Handling Security Incidents affecting Patient Confidentiality

Introduction
There are several ways in which patient confidentiality may be breached such as
theft, break-ins and poor disposal of confidential waste. All breaches should be
investigated and reported accordingly. This guidance suggests mechanisms for
handling security incidents where patient confidentiality has been or may have been
breached.
The majority of IM&T security breaches are innocent and unintentional, such as a
user not ‘logging out’ at the end of the day. However, ‘near misses’, where no actual
harm results from the incident, should still be reported and analysed to look for
possible ways of preventing an actual incident occurring in the future.
Definitions
An IM&T security incident is defined as any event that has resulted or could result in:
• the disclosure of confidential information to any unauthorised individual
• the integrity of the system or data being put at risk
• the availability of the system or information being put at risk
An adverse impact can be defined, for example, as:
• threat to personal safety or privacy
• legal obligation or penalty
• financial loss
• disruption of HA business
• an embarrassment to the HA
Types of Security Incidents
The types of security incidents likely to affect patient confidentiality are variable.
Data security incidents may take many forms, including the following:
• Theft of equipment holding confidential information – PCs, dicta-phones, casenotes, etc.
• Unauthorised access to a building or areas containing unsecured confidential information.
• Access to patient records by an authorised user who has no work requirement to access the records.
• Authorised access which is misused (staff).
• Electronic access (hacking) and viruses.
• Misuse of equipment such as faxes, text messages on mobiles and e-mails.
• Inadequate disposal of confidential material (paper, PC hard drive, disks/tapes, etc.).
• Car theft / break-ins to on-call staff carrying patient records.
• Unauthorised access to records away from premises (e.g. laptops and notes when travelling between clinics, to home visits, etc.).
• Complaint by a patient, or a member of the public, that confidentiality has been breached.
• Careless talk.
Data Security Incident Monitoring
A data security incident may come to light because a patient has complained about a
breach of confidentiality or because of one of the above incidents.
In the first case the cause of the breach will need to be investigated by interviewing
the patient, interviewing staff and checking incident logs and computer audit trails.
There may also be the opportunity to investigate CCTV videos.
In the second case the risk to patients’ confidentiality should be assessed and any
damage limitation applied. In some cases it will be appropriate to warn patients of a
possible breach of their confidentiality.
Incidents should always be investigated immediately, whilst there is still the possibility
of collecting as much evidence as possible.
Because of the variety of different types of security incident it is important to have
clear procedures in place to cover the main types of incident. Any investigation may
involve a number of key individuals. The investigation should be co-ordinated by a
named person who will decide how to take matters forward / resolve them. All staff
should be aware of the need to report any suspicious incidents to the named
individual.
Staff must understand the reporting procedures and the type of incidents to report.
Near misses are indicators of potential problems and should also be reported. In
order to respond fully to an incident, audit logs need to be kept (records of
transactions carried out on computer, date and time and who by).
Contacts may need to be:
• Security Officers, for arrangements made for the physical security of the building.
• IM&T Manager.
• IM&T support companies (to help with audit).
• Other outside contractors who may be involved.
• The Police.
• Any members of staff who may be involved.
A log should be kept of all incidents reported whether they lead to a complaint or not.
All incidents should be considered as to whether they indicate a need for
improvement in arrangements. The log may be incorporated into other incident logs
as appropriate. A regular report on the number, type and location of data security
incidents should be made allowing any trends to be picked up and addressed.
An example would be:
Break-in to the premises to steal a computer
* risk of occurrence = high
* possible consequences to patients = serious (blackmail, unacceptable risk to privacy, loss of confidence in health care)
As such the following actions would be appropriate:
• Approved door locks.
• Internal door locks.
• Anything portable to be locked away in a fireproof cupboard.
• Toughened glass and window locks.
• Intruder alarm.
• Deterrents such as ‘security marking’ the equipment.
• Check the Asset Register of equipment, in order to quickly assess loss.
• Password protection to system / sensitive documents.
Reporting Arrangements
All incidents or information indicating a suspected or actual data security breach
should initially be reported to the immediate line manager and then a completed
incident form sent to the Acute Trust Risk Manager, who must keep a record of all
incidents that are reported. The record need not be more than a statement of the
persons involved in the incident, a description of the incident and what action has
been taken. The Patient Confidentiality Security Incident Form, which can be found
in Appendix 2 (Ref: Patient Confidentiality Security Incident Form), is intended to be
used for this.
Where the suspected security breach involves the staff member’s line manager, the
member should inform their line manager’s superior and / or a Director.
If a staff member believes a security breach is the result of an action or negligence
on behalf of a Director, the incident should be reported directly to the Chief
Executive.
Where there has been an incident involving an Acute Trust IT system, the Head of
Technical Services and the Cheshire Health Agency Technical Development
Manager must be informed to determine whether an actual security breach has taken
place. The majority of IT security breaches are innocent and unintentional (e.g. a user
not “logging out” when leaving for the day) and would not normally result in
disciplinary action being taken.
If an actual data security breach has occurred, the incident should also be reported
immediately to the Acute Trust’s Caldicott Guardian.
It may also be necessary to report the incident to others depending on the type and
likely consequences of the incident, e.g. inform the Police.
Monitoring Arrangements involving an Acute Trust IT system
Where there has been an incident involving an Acute Trust IT system, the following
procedure should be observed:
The Cheshire Health Agency Technical Development Manager will maintain a record
of all reported IT system incidents, to be reviewed monthly with the Acute Trust Head
of Technical Services (the record need not be more than a statement of those
involved, a description of the incident and the action taken).
Where it is likely that an actual security breach has taken place the Head of
Technical Services must report the incident immediately to the Acute Trust Director
responsible for IM&T, the Head of Informatics and the Finance Director of the
Cheshire Health Agency.
If it is determined that a breach has actually taken place the following action will be
agreed with the Acute Trust Director, Head of Informatics and Finance Director of the
Cheshire Health Agency:
• a report will be made by the Head of Technical Services and the Cheshire Health Agency Technical Development Manager to include the background, nature, risks and recommended remedial action.
• no action will be taken, unless the incident constitutes a continuing and serious risk to the business or patient-identifiable data, until a consensus is obtained from the aforementioned Senior Officers.
• an incident report will be made to the appropriate Telecommunications Branch.
• a full report will be made to the Acute Trust Director, the Head of Informatics and the Finance Director of the Cheshire Health Agency.
The Head of Technical Services should categorise the incident within one of the
incident classifications below (high, intermediate or low). The Director of Finance
of the Cheshire Health Agency should be informed of any financial implications
for the Acute Trust, and the Human Resources Manager should be informed to
determine whether any disciplinary action is necessary. If the classification is
significantly high, the Acute Trust Chief Executive should be informed
immediately by the Director of Finance.
Monitoring Arrangements involving a data security breach
Where an actual data security breach has occurred, the following procedure should
be observed:
The Acute Trust Risk Manager will maintain a record of all reported data security
incidents, to be reviewed monthly with the Acute Trust Information Governance
Manager (the record need not be more than a statement of those involved, a
description of the incident and the action taken).
Where it is likely that an actual security breach has taken place the Acute Trust Risk
Manager must report the incident immediately to the Information Governance
Manager, who will report it to the Acute Trust Caldicott Guardian and the Head of
Informatics.
If it is determined that a breach has actually taken place the following action will be
agreed with the Acute Trust Director and Head of Informatics:
• a report will be made by the Acute Trust Risk Manager and Information Governance Manager to include the background, nature, risks and recommended remedial action.
• no action will be taken, unless the incident constitutes a continuing and serious risk to the business or patient-identifiable data, until a consensus is obtained from the aforementioned Senior Officers.
• a full report will be made to the Acute Trust Director and the Head of Informatics.
The Acute Trust Risk Manager should categorise the incident within one of the
incident classifications below (high, intermediate or low). The Director of Finance
of the Cheshire Health Agency should be informed of any financial implications
for the Acute Trust, and the Human Resources Manager should be informed to
determine whether any disciplinary action is necessary. If the classification is
significantly high, the Acute Trust Chief Executive should be informed
immediately by the Director of Finance.
Incident Classifications
Incidents should be classified according to severity of risk, as follows:
1 = High risk of harm to patients whose confidentiality has been breached.
2 = Intermediate risk of harm to patients whose confidentiality has been breached.
3 = Low risk of harm to patients whose confidentiality has been breached.
The senior managers in the Acute Trust should regularly review the number and type of
security incidents which have occurred and decide on any appropriate preventative
action to be taken.
Procedure for Dealing with various types of Incident
1) Theft of equipment holding confidential information – PCs, dicta-phones,
case-notes etc., and unauthorised access to an area with unsecured
confidential information:
• Check the asset register to find out which equipment is missing.
• Investigate whether there has been a legitimate reason for removal of the equipment (such as repair or working away from the usual base).
• If the cause is external, inform the Police and ask them to investigate.
• Interview staff to establish what data was being held and how sensitive it is.
• Establish the reason for the theft / unauthorised access, such as:
- Items to sell.
- Access to material to embarrass the practice.
- Access to material to threaten patients (blackmail, stigmatisation).
• Consider the sensitivity of the data and the risk that it will be misused, in order to assess whether further action is appropriate (e.g. warning patients, informing the Police).
• Consider whether there is a future threat to system security or NHSnet access, and report to the IM&T lead at the Acute Trust.
• Inform the organisation of replacement requirements.
• Inform system suppliers if appropriate.
• Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.
2) Access to patient records by an authorised user who has no work
requirement to access the record:
• Interview the person reporting the incident to establish the cause for concern.
• Establish the facts by:
- Asking the system supplier to conduct an audit on activities by the user concerned.
- Interviewing the user concerned.
• Establish the reason for the unauthorised access.
• Consider the sensitivity of the data and the risk to which the patient(s) have been exposed, and consider whether the patient(s) should be informed.
• Take appropriate disciplinary action.
• Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.
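The guidance requires audit logs that record which transactions were carried out on the computer, when, and by whom, and procedure 2 relies on an audit of the activities of the user concerned. The following is an added illustration, not part of the guidance or of any Acute Trust system, of what such an audit review can look like in practice: a constructed audit trail is filtered to one user, and every access to a record outside that user's assigned wards is flagged as having no apparent work requirement. The log format, the ward assignments, the "assigned ward" rule and the office-hours window are all assumptions made for this example; a real system's audit trail and staffing data will differ.

```python
"""Audit-trail review for a suspected 'no work requirement' access.

Added example, not part of the original guidance. The log format, staffing
data and the rule used to decide what counts as a work requirement are all
assumptions constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail: "timestamp|user|action|patient_id|ward".
# This is the minimum the guidance asks for: the transaction, date/time and who by.
AUDIT_LOG = """\
2004-03-01T09:02:11|jsmith|VIEW|P1001|WARD-A
2004-03-01T09:05:40|jsmith|VIEW|P1002|WARD-A
2004-03-01T12:41:02|jsmith|VIEW|P2010|WARD-C
2004-03-01T12:41:55|jsmith|PRINT|P2010|WARD-C
2004-03-02T08:15:09|jsmith|VIEW|P1003|WARD-A
2004-03-02T22:30:17|jsmith|VIEW|P2011|WARD-C
2004-03-02T10:00:00|akhan|VIEW|P2010|WARD-C
"""

# Assumed staffing data: the wards each user is assigned to. Access within
# these wards is taken to have a work requirement; anything else is queried.
USER_WARDS = {"jsmith": {"WARD-A"}, "akhan": {"WARD-C"}}

# Assumed working hours (08:00-18:00); accesses outside them are counted separately
# because they often need explaining at interview.
WORK_HOURS = range(8, 18)


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    action: str
    patient_id: str
    ward: str


def parse_audit_log(text):
    """Parse the constructed pipe-separated audit trail into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient_id, ward = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action, patient_id, ward))
    return events


def user_activity(events, user):
    """Everything one user did, in time order: the 'audit on activities by the user concerned'."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.when)


def flag_out_of_scope(events, user, user_wards):
    """Accesses to records outside the user's assigned wards, i.e. with no apparent work requirement."""
    allowed = user_wards.get(user, set())
    return [e for e in user_activity(events, user) if e.ward not in allowed]


def summarise(flagged):
    """Facts for the incident report: which patients are affected, what was done, and when."""
    return {
        "patients": sorted({e.patient_id for e in flagged}),
        "actions": dict(Counter(e.action for e in flagged)),
        "out_of_hours": sum(1 for e in flagged if e.when.hour not in WORK_HOURS),
    }


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    flagged = flag_out_of_scope(events, "jsmith", USER_WARDS)
    for e in flagged:
        print(f"{e.when:%Y-%m-%d %H:%M} {e.user} {e.action} {e.patient_id} ({e.ward})")
    print(summarise(flagged))
```

The output of `summarise` gives the investigator the facts the procedure asks for before the interview: which patients' records were touched, whether the records were only viewed or also printed, and whether any access was out of hours. A PRINT of a record outside the user's wards, for instance, raises the question of whether the data has left the premises, which bears on the decision to inform the patient(s).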
3) Inadequate disposal of confidential material (paper, PC hard drive,
disks/tapes):
This type of incident is likely to be reported by a member of the public, a patient
affected, or a member of staff.
• Investigate how the electronic or paper data left the practice by interviewing staff and contractors as appropriate.
• Consider the sensitivity of the data and the risk to which the patient(s) have been exposed, and consider whether the patient(s) should be informed.
• Take appropriate action to prevent further occurrences (e.g. disciplinary, advice/training, contractual).
• Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.
4) Procedure for dealing with complaints about patient confidentiality by a
member of the public, patient or member of staff:
• Interview the complainant to establish the reason for the complaint and why the practice is being considered responsible.
• Investigate according to the information given by the complainant and take appropriate action.
• Categorise and report the incident as described under ‘Reporting and Monitoring Arrangements’ above.
Staff Training Needs Analysis for Data Security and Confidentiality
All employees need to have annual refresher training on all aspects of Data Security and
Confidentiality. This document is designed to act as a guide when training is being planned.
Employee Name __________________________________________________
Job Title __________________________________________________
Have you received appropriate training on the following topics within the last year?
(Yes / No / Unsure)
• Physical Security of Manual Records
• Physical Security of Computer Records
• Computer Passwords
• Access to Patient Data
• Confidentiality and the Use of Patient Identifiable Information
• Media Handling (Storage/Transfer/Disposal)
• Telephone Enquiries
• Safe Haven Procedures
• Legal Requirements
• Caldicott Guidelines
• Sharing Information with Other Organisations
• Security of the Building
Are there any other areas of data security and confidentiality that you feel you need further
training on?
……………………………………………………………………………………………………………
……………………………………………………………………………………………………………
……………………………………………………………………………………………………………
Signature of Employee _____________________________ Date __________
Name of Manager ______________________________________________________
Action / Training plan:
……………………………………………………………………………………………………………
……………………………………………………………………………………………………………
……………………………………………………………………………………………………………
Signature of Manager _____________________________ Date _________