Infosec and healthcare: Prescribing the right tablets

Information security is a fundamental part of the healthcare research industry. Joanne Frearson talks to Sarah Lawson, head of IT at one of Oxford University’s research facilities.

Building security into a system and making sure data is collected securely is of prime importance at the National Perinatal Epidemiology Unit at the University of Oxford, which conducts medical studies to improve the healthcare of women and their children during and after pregnancy.

Sarah Lawson, head of IT and Information Security at the NPEU, says: “My main concern is assuring confidentiality and integrity of the information. It would be making sure all the systems have security built in from day one. We project manage by building security from top down or bottom up or both ways.”

Her role is a combination of looking after various IT projects that she runs within the trials unit, and working on policy and governance within the university itself.

She says: “The trials I am involved in I do not have any direct contact with patients. We do not work in the hospital, but work with the data collected from it. What we try to do is integrate with all the NHS trusts in the UK and provide assistance to collect information securely in an easy fashion.

“We anonymise everything we can or encrypt information to make sure identity remains confidential. Making sure things are confidential is absolutely our business – without it we would not have a business. I think it is really important to make sure all staff and researchers understand confidentiality and integrity.”

Information security starts from the inception of a project. “A particular project would involve designing the systems and making sure there are different layers of security. It is about making sure the programming team build in their own security, making sure we have externals coming in to check that we are doing the right thing.”

Lawson says her biggest threat is user error, such as someone doing something accidentally like taking a laptop home when they should not.

She says: “We do provide whole-disk encryption and encrypted memory sticks, as well as putting restrictions on when and where data can be seen. If it is highly secure we do not allow researchers to look at it outside the units.

“If in an event that a laptop did leave the building and it was left on the Tube, they all have whole-disk encryption which should make it impossible for anyone else to get in.

“The university itself has had laptops returned because people have stolen them, taken them to the pub, and realised they cannot get into them. Or they have taken it to an Apple dealer and said ‘can you break this?’ The Apple dealer has clearly realised it is encrypted and therefore stolen and given it to the police who have returned it to the unit it came from.”