NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK

October 31, 2017 by Susan Morrow

Other articles in this series:

Pt. 1: Data security standards and opt-out models in health and social care

Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit


In our previous article, we looked at the recommendations that came out of the National Data Guardian’s (NDG) paper ‘Review of Data Security, Consent and Opt-Outs’ on the use of data in health and social care. As a consequence of this paper, the UK Department of Health conducted a public consultation on its findings. This consultation resulted in the paper “Your Data: Better Security, Better Choice, Better Care”.

The original NDG paper was a response to a number of drivers around privacy and health data. One driver is the increasingly hostile cybersecurity landscape; the recent WannaCry ransomware attack, which affected the NHS nationally, is a case in point. Another major driver is the general public’s expectation of accessible health data in a modern healthcare system.

The situation in the UK in terms of health data access and sharing is changing. NHS England has been open to the sharing of data across organizational boundaries within the bounds of the UK’s Data Protection Act 1998. However, sharing of individual patient data in a patient-centric manner has been slow in coming. Typically, gaining access to your own patient record has been a protracted process requiring a formal application. Patients now expect a more online, data-accessible experience, and the increasing use of connected devices is generating patient-generated data that could be shared with health practitioners; the Future Health Index found that 57% of patients wish to share health data with their primary physician.

‘Your Data: Better Security, Better Choice, Better Care,’ assesses the current difficulties in patients accessing and sharing health data, with reference to the NDG paper. Using case studies to illustrate the recommendations and outlook, the paper provides insight into the issues with the current system and how resolving them can improve patient care. To move the recommendations forward, the paper also examines in detail the issues and hurdles to implementing the recommendations in the NDG paper.

Overview of Paper and Recommendations

‘Your Data: Better Security, Better Choice, Better Care,’ was the result of a public consultation on the recommendations of the ‘Review of Data Security, Consent and Opt-Outs’ and of another paper, ‘Safe Data, Safe Care’ by the Care Quality Commission, the latter looking at data security standards in NHS IT systems. The ultimate outcome of the consultation was to agree with the recommendations and to set out their implementation.

One of the central elements of the NDG paper was the provision of an ‘opt-out’ option for patients. This gives individuals the right to prevent their personal data being used for anything other than their direct care. The paper recommends that local organizations implement, as a minimum, the ten data security standards recommended in the NDG review, with support from the Care Computer Emergency Response Team (CareCERT), to provide good healthcare and robust data security.

Main drivers that came out of the consultation

“We consider that effective data security is essential if the public is to trust us to use data for public health analysis...”

‘Your Data: Better Security, Better Choice, Better Care,’ brought out a number of considerations when dealing with patient health data:

  • Security and privacy of patient data. Cyber security is becoming part of an individual’s everyday experience. High-profile ransomware attacks such as WannaCry, which affected the NHS directly, have made patients aware of data security and of the privacy issues around data sharing. Patients want to make an informed choice about how their health data is used.
  • Approach to security and the opt-out model. How can the NHS build and retain trust as the custodian of health data? Are healthcare IT systems secured, and are patients well informed about the basis upon which their data is shared?
  • People and processes. Security is about people and processes as much as it is about technology.

The consultation paper recognized that, to ensure patient privacy and to encourage informed decisions by patients, organizations handling patient data must abide by the Caldicott Principles. The principles set out the appropriate use and security of shared patient data.

To achieve the tenets of the recommendations, the paper recognized several key areas:

  1. Culture of security. To achieve the NDG recommendations, a culture of security throughout the health service needs to be fostered. As part of this, a cash injection into data security will be made: £21 million will go immediately to major trauma sites to boost resilience to cyber threats.
  2. Managing resources. A redesign of the current Information Governance Toolkit is recommended. The report sets out that a balance is needed between the financial expectations across variable healthcare services and implementing cybersecurity measures. This is especially true for smaller services.
  3. Training. Improved training on cybersecurity. CareCERT services will be available to support organizations within the NHS. It was recommended that more training documentation and information be prepared and made available. Importantly, communication between NHS Digital and NHS England needs to improve. Cross-organization staff training packages around cybersecurity need to be updated. The emphasis is on understanding that data protection is part of good patient care.
  4. Technology. The paper recognizes that updating older software systems comes with some issues. The initial focus will be on replacing unsupported operating systems and browsers. This is likely a direct response to the WannaCry attack and other ransomware infections which take advantage of software vulnerabilities: WannaCry spread through an SMB vulnerability for which Microsoft had already released a patch for supported Windows versions, while unsupported systems such as Windows XP had no fix available until an emergency out-of-band update was issued after the outbreak. An unsupported operating system cannot be kept patched, so replacing it removes a whole class of exposure rather than a single vulnerability.

The NHS CareCERT service plays a central role in providing cybersecurity support packages across the NHS.

Recommendations and Reply

The consultation paper recognizes that the NHS needs to bring its data usage models up to modern expectations. In doing so, it can improve healthcare and patient outcomes. As part of this, patients need to have confidence that the NHS is using data appropriately. The current framework for data protection, which includes the DPA and the Caldicott Principles, will be enhanced by the NDG’s recommendation of a simplified, national opt-out standard.

Currently, patient opt-out is confusing. The consultation showed that individuals want their choice about sharing data to be “clear, easily available and accessible“. The consultation paper will create a framework for all stakeholders that clarifies data sharing and incorporates safe care for both adults and children.

The paper continues to expand on choice, stating that transparency on data sharing will be integral. A central register of who has accessed a person’s summary care record will be made available online.

Situations where opt-out is not applicable will also be made clear. The use of anonymized data is recommended wherever possible and should be in line with the Information Commissioner's Office (ICO) recommendations.

Across all replies, transparency and clarity were key words used.

Implementation and options

“Learning from previous events, early involvement by CareCERT is clearly central to the successful management of a data security incident.”

The UK government has created a strong mandate for following all recommendations of the NDG’s paper, i.e., creating a trusted system for sharing patient data within a simplified national opt-out framework.

This will entail a much more stringent acceptance of cybersecurity requirements and a culture of security that permeates the NHS. It will extend to board members, who will be required to ‘own’ data security.

Out of this, a new and improved Information Governance Toolkit will be created to help implement the recommendations. The toolkit will form the basis for organizations to evidence their commitment to improved cybersecurity measures.

As far as individual patients are concerned, a more robust approach to cybersecurity can only be a good thing. Ultimately, better patient outcomes and improved care packages can be made available with reduced concern about cyber threats. Engaging the patient in data sharing choices will, in turn, improve trust in the NHS as a service, at a time when the NHS has suffered from negative press. The ability to open up a more digital service, underpinned by better cybersecurity protection, will offer better digital services to patients, including online care management. Initiatives like Innovate UK are pumping £86 million into digital health initiatives, including healthcare technology to improve patient data sharing and access.

The NDG’s recommendations on patient privacy, cybersecurity, and a simplified opt-out for patient data are welcomed by the UK government. This acceptance of the recommendations is expected. Ransomware and other malware attacks against healthcare institutions have been prevalent over the last two years and are likely to continue, while at the same time access to and use of patient data has become increasingly important in providing better healthcare. As patients become better educated about the threats to their personal and health data, and as expectations around access to these data change, it is vital to have a national framework for data security and privacy that puts the patient at the center of the system. Patient choice, coupled with transparency of operation, is a pivot for the implementation of the NDG’s recommendations, but it is nothing without the parallel implementation of sound cybersecurity training and technology improvement.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.