Not surprisingly, data security is often the first issue raised by domiciliary care providers considering moving from local or paper-based records management to something that works on mobile networks and based in the ‘cloud’. This is to be expected and welcomed. Given the potentially sensitive and personal data domiciliary care providers hold it would be strange if data security were not a big issue.
But before getting into the ways that we secure personal data in CareForIt, perhaps it’s worth thinking about what currently happens when files are kept centrally either on paper or on office-based PCs.
The following guidance on data sharing comes from the website of a security consultant who specialises in health and social care:
‘All personal data can be shared, provided you have the authority to do so. If in doubt, obtain written authorisation from your employer specifying the data to be shared, the purpose and the recipient. When sharing personal data, make sure you keep a record of what was shared, why, with whom and how it was shared, for example by email.’
That sounds simple enough in principle. But how rigorously can this authorisation process be followed 100% of the time in a busy domiciliary care provider with many service users? How much effort is involved in getting authorisation and keeping audit trails if you want to do this properly? And can data really be considered secure once you’ve emailed it?
Removing paper records
There’s also helpful advice for removing paperwork from the office:
‘Ask yourself whether it is vital to take a case file with you. If it is, anonomyse the data or remove as much of the personal content as possible. The level of security you use should be proportionate to the consequences if that data is misplaced. If it is just your call sheet – a list of names and addresses – keep it in your pocket. A case file will require greater security. Take only the files you need and keep them locked in the boot of your car at all times. Only take out the specific file for the service user you are visiting and keep it in a locked bag.’
The advice is targeted more at social workers but would be equally applicable to domiciliary care workers who might need to have details of care plans, particularly if it’s a service user they don’t know. How easy would it be to leave files on the front seat of your car rather than locked in the boot when you’re in a hurry?
Domiciliary care – data security is always an issue
I guess what this shows is that security should already be a significant concern. In many ways properly secured electronic record keeping in web based domiciliary care software is inherently safer. At a very basic level, if you are accessing service user information via a mobile device nobody should be able to see it without a password.
Just for the record here’s some details of how we keep information secure at CareForIt. All data transferred between mobile devices and the central CareForIT database is fully encrypted. Our SSL certificate is a 256 bit High Grade certificate provided by Geo Trust, the world’s second largest digital certificate provider.
We believe that we are the only provider of domiciliary care management software in the UK to meet the ISO 27001 standard for data security.
Our data security means that data cannot be intercepted and used by unauthorised people. Also, if somebody breaks into a care worker’s car and steals their mobile they will not be able to access any service user information because nothing is stored on the phone. The same cannot be said for paper records.
Data held centrally is also password protected and fully encrypted. Breaches of the physical security of your building will not allow anyone access to your data even if they steal your PCs and network server. For one thing your data is not held locally but on servers hosted by Rackspace in their secure Tier III London Datacentre – which is ISAE 3402 Type II SOC 1 Audited.
Any data kept on our servers is encrypted using AES256 encryption provided by Gazzang.
Password protected documents are not secure
If your service user information is on Word or Excel files with or without bog-standard password protection it’s not hard to access. Paper based records are only as secure as the lock on your filing cabinet.
As a final point we are fully compliant with all data protection legislation and registered with the Information Commissioner – our ICO Data Controller number is Z3162856. In line with legal requirements and good practice all data is held on UK based servers.
Controlled access to information
By controlling access to information through password permission it’s also much easier to track who can view it. The problem with any document (paper or electronic) is that once you email it to somebody you lose control of where it might end up. Keeping all data centrally and then controlling who can access it is much safer than allowing people to keep local copies.
Usually when I explain the full details of how we secure personal data the issue goes away. But I do see a few furrowed brows when I ask people what they are currently doing to achieve anything like the same level of security.
Dan Farrell-Wright, Technical Director, CareForIt
Give me a call on 08455 44 23 11 to arrange your on-line demo