In a digital world it’s easy to assume that everything is simple to share, but when it comes to something as important and confidential as the Mental Health Act, it is absolutely imperative to get it right. When we send a confidential document to a colleague, upload it to Rio or save it to a 3rd party software system, how do the non-techies amongst us know it is going to be kept safe? One of the key challenges Thalamos has had to overcome is how to share electronic medico-legal documents both securely and legally.
Every information sharing system has its advantages and its risks. For example, paper forms are very accessible and easy to use, but they are also easy to lose and, if lost, the patient’s information could be accessed by anyone.
An encrypted device with multi-factor authenticated bank-style log-in is very secure, but in the healthcare world it can be highly inaccessible. This is both from a hardware cost and day-to-day usage perspective. So, there is therefore a balance which has to be struck whereby potential risks are reduced, but accessibility maintained.
1. Am I able to accidentally send this document to the wrong person? In other words, how sure am I the file I’m sharing will only reach the right person?
2. If It does end up in the wrong hands is that person able to access sensitive information?
3. Can an audit trail be produced detailing what has happened to that document?
There are plenty of other things to consider when sharing electronic documents. Are files encrypted? What is the risk of them being hacked? Are documents editable? And so on. The reality is hacks are usually due to human error somewhere in the chain rather than a technical one. Therefore we believe the three key risks detailed above are the most imperative to get right.
These risks must be balanced with the four general requirements of information sharing in a healthcare setting:
1. Speed (done quickly)
Paper is definitely simple, but it doesn’t meet speed or certainty (that it will reach the correct destination) which puts its security into question.
Sharing PDFs is simple and can be done quickly. However, when it comes to certainty this is less easy to prove, even if using NHS.net. It is easy to make a mistake and send it to the wrong person or even to an external non-secured email. Plus there is no audit trail. It is also possible to have multiple versions of the same form “floating around” in inboxes, so how do you know you have the correct one?
If a computer is not encrypted and it is stolen, then a hacker could potentially expose the PDF publicly. Saving a PDF to a cloud/ software system rather than to the computer can mitigate this security risk providing access to the cloud is password protected.
Whilst NHS.net is a fantastic system, there are still legacy nhs.uk systems which do not meet the same NHS Digital Data Security Standards. It therefore cannot always be assumed that emails are secure. A secure system can be provided by having a firewall in place, running antivirus and anti-malware software and having a login and password complex enough that it cannot be accessed by an unauthorised person. Furthermore, the system should be patched* as soon as a new vulnerability is found.
It is hard to call Rio accessible for inter-institution sharing. To establish even a Rio-to-Rio solution with another trust is a very significant project. Neither swift nor simple as anyone who’s been involved with one of these projects will know all too well. However if done well it can be both certain and secure.
To conclude, it is possible to share electronic documents securely. It is about striking the right balance between simplicity and security. If you share electronic documents, even over NHS.net, be sure to password protect the documents, sharing the password through another means, such as a text message. It would also be worth requesting that the correct recipient acknowledges receipt. If using NHS.net make sure you know who you’re sending documentation to.
If using 3rd party software then ask the supplier why they share the documentation in the way that they do. Can they assure you that the balance between simplicity and security is right? Check they have the appropriate approvals, and levels of encryption. Then leave the more technical questions to the IG and IT Teams.
The questions to be asking of yourself and others are: Can I be sure who I’m sending this to? What happens if I make a mistake? How do I know it has been received without interception? Your technology provider should be able to answer those very succinctly in plain English. If they can’t, they probably aren’t all over the technical parts either.
For further information, read the Information Commissioner’s Office (ICO) guidance for Sending personal data by email.
* Patching is a set of changes made to a computer programme to fix, update or improve it. This includes fixing security vulnerabilities or bugs. Patches can also be referred to as bug fixes.
Daniel has over 20 years of experience leading projects and building software primarily within start ups. He has experience in several industries including business services, technology and financial services. More recently Daniel has shifted his focus to deploying his skills in health technology and, in particular, mental healthcare.
Register here if you’d like to hear more about Thalamos courses, news and updates.