Secure the Data: The NHS PACS Programme
14 March 2011
Mary Barber
Confidentiality and security are the cornerstones of any successful IT project relating to patient data. The roll out of the PACS programme across the NHS has drawn praise from around the health service based on its ability to track, manage and audit information, writes Mary Barber of NHS Connecting for Health.
Picture archiving and communication systems (PACS) and radiology information systems (RIS) were not new technologies in the NHS before the national PACS programme, but the programme made a massive difference to the speed with which they were adopted across the NHS in England.
Such were the clinical and financial benefits of PACS and RIS that it was decided they should be rolled out as quickly as possible. In the three-year period ending December 2007, 127 trusts received commercial, off-the-shelf PACS (known as COTS) and, where appropriate, RIS products as a result of the national programme. In addition, the trusts connected to four central data stores and used them as an archive for their images.
This was a massive collaborative effort involving NHS Connecting for Health (NHS CFH), strategic health authorities, trusts, local service providers (LSPs) and their suppliers, professional bodies and clinicians. The speed and success of the roll out has earned the NHS plaudits and rarely have so many staff been so positive about specific pieces of technology.
Of primary importance for the PACS programme and its stakeholders, both during and after the roll out, have been the security and information governance issues associated with the patient data within the system. The programme has constantly strived to manage these issues effectively while allowing clinicians operational flexibility. It has also sought to ensure that the NHS balances value for money and affordability against existing levels of risk.
Security is synonymous with confidentiality, integrity and availability. Within healthcare, of course, the focus has been on ensuring that the confidentiality of data held about patients is not breached - that data is accessible only to those people who should be able to see it. The NHS care record guarantee provides a range of commitments to patients about how their sensitive data will be managed safely and securely.
The integrity and availability of the systems and the data stored within them are also vital: the data upon which clinicians make decisions has to be accurate and must not be altered, either maliciously or unintentionally, and systems and the data within them must be available to the users who need them.
There is a 'mixed economy' across England in regards to PACS security. The types of security controls originally envisaged by the PACS programme, such as smartcards and the national role-based access control model, have been deployed in those parts of the north, Midlands and east served by Accenture and its PACS supplier Agfa, with 26 trusts benefiting from these features. Accenture was the first LSP to deploy this technology.
In the rest of the LSP estate, however, other secure technologies are in use to control access to the data within PACS and RIS. Here, single-factor authentication is provided using usernames and passwords, and there are role-based access controls inherent within the commercially available software. These features are designed to control what data users are able to access and what they are able to do with it.
Balancing the costs and operational challenges of implementing the security controls originally envisaged across the entire LSP PACS/RIS estate against existing risks, the programme took the pragmatic decision to focus funding and resources on some of the additional clinical requirements that have emerged since awarding the LSP contracts. For example, it has been possible to provide funding for the digitisation of the breast screening programme across the north-west and West Midlands as a result of this approach.
In conjunction with its stakeholders, NHS CFH continues to explore the extension of smartcards and the national role-based access control model to other trusts because this provides a higher level of security than is currently available. The reprocurement of PACS and RIS, as the LSP contracts come to an end in mid-2013 (and in 2015 in London), will provide further opportunities for NHS trusts to consider how to address these issues.
In the future, when greater access to data is enabled by enterprise-wide data-sharing solutions, tighter access controls are likely to be even more necessary and cost-justified. It is also the case that smartcards and tighter access controls are becoming the industry standard in healthcare IT. Richer security features are being developed and adopted by radiology systems suppliers as part of their product development roadmaps. This provides a more cost-effective mechanism for adoption of these controls within the NHS, as existing products are upgraded.
With the need for NHS trusts to share images among themselves and with the independent sector, it's important for these organisations to understand the controls that need to be in place during this process in order to protect patient data.
These controls are set out in NHS CFH's image sharing policy, which requires that organisations implement the informed implied patient consent model. Here, the patient is informed - through leaflets, posters and, in some cases, letters in their referral pack - that if their data is stored, it may be shared.

There are two broad types of data-sharing solution in use within the NHS. Data push mechanisms allow data to be sent between organisations as part of a care pathway. Examples include the image exchange portal, which has been widely adopted across England, the PACS Exchange solution in London and Accenture's PACS Connect. Local policies and procedures, which NHS CFH recommends be documented and approved by the Caldicott Guardians in the form of data sharing protocols, are used to ensure that legitimate relationships can be inferred, and that data is only transferred to support referrals where patient consent can be implied from the patient's consent to the referral.
With data query mechanisms, an organisation grants a user in another organisation access to its local data store, typically via secure web access. The user is then able to view all data on the hosting organisation's PACS. In this case the protocols must ensure that the organisation granting access to the user in another organisation subjects them to the same controls as its own employees. This is done by ensuring that the users concerned are appropriately sponsored.
Without such controls in place, data held on a PACS should only be available to appropriate users within the organisation within which it was created.
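The two rules described above, that access to PACS data is governed by role-based access control and that a user from another organisation is only admitted to a data-query solution once the hosting organisation has sponsored them (after which the same controls apply as for its own employees), can be modelled in a few lines. The following is an added example, not code from NHS CFH, any LSP or any PACS supplier; the role names, permission sets, organisations, users and record are constructed assumptions, not the national RBAC model.

```python
"""Added example, not NHS CFH's or any PACS supplier's code: a minimal model of
role-based access to PACS data, including the requirement that a user from
another organisation is granted data-query access only once the hosting
organisation has sponsored them, after which the same role checks apply as for
its own staff. Role names, permissions, users and records are constructed
assumptions for the illustration, not the national RBAC model.
"""
from dataclasses import dataclass

# Assumed role-to-permission mapping (illustrative only).
ROLE_PERMISSIONS = {
    "radiologist": {"view_image", "view_report", "write_report"},
    "radiographer": {"view_image", "acquire_image"},
    "ed_clinician": {"view_image", "view_report"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    home_org: str                          # the organisation that employs the user
    roles: frozenset
    sponsored_by: frozenset = frozenset()  # hosting orgs that have sponsored this user


@dataclass(frozen=True)
class Record:
    patient_id: str
    owning_org: str                        # organisation within which the data was created


def check_access(user, record, action):
    """Return (allowed, reason) for one action on one record.

    Order matters: sponsorship is checked first, so an unsponsored external user
    is refused before any role is consulted; a sponsored one then faces exactly
    the role checks an employee of the hosting organisation would.
    """
    if record.owning_org != user.home_org and record.owning_org not in user.sponsored_by:
        return False, f"{user.user_id} is not sponsored by {record.owning_org}"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if action not in granted:
        return False, f"roles {sorted(user.roles)} do not permit {action}"
    return True, "permitted"


# Constructed users and a constructed record owned by trust_a.
ALICE = User("alice", "trust_a", frozenset({"radiologist"}))
BOB = User("bob", "trust_a", frozenset({"ed_clinician"}))
CARA = User("cara", "trust_b", frozenset({"radiologist"}))                          # not sponsored
DAN = User("dan", "trust_b", frozenset({"radiographer"}), frozenset({"trust_a"}))   # sponsored by trust_a
IMAGE = Record("P1001", "trust_a")


def demo():
    """Run the cases the two rules distinguish; returns case -> allowed."""
    return {
        "internal radiologist writes report": check_access(ALICE, IMAGE, "write_report")[0],
        "internal ED clinician writes report": check_access(BOB, IMAGE, "write_report")[0],
        "unsponsored external radiologist views image": check_access(CARA, IMAGE, "view_image")[0],
        "sponsored external radiographer views image": check_access(DAN, IMAGE, "view_image")[0],
        "sponsored external radiographer writes report": check_access(DAN, IMAGE, "write_report")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {case}")
```

Note the ordering inside `check_access`: an external user's roles are never consulted until sponsorship has been confirmed, so a consultant radiologist from another trust is refused exactly as an anonymous user would be, while a sponsored radiographer is held to the same role limits as the host's own radiographers.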
Audit is also an important issue. There is always the potential for debate over who has accessed a patient's record or which record a user has accessed.
The former may result from a patient with privacy concerns raising a subject access request, as they are entitled to do under the Data Protection Act.
The latter may result from an internal investigation into suspected malpractice or a security breach - or, just as likely and importantly, the need to correct a mistake on the record.
Each of the COTS products audits access to patient data. Appropriate audit records must be collected, stored and made available in a suitable format so that authorised users can access and analyse them to identify and investigate unusual patterns of activity.
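The three uses of the audit trail described above (answering a subject access request, reconstructing which records a user opened during an investigation, and spotting unusual patterns of activity) map directly onto queries over the access log. The script below is an added example, not code from the article or any PACS product; the CSV log format, the constructed audit lines and the two detection thresholds are assumptions chosen for the illustration.

```python
"""Added example, not code from the article or any PACS supplier: queries over a
constructed PACS access audit log that answer the three questions the article
raises. Log format, sample lines and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit records: timestamp, user, patient id, action, outcome.
AUDIT_LOG = """\
2011-03-01T08:02:11Z,u.ahmed,P1001,view_image,success
2011-03-01T08:05:40Z,u.ahmed,P1002,view_image,success
2011-03-01T08:09:03Z,u.ahmed,P1002,write_report,success
2011-03-01T09:15:22Z,u.brown,P1001,view_report,success
2011-03-01T22:41:05Z,u.cole,P1001,view_image,success
2011-03-01T22:42:17Z,u.cole,P1003,view_image,success
2011-03-01T22:43:30Z,u.cole,P1004,view_image,success
2011-03-01T22:44:48Z,u.cole,P1005,view_image,success
2011-03-01T22:46:02Z,u.cole,P1006,view_image,success
2011-03-01T22:47:19Z,u.cole,P1007,view_image,success
2011-03-02T10:00:00Z,u.dunn,P1008,view_image,denied
2011-03-02T10:00:30Z,u.dunn,P1008,view_image,denied
2011-03-02T10:01:00Z,u.dunn,P1008,view_image,denied
2011-03-02T11:30:00Z,u.ahmed,P1008,view_image,success
"""


def parse_log(text):
    """Parse the constructed CSV lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, outcome = line.strip().split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "patient": patient,
            "action": action, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


EVENTS = parse_log(AUDIT_LOG)


def accesses_to_patient(events, patient_id):
    """Subject access request: every attempt on one patient's record, denied ones included."""
    return [e for e in events if e["patient"] == patient_id]


def records_accessed_by(events, user_id):
    """Investigation: the records a user actually opened (successful accesses only)."""
    return sorted({e["patient"] for e in events
                   if e["user"] == user_id and e["outcome"] == "success"})


def unusual_activity(events, max_patients_per_day=5, max_failures=3):
    """Flag users under two assumed rules: too many distinct patients in one day,
    or repeated denied attempts. Returns user -> list of reasons."""
    per_day = defaultdict(set)    # (user, date) -> distinct patients successfully accessed
    failures = defaultdict(int)   # user -> denied attempts
    for e in events:
        if e["outcome"] == "success":
            per_day[(e["user"], e["ts"].date())].add(e["patient"])
        else:
            failures[e["user"]] += 1
    flagged = defaultdict(list)
    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > max_patients_per_day:
            flagged[user].append(
                f"{len(patients)} distinct patients on {day} (threshold {max_patients_per_day})")
    for user, n in sorted(failures.items()):
        if n >= max_failures:
            flagged[user].append(f"{n} denied attempts (threshold {max_failures})")
    return dict(flagged)


if __name__ == "__main__":
    for e in accesses_to_patient(EVENTS, "P1001"):
        print("P1001 accessed by", e["user"], "at", e["ts"], e["outcome"])
    print("u.ahmed opened:", records_accessed_by(EVENTS, "u.ahmed"))
    for user, reasons in unusual_activity(EVENTS).items():
        print("FLAG", user, "-", "; ".join(reasons))
```

The subject access query deliberately keeps denied attempts, since a patient asking who tried to see their record is entitled to know about refused attempts as well; the investigation query keeps only successes, because it is meant to establish what a user actually saw. The thresholds are illustrative and in practice would be tuned per role, since a radiologist reporting a list legitimately opens far more records per day than an emergency department clinician.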
Network security versus application security
In the digital age, hospitals are operating network and IT infrastructure as clinical systems in their own right. Without reliable access to networks and IT infrastructure, many of the core systems and services required to run a hospital, such as PAS, PACS, email and IP telephony, may become unusable. As a result, NHS organisations operate secure network infrastructure and take great care to protect it from threats such as viruses, which are an inevitable consequence of the need for users to access the internet and email. Network security is not just about protecting the confidentiality of data traversing a network; it is about protecting the availability of that network and the clinical systems that operate over it.
While technical controls can be and are implemented to secure the networks against these threats, there is still the risk that a network could be hacked, allowing unauthorised personnel to access the data on that network. To further protect sensitive data transferring across those networks, it is necessary to secure the traffic itself. The most effective way to do this is to use point-to-point encryption before data crosses the network. This effectively renders the data useless to anyone attempting to intercept it.
PACS and RIS products are made up of many sub-systems, which communicate with one another and other systems in the hospital. For example, X-ray machines located in examination rooms send multiple images to PACS located in secure server rooms, which in turn communicate with end-user computers located in the public areas of a hospital, such as the emergency department.
Ensuring that every element of communications between these systems was capable of encrypting the network traffic they generated was a significant challenge faced by the PACS programme and its suppliers.
Where technically feasible, the applications encrypt the traffic using the industry-standard secure sockets layer (SSL). It is not always cost effective, and therefore not always feasible, to provide encryption in this way. Where this is the case, a pragmatic approach has been taken: the physical and logical security of the network footprint across which the traffic travels is assessed instead.
This is particularly true of the DICOM transfers over the N3 network between trust host PACS systems and the regional archives. In these circumstances, network level encryption is provided using IPSec VPNs. These are established using encryption routers located within physically secure environments, thereby guaranteeing the end-to-end security of the data.
Those implementing and managing radiology systems should work closely with their IT departments to ensure that the network, IT infrastructure and service support arrangements upon which their PACS and RIS will depend are designed and maintained in such a way as to fit the system's requirements.
At a time of great financial pressure for the NHS, the national PACS programme is continuing to ensure that security and information governance have a central role, while offering value for money for the NHS. There are clear benefits to implementing security and information governance at local level, to the healthcare organisation and the patient, and these are weighed against the cost, implementation and a range of operational challenges.
As NHS trusts with LSP PACS and RIS choose how they want to manage their system provision beyond the end of the present contract term they will need to consider how to balance these often conflicting requirements. The lessons learned from the national programme will be a good starting point.