Training activity information

Details

Review and identify the data protection and cyber security risks of a clinical system or key clinical infrastructure, develop appropriate mitigations and update the safety case report

Type

Developmental training activity (DTA)

Evidence requirements

Evidence the activity has been undertaken by the trainee.

Reflection on the activity at one or more time points after the event, including learning from the activity and/or areas of the trainee's practice for development.

An action plan to implement learning and/or to address skills or knowledge gaps identified.

Considerations

  • Hazard logs, risk assessments
  • Cost, procurement and contracts
  • Collaboration with local and national ICT cyber-security teams
  • Agreement and assignment of responsibilities and accountabilities e.g. Clinical Safety Officer(s)
  • Local, national or international policies, procedures and guidance
  • External security accreditation
  • Risk assessments
  • Software and hardware systems
  • Medical device management and maintaining clinical and patient safety
  • Lifecycle management for data protection and cyber security measures

Reflective practice guidance

The guidance below is provided to support reflection at different time points, offering questions to aid your reflection on this training activity. They are provided for guidance only and should not be considered a mandatory checklist. Trainees should not be expected to provide answers to each of the guidance questions listed.

Before action

  • What do you need to know before embarking on this review? Consider your understanding of data protection legislation, cyber security principles, risk assessment methodologies, and the structure of a safety case report.
  • What do you anticipate you will learn from this experience? Think about the specific insights you hope to gain regarding identifying vulnerabilities, developing effective mitigation strategies, and applying these to a safety case report. Consider what you already know about data protection and cyber security in clinical environments.
  • What actions will you take in preparation for this experience? Will you discuss risk assessment frameworks with your training officer? Will you research common data protection and cyber security risks in healthcare? Consider potential challenges in identifying risks or developing suitable mitigations and how you might address them. Identify how you feel about embarking on this training activity.

In action

  • When reviewing the system, what methods are you using to identify potential risks? Why are you prioritising certain aspects over others in your initial assessment?
  • What decisions are you making about the likelihood and impact of the risks you identify? How are you deciding on appropriate mitigation strategies?
  • Where does your existing knowledge of data protection (e.g., GDPR) and cyber security principles feel sufficient, and where are you having to consciously recall or look up information?
  • How well do you think your current approach is uncovering the key vulnerabilities? What challenges are you facing in developing effective mitigations or in updating the safety case report?
  • What are you learning about the specific data protection and cyber security challenges of this clinical system as you work? How does this align with your broader understanding of these areas?
  • If you are unsure about a particular risk or mitigation, are there other frameworks or resources you could consult? Would discussing this with a security specialist or your supervisor be helpful now? Are the mitigations you are proposing feasible and within your remit to recommend?

On action

  • Outline the clinical system or infrastructure you reviewed, the data protection and cyber security risks you identified, the mitigations you proposed, and how you updated the safety case report.
  • What did you learn about identifying data protection and cyber security risks in a clinical setting? How did you develop your skills in proposing appropriate mitigation strategies? What did you learn about the content and purpose of a safety case report? Did reflecting during the activity (reflect-in-action) help you refine your risk assessment or mitigation strategies?
  • What areas of risk assessment and mitigation do you need to develop further? How will you apply this learning to future risk assessments of clinical systems? What are your next steps in improving your ability to contribute to safety case reports? Do you require any further resources or guidance on data protection, cyber security in healthcare, or safety case report writing?

Beyond action

  • Have you revisited the risks you identified, the mitigations you proposed, and the updated safety case report? How has your understanding of data protection and cyber security evolved since then? Have you compared your findings with others?
  • How has this experience impacted your current approach to identifying and mitigating risks in other systems or projects? Has it informed your understanding of safety case reports and their role in governance?
  • What transferable skills, such as risk assessment and analytical thinking, did you develop? What further learning in data protection and cyber security would benefit your future practice?

Relevant learning outcomes

  1. Review and prepare appropriate documentation for clinical information systems.
  2. Review and identify data protection and cyber security risks for clinical information systems and develop and implement appropriate mitigation strategies.