In the UK, British citizens can access the National Health Service. Established in 1948, the NHS supplies universal healthcare to all, but there is no universal law protecting the right to privacy, although privacy issues can usually be settled in court.
In the United States, privacy laws affect how doctors can operate. If they wish to assess how effective treatments for a particular application are across the country, privacy laws stop them from having automatic access to data from any patient who is not registered with them. This is an issue, as sharing patient data enables doctors to gain a better understanding of which treatments are working best.
A workaround for doctors is to share some of their patient data using a service such as SharePoint. Data can be obtained by any doctor who is provided with a login name and password. Access can therefore be distributed safely. Sadly, as data is stored in the hospital’s Active Directory, it is not possible to show that the data is being controlled, which is required under HIPAA.
Compliance is vital to ensure that both data and systems are properly secured and that data access is restricted to authorized users. Data includes spreadsheets, Word documents and PDF files, as well as on-site and off-site networked data storage devices and all equipment accessing the databases.
Any group looking to ensure compliance is required to review the following three areas:
• Management of data access
• Separation of roles and tasks
• Auditing to ensure ongoing compliance
Access control is vital. Each user must be granted access only to the data they need, with access to any non-essential data prevented. It is important to separate roles and tasks so that individuals are not given too much power and knowledge. To confirm that this happens, audits should be carried out to ensure continued compliance.
Healthcare groups should have IT departments able to grant or stop access to databases and SharePoint sites. They must be able to quickly determine who has access to data and ensure that sensitive data access is prevented. Viewing, accessing and uploading data to any website or storage facility must also be subject to proper security controls.