6: Data security and data protection

Question 1

What are EHRs

Answer 1

EHRs are digital records that contain all of a patients medical details including their medical history, physical examinations, investigations and treatments

Question 2

What are some potential benefits of electronic health records

Answer 2

• Overcoming the shortcomings of paper-based records such as the lack of accessibility, errors and data loss
• Reducing errors by providing a comprehensive record of a patients medication and allergies
• Improving accessibility and storage space
• Aiding individual diagnosis by providing a comprehensive picture of a patients health information
• Improving public health outcomes by providing meaningful insights into specific conditions, preventative measures and medication use
• Identifying specific risk factors to improve patient outcomes such as diabetes + hypertension

Question 3

To what extent are electronic health records being introduced in the UK

Answer 3

• In October 2020, the Royal Devon and Exeter NHS Foundation Trust (RD&E) launched their electronic health record system.
• The system includes features like MyChart, a portal available via an app or online, and a gradual roll-out of a patient portal called MY CARE.
• The Trust assured patients who are concerned about using new technology or lack access that paper communications will continue to be used.

Question 4

What are the barriers for adoption of electronic health records

Answer 4

• Insufficient training and lack of knowledge among clinicians.
• User digital literacy and technical skills.
• Poor interoperability between different systems and technologies.
• Patient resistance, lack of trust in data privacy, and risk of data loss.
• Poor system quality, compatibility, and efficiency.
• Resource constraints, including device, time, and licensing constraints.
• Legal liability and lack of policies for appropriate and effective use.

Question 5

What are the four major ethical priorities for electronic health record

Answer 5

• Data and privacy
• Security breaches
• System implementation
• Data inaccuracies

Question 6

What is abrams taxonomy

Answer 6

Four ways data originates within a digital system.

Provided: Directly provided by users (e.g., signing up for an account).
Observed: Indirectly collected through tracking people or devices.
Derived: Obtained by combining datasets or simple processing.
Inferred: Produced using complex analytical methods and algorithms for profiling or categorization.

Question 7

Examples of data origins abrams taxonomy

Answer 7

Provided: Signing up for an account.
Observed: Tracking online activities or device usage.
Derived: Combining datasets or performing basic data processing.
Inferred: Predicting future health outcomes based on correlations and probabilities.

Question 8

Differences between inferred and derived data

Answer 8

inferred data: Based on probabilities and complex methods -> AI/ML
Derived data: Comes from combining datasets and simple processing.

Question 9

Usage of inferred data

Answer 9

Profiling or categorizing individuals based on algorithms and dataset analysis.

Question 10

What is the difference between pseudonymisation and anonymisation?

Answer 10

Pseudonymisation is the process of collecting and processing personal data in a way that it can no longer be attributed to a specific individual without additional information.
Anonymisation is where data is modified or processed to the extent that an individual is no longer identifiable, and the General Data Protection Regulation (GDPR) no longer applies.

Question 11

What is personal data

Answer 11

Personal data refers to information about a living individual that directly or indirectly identifies that person. It includes both objective data, like date of birth and address, and subjective information, like opinions and sensitive data. Personal data doesn’t have to be private information

Question 12

What is data privacy

Answer 12

Data privacy refers to the rights of individuals and organizations regarding the collection, storage, and use of information or data. It encompasses issues such as consent, notice, and the sensitivity of the data.

Question 13

What is data protection

Answer 13

Data protection refers to the process of safeguarding data and the laws and regulations that govern the collection, dissemination, and storage of information. It includes ensuring data integrity, protection against corruption, and privacy.

Question 14

What is data security

Answer 14

Data security is concerned with safeguarding information and ensuring that it is accessible only to authorized individuals. It includes measures such as authentication, data encryption, data masking, network protections, and data resilience.

Question 15

What is CIA triad

Answer 15

• Confidentiality (C): Prevention of unauthorized disclosure of information.
• Integrity (I): Guarantee that information sent is the same as received and not modified.
• Availability (A): Ensuring timely and uninterrupted access to information.
• Resilience: Ability to operate under adverse conditions and restore to an effective state.

Question 16

What is Information Governance (IG)

Answer 16

Information Governance is a framework that brings together legal, ethical, and quality standards for handling sensitive and personal information in clinical settings. It ensures the confidential and secure handling of information.

Question 17

What are some examples for cyberthreats

Answer 17

1. Phishing:
   Definition: Fraudulent attempt to obtain sensitive information through deceptive emails or messages.
2. Vishing:
   Definition: Voice-based phishing scam to extract personal information.
3. SIM Hijacking/SIM Swapping:
   Definition: Gaining control of a phone number by assuming the victim’s identity and persuading the service provider to transfer the number.
4. Malware:
   Definition: Software designed to harm or exploit systems, including viruses, spyware, and ransomware.
5. Hacking:
   Definition: Deliberate unauthorized access to computer systems.

Question 18

What are some security techniques

Answer 18

1. Authentication:
   Definition: Process of identifying and authorizing users to ensure authorized access.
   Example: Passwords and two-factor authentication for emails.
2. Data Encryption:
   Definition: Scrambling data to make it unreadable without access to a specific key.
3. Data Masking:
   Definition: Technique of hiding information to protect it, such as masking data in receipts or databases.
4. Data Erasure:
   Definition: Secure removal of data to prevent unauthorized access.

Question 19

What is the General Data Protection Regulation (GDPR)?

Answer 19

The General Data Protection Regulation is a regulation in the European Union that aims to strengthen and unify data protection laws. It sets out rules regarding the processing and free movement of personal data.

Question 20

What are the 8 Caldicott Principles?

Answer 20

1. Justify the purpose: Every proposed use or transfer of patient -identifiable information within or from another organisation should be clearly defined (and reviewed if continuing).
2. Do not use patient-identifiable information unless it is absolutely necessary: Patient identifiable information items should only be used if there is no other alternative.
3. Use the minimum necessary patient-identifiable information: Where use of patient- identifiable information is considered to be essential, each individual item of information should be justified, with the aim of reducing identification.
4. Access to patient-identifiable information should be restricted on a strict need-to-know basis: Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items they need to
   see.
5. Everyone should be aware of their responsibilities: Action should be taken to ensure that all staff are aware of their responsibilities and obligation to respect patient confidentiality.
6. Understand and comply with the law: Every use of patient-identifiable information must be lawful.