Patient data must be kept confidential and secure

Jason McLaughlin


Nothing is more confidential and personal than patient data, so the need to keep it secure and only accessible to the right staff is paramount.

There are times when medical staff take pictures of patient wounds to see the effect of treatment over time: there is nothing more personal.

Or a caregiver giving medication to an elderly resident must be able to log and update the information correctly so it can be reviewed later.

Role-based definitions

It is vital that the data is held on a secure platform and that the system is set up correctly, with role-based definitions for access. A nurse needs a certain level of access, while the director may need higher admin rights.

Microsoft Active Directory defines system access from the outset so that the right access controls are in place. Healthcare facilities need to be able to file GDPR reports on what happened, when it happened, who did it and the implications. They have the highest Data Protection Act requirements of all industries and are held to the highest standard.

For example, a nurse comes to the patient’s room to give medication using the touch screen outside. If they forget or don’t update it correctly and there is an issue, the records can be reviewed. Or if the patient has a stroke, the medical team can evaluate all critical information to understand what happened.

Hacked or Stolen

The platform should be stable, secure, cloud-based and encrypted with multi-factor authentication and location-based access control. You can’t have a nurse going home, accessing the data on their home PC and it being hacked or stolen.

Under GDPR, healthcare businesses require a Data Protection Officer, which can be either an internal or external role, but the person must have relevant experience to handle the issues.

At Ortus, I am the in-house DPO with 20 years' experience in IT, but we decided to also appoint an external DPO alongside to ensure we are at the highest level.

Steep fine

It is important to understand that if there is a serious data breach without being able to respond adequately to the Data Commissioner’s 22 questions about the measures in place, you face a steep fine.

The technology is available to be ultra-secure. It is like building a house: start from the foundations of user access, then define which apps are accessible by whom and the correct permission levels for different types of data, such as HR, Accounts and patient data. Again, this must be role-based.
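The role-based access, audit trail, multi-factor authentication and location-based control described above can be seen together in a small policy check. The following is an added example written for this article, not Ortus code and not Active Directory itself: the roles (nurse, caregiver, director), the data categories (patient, HR, accounts), the user names and the rule that patient data is on-site only are all constructed for the demonstration. Every decision, allowed or denied, is written to an audit log so that "who did what, when" can be reported afterwards.

```python
"""Role-based access check with an audit trail.

Illustrative example written for this article; it is not Ortus code and does
not talk to Active Directory. Roles, data categories, users and the
'on-site only' rule are all constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role -> data category -> allowed actions. Deny by default: anything not
# listed here is refused. (Constructed roles/categories for the example.)
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "nurse":     {"patient": {"read", "write"}},
    "caregiver": {"patient": {"read", "write"}},
    "director":  {"patient": {"read"},
                  "hr": {"read", "write"},
                  "accounts": {"read", "write"}},
}

# Categories that may only be accessed from the managed facility network
# (assumption standing in for the article's location-based control).
ON_SITE_ONLY: Set[str] = {"patient"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    action: str        # "read" or "write"
    category: str      # "patient", "hr" or "accounts"
    network: str       # "facility" (managed network) or "external"
    mfa_passed: bool


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str     # when it happened (UTC, ISO 8601)
    user: str          # who did it
    role: str
    action: str        # what happened
    category: str
    network: str
    allowed: bool
    reason: str


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every denial carries a reason for the audit trail."""
    perms = ROLE_PERMISSIONS.get(req.role)
    if perms is None:
        return False, f"unknown role {req.role!r}"
    if req.action not in perms.get(req.category, set()):
        return False, f"role {req.role!r} may not {req.action} {req.category} data"
    if req.network != "facility":
        if req.category in ON_SITE_ONLY:
            return False, f"{req.category} data is not accessible off-site"
        if not req.mfa_passed:
            return False, "multi-factor authentication required off-site"
    return True, "permitted"


class AccessController:
    """Makes decisions and records every one of them, allowed or not."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def decide(self, req: AccessRequest) -> bool:
        allowed, reason = evaluate(req)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=req.user, role=req.role, action=req.action,
            category=req.category, network=req.network,
            allowed=allowed, reason=reason,
        ))
        return allowed

    def report(self, user: Optional[str] = None) -> List[str]:
        """'Who did what, when' lines, optionally filtered to one user."""
        return [
            f"{e.timestamp} {e.user} ({e.role}) {e.action} {e.category} "
            f"from {e.network}: {'ALLOWED' if e.allowed else 'DENIED'} - {e.reason}"
            for e in self.audit_log if user is None or e.user == user
        ]


if __name__ == "__main__":
    ctl = AccessController()
    # Constructed requests: a nurse on the ward, the same nurse from home,
    # and a director working remotely with and without MFA.
    ctl.decide(AccessRequest("nurse.a", "nurse", "write", "patient", "facility", False))
    ctl.decide(AccessRequest("nurse.a", "nurse", "read", "patient", "external", True))
    ctl.decide(AccessRequest("dir.b", "director", "write", "hr", "external", False))
    ctl.decide(AccessRequest("dir.b", "director", "write", "hr", "external", True))
    print("\n".join(ctl.report()))
```

The permission table is deny-by-default, so a role that is not listed, or an action not listed for that role and data category, is refused before the location and MFA checks even run. Denials are logged with the same detail as successes; a report that only records what was allowed cannot answer the regulator's question of what was attempted.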

The current Covid-19 crisis has created some different issues. One nursing home moved all its top management to remote working to safeguard its residents. Using our systems, they had no problems at all; they didn't even need to ring us because everything was set up already.

Don’t wait to fix these issues if you haven’t done so already. Work with your Managed IT provider to make sure that you will not be in breach of GDPR regulations – but, more importantly, that you are able to give the best care to your patients.

To read more about Ortus Managed IT and Cloud Solutions for Healthcare Providers, click here.

To contact Ortus, click here.