Professionals working in the healthcare sector have been urged to protect data to the point of destruction and avoid any more damaging and embarrassing leaks.
The protection of medical data has grown in importance in recent years.
In August, it emerged that Gardaí and the Data Protection Commissioner began an investigation into how private information on Tallaght Hospital patients was compromised. Tallaght Hospital had been using Uscribe, based in the Phillipines, to transcribe medical records. An evaluation of the service revealed some dictated letters did not come back transcribed.
And in 2008, there was the theft of a disk and laptop belonging to the Irish Blood Transfusion Service (IBTS) in New York, which contained the details of 170,000 donors. According to the IBTS, the data was encrypted
A forum organised by information management specialists KEFRON emphasised that data protection cannot slip off the agenda.
With remote access to data becoming increasingly necessary and the majority of organisations introducing digital storage systems, such as hard drives and USB sticks, to replace traditional paper systems, organisations cannot afford to be complacent.
Data protection in the healthcare sector
All medical organisations are required by national and European law to keep information secure to the point of destruction before disposing of it.
In Ireland, the principle legislation governing the area of information management is the Data Protection Act 1988.The Act provides the legal foundation to the key principles of data protection and provides guidance on the level of security that must be in place to guard the use and storage of information.
“It is vital that an organisation is aware of who has access to its electronic devices, that information is encoded or password protected and is disposed of correctly,” KEFRON’s Paul Kearns explained.
“Confidential paper-based data should be treated in the same manner as electronic information.
“Any medical organisation or healthcare professional must draw up a clearly defined data-protection policy. Key consideration should be given to the acquisition, storage and destruction of documents in paper and electronic systems in order to manage all potential risks. Furthermore, anyone responsible for the storage of data has a duty of care to implement a complete document management policy and to communicate it to everyone with access to the confidential data.”
“Once in place, it is important that management constantly check that it is up to date, reflecting technological advances in the work environment,” concluded Kearns.