
     • Secondary assets: hardware, software, network, personnel, site, organization’s structure
     • Risks and mitigations

  19. Primary Assets =

  20. Secondary Assets + -

  21. Direct Patient Care IA Indirect Patient Care IA

  22. Managing Information Assets (IA) – primary assets; secondary assets: hardware, software, network, environment
     • Is the data personal, sensitive or corporate?
     • What is the retention schedule?
     • Who is accountable?
     • Who is responsible?
     • Who has access?
     • How much of the risk is inherited from the secondary assets?
     • What controls mitigate the risk?

  23. Identifying Information Risks (in transit) 308 202 209 324 207 110

  24. This dog bites! Generic Risk Assessment. It’s not the 99 times you get it right: it’s the 1 time you get it wrong

  25. Managing Information Assets (IAs) – IA registration, characteristics and risk assessment
     Audit of IAs:
     • 206: Confidentiality audit
     • 404: Multi-professional records audit
     • 406: Availability of records audit
     • 505: Internal and external coding audit
     • 506: Coding audit programme
     • 507: Completeness and validity audit
     • 604: Information lifecycle audit
     Risk assessment and controls:
     • 301: Risk assessment programme
     • 307: Risk register
     • 323: Risk assessment
     • 303/304/305: Access control
     • 309/310: Business Continuity and Disaster Recovery
     • 311: Virus protection
     • 313: Network security
     • 314: Mobile, home and remote working security

  26. Obtaining consent and respecting dissent

  27. Content

  28. People Controls

  29. Organisational Controls

  30. Q&A

  31. NIGB NIGB IG Collaborative Workshops The Reality of Delivering the Information Revolution Break out Sessions Information Risk NATIONAL INFORMATION GOVERNANCE BOARD FOR HEALTH AND SOCIAL CARE #NIGB #HSCIG Leeds – Birmingham - London

  32. Contract Clauses and Risk NIGB Workshop

  33. Presenter David Stone Managing Consultant 07947 052704 david.stone@apira.co.uk Apira Limited www.apira.co.uk

  34. MOST IMPORTANT You must understand the difference between a Data Controller and a Data Processor

  35. IGT
     • 110: Contracts with legal entities
     • 111: Contracts with people
     • 112: Training to ensure policy compliance and mitigate risk
     • 205: Subject Access Requests
     • 210: Change control including Privacy Impact Assessment
     • 302: Incident reporting
     • 603: Freedom of Information Act

  36. Applicable Law
     • Data Protection Act
     • Computer Misuse Act
     • Freedom of Information Act
     • Human Rights Act
     • Common Law Duty of Confidentiality

  37. Data Protection Act Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless— (a) the processing is carried out under a contract— (i) which is made or evidenced in writing, and (ii) under which the data processor is to act only on instructions from the data controller, and (b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle. DPA 1998 Schedule 1, Part II, 12

  38. Data Protection Act Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle— (a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and (b) take reasonable steps to ensure compliance with those measures. DPA 1998 Schedule 1, Part II, 11

  39. DH Standard Commissioning Contract 2012/13
     • Part E (60.3 and sub clauses)
     • To the extent that the Provider is acting as a Data Processor on behalf of a Commissioner …

  40. Controls and Assurance: people, audit, technological, organisational
