Dame Caldicott’s initial investigation was commissioned in September 2015 by Health Secretary Jeremy Hunt and the Care Quality Commission (CQC). Her review gathered evidence and conducted interviews with key organisations such as GPs and other clinicians, social services, and the Information Commissioner’s Office (ICO). In her review, Dame Caldicott said: “There are cases where … trust has been eroded by data breaches, such as when emails containing sensitive information have been sent to the wrong address, data is shared without consent, or people experience their records being misplaced or lost.”
Her report identified that outdated tech was a major, but not the only, vulnerability that plagues NHS Trusts. According to Dame Caldicott, software is not being used to its full potential and the best security solutions are not adopted wherever possible. One of the most crucial recommendations central to her review was an enhanced consent/opt-out model, where people are given a clear choice about how their data is used beyond their own personal care.
While it might seem that this advice on up-to-date tech and data protection has come rather late, these recommendations will be enforced under the Standard Contract (the mandate for the NHS in England) and kickstarted by an additional £21 million investment. This initial injection will aim to boost the resilience of major trauma sites as first priority as well as NHS Digital’s capabilities to identify and respond to threats.
The adoption of Dame Caldicott’s recommendations was confirmed in a White Paper from the Department of Health titled ‘Your Data: Better Security, Better Choice, Better Care’. According to the Government, NHS Improvement will publish a new ‘statement of requirements’ which will clarify how these recommendations become regulations. Hints of how they will be implemented already exist in Annex A of the report, which lists all ten recommendations alongside the ‘Government Responses’ to each.
In practice, one of these rules will force every NHS organisation to have a board member responsible for cyber-security. The Your Data report said: “Data security simply will not improve across the health and social care system without strong board level leadership which views and prioritises data security as importantly as financial integrity and clinical safety”.
Another will see the deployment of an Information Governance Toolkit, currently under development by NHS Digital, which will give advice on the correct procedures to be adopted by staff when handling personal data. The report said: “Leaders should use the Information Governance Toolkit to engage staff and build professional capability, with support from national workforce organisations and professional bodies”.
It is hoped that these implementations will prevent another WannaCry-esque attack, which the report concedes was a wake-up call for the NHS across the UK. In the wake of the attack, Chief Information Officer Will Smart is conducting a ‘Lessons Learned’ report, due for publication in October 2017.
In the meantime, NHS Health Services Scotland has been contacted by DIGIT, but has yet to comment. It remains unclear and somewhat surprising that Scotland seems set for no such boost, given that eleven of Scotland’s fourteen health boards as well as the Scottish Ambulance Service were also hit by WannaCry in May 2017.