Necessity being the mother of invention, the onset of coronavirus has accelerated the digital transformation of the NHS. Software vendors are bombarding providers with offers of pro-bono services. But in the rush to embrace new ways of working, buyers should be aware of the hidden risks.
Given that public trust in digital services can be hard to win and easily lost, vendors must be able to demonstrate they are serious about security and information governance. Here are some key considerations to bear in mind when reviewing digital health proposals:
- Data Security and Protection Toolkit: This is an online self-assessment tool for measuring performance against national data security standards. It is a mandatory requirement for any organisation that has access to NHS data and must be in place.
- Data Hosting: If personal data is held within the European Economic Area, ask the organisation if there are appropriate data transfer agreements in place with Standard Contractual Clauses. As the UK proceeds with no-deal Brexit planning, this must be considered in any agreement.
- Privacy Policy: What is the hosted data going to be used for? Ask the organisation if it is going to be using anonymous data for research or selling to third parties for commercial gain. Inhealthcare is a data processor and performs no other activities with data.
- Security accreditations: What annual audits and security accreditations does a vendor comply with? Does it comply with ISO standards such as 27001 and conduct annual penetration testing?
- Medical device: What is the purpose of the solution and is it registered as a medical device? The new medical device directive may have been delayed by a year but it will come around quickly and contracts now for services will be in place next year when this becomes law.
As a reminder, Inhealthcare is ISO 27001 and 9001 certified; carries the Cyber Essentials verification; is DCB0129 Clinical Risk Management compliant; is registered with the UK Information Commissioner’s Office and has CE marks for its patient and public-facing apps. Here you can view our full list of security standards.
Finally, we are here to help: if you have any questions about security and information governance or would like a second opinion, please get in touch.