The Evolving Role of the NHS SIRO and IAO

Upload: amish

Post on 29-Jan-2016


TRANSCRIPT

Page 1: The Evolving Role of  the NHS SIRO and IAO

The Evolving Role of the NHS SIRO and IAO

Please read the information pack that has been placed on your chair before we start

Page 2: The Evolving Role of  the NHS SIRO and IAO

Housekeeping

• Fire alarms
• Exit routes and assembly point
• Toilets
• Mobile phones
• Smoking areas
• Refreshments
• Questions

Page 3: The Evolving Role of  the NHS SIRO and IAO

Agenda

• Welcome and session introduction
• Session 1 – The Roles and Responsibilities (45 mins)
• Session 2 – Acute Case Study One (45 mins)
• Break
• Session 3 – PCT Case Study Two (45 mins)
• Close of session and opportunity for Q&A

Page 4: The Evolving Role of  the NHS SIRO and IAO

Introductions

• Presentation team
• Attendees
• Aims of today’s event

Page 5: The Evolving Role of  the NHS SIRO and IAO

Why is it important that you are here?

• Public, professional, organisational and political confidence in our ability to protect sensitive personal and business data is vital

• Information risk management is deceptively easy

• Improving information risk management at an enterprise level can involve changing cultures, processes and technologies across an organisation

• Benefits are hard to measure

Page 6: The Evolving Role of  the NHS SIRO and IAO

Driving Business Benefits

Repeating disparate information risk management techniques across the organisation is inefficient and unlikely to succeed because:

• Securing one system often requires changes to others
• Investment in one system may undermine security in another
• Overall performance may be constrained by factors such as style of information governance, cultural attitudes, HR policies and compliance monitoring
– These factors need to be addressed across the organisation rather than at the system level
• Costly
– There are economies of scale

Page 7: The Evolving Role of  the NHS SIRO and IAO

Mitigating Information Risk

Data breaches to incur up to £500,000 penalty

“New powers, designed to deter personal data security breaches, are expected to come into force on 6 April 2010. The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act”.

ICO Press release 12/1/10

Page 8: The Evolving Role of  the NHS SIRO and IAO

IA Delivery Model

Page 9: The Evolving Role of  the NHS SIRO and IAO

The role of the SIRO

“The NHS SIRO should be a member of the Trust Board, or equivalent level within NHS organisations without Boards, who is responsible to ensure organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist.”

Page 10: The Evolving Role of  the NHS SIRO and IAO

The role of the IAO

Information Asset Owners:

• are directly accountable to the SIRO in this role

• must provide assurance information risk is managed effectively for the information assets that they ‘own’

• may ‘own’ several assets that include components used in assets of other IAOs e.g. shared hardware and software

Page 11: The Evolving Role of  the NHS SIRO and IAO

The supporting role of IAAs

Information Asset Administrators (IAA) are:

• Usually operational managers who are familiar with information risks in their area or department, e.g. Security Managers, Records Managers, DP Officers, Internal Audit, Department Heads, etc.

Page 12: The Evolving Role of  the NHS SIRO and IAO

Relationships

[Diagram: Risk Policy, Risk Management, IG Activities and Assurance mapped across the SIRO, IAO and IAA roles]

Page 13: The Evolving Role of  the NHS SIRO and IAO

Components of an Information Asset

Personal Information Content
• Databases and data files
• Back-up and archive data
• Audit data
• Paper records (patient case notes and staff records)
• Paper reports

Software
• Applications and System Software
• Data encryption utilities
• Development and Maintenance tools

Other Information Content
• Databases and data files
• Back-up and archive data
• Audit data
• Paper records and reports

Hardware
• Computing hardware including PCs, Laptops, PDA, communications devices e.g. BlackBerry and removable media

System/Process Documentation
• System information and documentation
• Operations and support procedures
• Manuals and training materials
• Contracts and agreements
• Business continuity plans

Miscellaneous
• Environmental services e.g. power and air-conditioning
• People skills and experience
• Shared services including Networks and Printers
• Computer rooms and equipment
• Records libraries

Page 14: The Evolving Role of  the NHS SIRO and IAO

Positioning Information Risk

• Information Risk Assurance & Management (IRA&M) must be considered in a structured way alongside other NHS business risk:
– All NHS organisations should have the means to effectively identify, assess and address their information risks
– Evidence of risk consideration will allow a proportionate response

Page 15: The Evolving Role of  the NHS SIRO and IAO

Business Impact Analysis

Business Impact Analysis (BIA) is:

• A formal mechanism to help identify essential functions and assets

• A key stage of the IRA&M process

• Essential to understand the business values, dependencies and impacts that affect an information asset

Page 16: The Evolving Role of  the NHS SIRO and IAO

Staff Training and Awareness

• Critical issue for the effective management of information risk

• All staff and contractors who have access to personal data must undergo annual training concerning information risk awareness

• The SIRO should verify a process exists to ensure staff and contractors receive this training on induction and annually thereafter

Page 17: The Evolving Role of  the NHS SIRO and IAO

Audit

• The DH-ID IG Policy and Planning team have been working with the Audit Commission to develop an ‘Audit Handbook’.

• The handbook will describe the audit requirements in detail and is due to be released in conjunction with the IG Toolkit version 8, due end of June 2010.

Page 18: The Evolving Role of  the NHS SIRO and IAO

Information Risk Considerations for Boards

• “What have we done as a board to understand the information risks that we are accountable for managing?”

• “What were the outcomes of our most recent reviews of the risks to our key information assets and have all reasonable steps to mitigate against these risks been taken?”

• “Do we, as an organisation board, have the capacity and capability to ensure that information incidents are quickly identified and effectively managed with lessons learned appropriately?”

Page 19: The Evolving Role of  the NHS SIRO and IAO

End of Session 1

Page 20: The Evolving Role of  the NHS SIRO and IAO

Acute Scenario

NHS Information Governance

Page 21: The Evolving Role of  the NHS SIRO and IAO

Background

• A small Acute Trust hospital, which would have been a district general at one time
• Has fewer than 2000 staff, many long serving
• Mainly new executive directors with little corporate memory
• Some long serving clinicians are finding it difficult to adjust to the new competitive health economy and are resistant to change
• Robust Information Governance in IT, but keen to improve, aware of some weaknesses and in the process of recruiting additional resources

Page 22: The Evolving Role of  the NHS SIRO and IAO

Incident

• The GUM clinic Office Administrator makes an initial call for assistance in the management of scanned records to the ICT Helpdesk
– This was prompted by her return from long-term sickness and the departure, before her return, of the temp, who destroyed/disposed of information before she left and provided no handover

• The ICT helpdesk engineer identifies this as a possible new data flow and in need of investigation

• A helpdesk alert is issued to the Information Security Manager for further investigation

Page 23: The Evolving Role of  the NHS SIRO and IAO

Investigation

Interview with the Office Manager identified key issues:

• Historically, records for specific clinics have been subject to special treatment as a response to limited storage space

– Records considered not sensitive as patients in GUM clinics are given the opportunity to give a false identity

• A supplier had been requested (there was no contract) to:
– Collect paper files
– Scan them to a digital image
– Destroy the paper files
– Return scanned images

Page 24: The Evolving Role of  the NHS SIRO and IAO

Report 1

Procurement
• There was no copy of a contract or any agreement between Trust and supplier
• There was no confirmation from the supplier of compliance with national requirements
– The supplier subsequently provided assurances that their system would comply with national guidelines

Records Management
• There was no protocol for the selection or logging of records given to the supplier. Approximately 70 records had been handled by the supplier for a trial run
• There was no record of the individual files sent
• There was no confirmation of file destruction
• There was no record or correlation of the files returned
• There was no record of checking the quality of the images

Page 25: The Evolving Role of  the NHS SIRO and IAO

Report 2

Training
• The Office Manager had completed the Trust’s own E-learning Module on confidentiality
• The Office Manager had not completed the E-learning Module on the Information Security Policy

Immediate Actions
• The Office Manager has been advised to halt any further removal of records until the issue is resolved
• The Office Manager has requested the return of the CDs held by the proposed new supplier of the test batch of records
• The Security Manager is to engage with the proposed new supplier to establish whether or not the test batch of records has already been destroyed and, if so, what verification is available, and if not, get them back

Page 26: The Evolving Role of  the NHS SIRO and IAO

Next steps

• The Trust decided to initially declare this as a Level 2 Serious Untoward Incident, while they moved on to the next stage of investigation to establish the full scale of the incident

• The incident was recorded on the local (Datix) and external (STEIS) databases within 48 hours

• Terms of Reference for the SUI Panel were developed

Page 27: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt 1

Fault/weakness in local system management controls:
• No evidence of involvement by other senior staff in the development of this process
• Inadequate third party support and maintenance contract in place
• No evidence of Contract or Non-disclosure agreement in place

Page 28: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt 2

Ineffective operational system management arrangements in place:
• No evidence of involvement by other senior staff in the development of the process for digitising GUM clinic records
• Service compromised by non-adherence to documented support procedures in central policies
• Lack of awareness of Information Security Policy, Code of Conduct for Confidentiality, Medical Records Policy and Standing Financial Orders

• Service compromised by absence of documented support local procedures

• No guidelines or procedural documentation for the process undertaken

Page 29: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt 3

Teamwork Shortcomings?
• Supervision was available but not sought
• No evidence provided that any advice was sought from ICT, Finance or Medical Records in the creation of the process

Skills or Performance Deficit?
• Induction content should be reviewed with regards to the introduction of changes and the need to refer to policies and management
• The original process was developed by a previous member of staff who has since left without any handover documentation

Page 30: The Evolving Role of  the NHS SIRO and IAO

End of Session 2

Page 31: The Evolving Role of  the NHS SIRO and IAO

PCT Scenario

NHS Information Governance

Page 32: The Evolving Role of  the NHS SIRO and IAO

Background

• PCT created by merging three, covering a large and rural area
• Severe financial constraints, resulting in poor relations with providers
• Mainly newly appointed executive directors with expanded and expanding portfolios

• Inherited mixed governance / management structures and disparate legacy IT systems

• 8000+ staff; long serving, low morale, frequent management restructuring; staff co-located with local Acutes

• Former PCTs scored between 33% to 64% in IGT; now less than 33%!

Page 33: The Evolving Role of  the NHS SIRO and IAO

Situation

PCT B
• Registered copy
• In use
• IT SLA from Acute
• Database not covered

Page 34: The Evolving Role of  the NHS SIRO and IAO

Incident

Report categorised the incident as “Non-Patient”

• Specialist Nurse using database ‘XXX’
• Patient contact information

• Clinical assessment

• Letters to GPs

• Audit clinical performance

• Database increasingly unreliable: on the day, the database failed on 5 occasions and reported 'disc error‘

• Restarting database = rebooting computer = loss of data

• Reported to Data Quality Manager in former PCT A

• Advised to report incident and send urgent email to him

Page 35: The Evolving Role of  the NHS SIRO and IAO

Investigation

• Database designed by GPwSI, recommended by a British Society and used nationally, but unstable

• Clinical management tool and service auditing tool functions

• Records demographic and clinical information including admissions and nurse contacts

• Print outs are filed in Acute Health Records

• Automated clinician letter of medications

• Patient data not stored locally, but transmitted securely to a server

• Supplier technical support very limited: updates and patches rarely available

• Local ‘workarounds’ add stability and anonymised extracts for research

Page 36: The Evolving Role of  the NHS SIRO and IAO

Report

In PCT A:
• Data Quality Manager requests additional copy of software from IT Dept in PCT B.

In PCT C:
• Database is set up and frequently fails.
• Failure reported by Nurse.

Requests for IT Support:
• PCT B – local Acute IT will not support (not in SLA).
• PCT C – local Acute IT will not support (not in SLA).
• PCT A – IT Dept report unregistered database to IG Manager.


Page 37: The Evolving Role of  the NHS SIRO and IAO

Risks and Impacts

• Risks:
– Technical
– Physical
– Administrative

• Impacts:
– Service Provision
– Financial
– Reputation
– Staff

Page 38: The Evolving Role of  the NHS SIRO and IAO

Issues

• Information Asset Owner and Administrators
– SIRO
– IAO
– IAA

• Information Asset
– Identifying the Asset
– Identifying the Owner
– Setting the boundaries

Page 39: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt

No.  Management (a)                         Conclusion (b)
1.   Information Asset Register             Inadequate
2.   SIRO/IAO Framework                     Inadequate
3.   Operational Management                 Inadequate
4.   Governance                             Inadequate (Line management)
5.   Information Risk Register              Inadequate (Corporate Risk Register)
6.   Information Asset Ownership            Inadequate
7.   IT SLA                                 Inadequate (unwritten)
8.   Info Gov Leadership / Accountability   Inadequate (eg add to risk register)
9.   IG Assurance                           Inadequate (eg report to SIRO/IG SG)
10.  Software Accreditation                 Inadequate (unregistered)

Page 40: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt

No.  System (c)                      Conclusion (d)
1.   Database                        Inadequate (unfit for purpose)
2.   Data Quality                    Inadequate (Loss of data)
3.   System Accreditation            Inadequate
4.   Introduction of new systems     Inadequate
5.   Business Continuity             Inadequate (No plan eg backups)
6.   Procurement Control             Inadequate
7.   System Patching                 Inadequate
8.   Compatibility with Strategies   Inadequate

Page 41: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt

No.  Process (e)                 Conclusion (f)
1.   Security Procedures         Inadequate
2.   Documented Procedures       Inadequate
3.   Policies and Procedures     Inadequate (No PCT standard)
4.   Incident Reporting          Adequate
5.   Investigation carried out   Adequate
6.   Findings considered         Inadequate
7.   Incident Feedback           Inadequate
8.   Learning from Incidents     Inadequate

Page 42: The Evolving Role of  the NHS SIRO and IAO

Lessons Learnt

No.  People (g)                 Conclusion (h)
1.   IT expertise               Inadequate
2.   IG Awareness (General)     Inadequate
3.   User Training              Inadequate
4.   Levels of Authority        Inadequate
5.   Organisational Identity    Inadequate

Page 43: The Evolving Role of  the NHS SIRO and IAO

Cultural Paradigm

PARADIGM
• NHS is ‘good’
• Public service
• Free at point of delivery
• Clinicians’ values
• Doctor knows best

SYMBOLS
• Terminology
• White Coats/Uniforms
• Big institutions
• Retinues
• Offices

STORIES
• Cures
• Villains
• Change agents are fools
• Abuse of managers
• ‘They’ say/do

POWER
• Professional bodies
• Clinicians
• Senior Executives
• Regional bodies
• Politicians

ORGANISATION
• Hierarchical
• Mechanistic
• Pecking order
• Sub-ordination
• Tribal/functional

CONTROLS
• Performance reporting
• Financial reporting
• Professional responsibility

RITUALS & ROUTINES
• Consultation
• Ward Rounds
• Patient infantilising
• Pass the buck

Page 44: The Evolving Role of  the NHS SIRO and IAO

Information Risk Considerations for Boards

• “What have we done as a board to understand the information risks that we are accountable for managing?”

• “What were the outcomes of our most recent reviews of the risks to our key information assets and have all reasonable steps to mitigate against these risks been taken?”

• “Do we, as an organisation, have the capacity and capability to ensure that information incidents are quickly identified and effectively managed with lessons learned appropriately?”