Securing Patient Data
If you make use of the interactive services of your website, then you should be aware that these will collect patient data which must be handled appropriately.
BMA Guidelines state that the patient data must be protected by encryption for the whole journey from their submitting it to your receiving it. There are two parts to this:
- the collection of the patient data by a form on the webserver,
- the transmission of the data from the webserver to your surgery.
GP-UK.net websites are configured to ensure that the first point happens automatically, but you need to take certain steps to ensure the second. Therefore we shall concentrate on the latter of these two points, transmission of data from the webserver to the practice, and finish with an explanation of how the data collection is secured automatically.
Conveying Patient Data from the Webserver to the Practice
There are two options for you here:
- Use of the free secure SSL webmail service provided by GP-UK.net. Patient data emails (e.g. prescription requests) are stored on the webserver and you access them by secure encrypted webmail.
- Activation of the encrypted emails feature, combined with use of decryption software at the practice, enables you to have the patient data emails delivered safely to your surgery email system, and you decrypt them on arrival.
Which one to use?
The latter has the advantage that the messages will come directly to you and will be available in your surgery inbox, and, depending on the configuration of your surgery email system, your staff may receive popups indicating that a new message has arrived. However, this is perhaps not such a great advantage, given that they should still check the mailbox from time to time in case they missed the popup!
The disadvantages of the latter are:
- This will require extra configuration and testing of your website setup.
- It may also require adjustments to your surgery email system.
SSL Secured Webmail
This is probably the simplest and cheapest option. If you wish to make use of this then please email support and ask for a mailbox to be set up for you.
This mail is stored on the webserver rather than travelling across the Internet, and so it does not need to be encrypted. You access it directly by webmail with an SSL connection - you simply point your browser at http://www.gp-uk.net/webmail/ and automatically you will be viewing your mail across an encrypted SSL connection.
Using Encrypted Emails
The webserver has the capability to encrypt the patient data and then send it directly to your surgery email address. To make use of this option please follow the instructions on the Email Encryption Instructions page.
SSL Webserver
The first part of the journey of the data is when the patient types their details into a form on your web-pages. This part is automatically encrypted by the use of an SSL server for these pages. An SSL server provides strong encryption and you can check that this is in action by looking, in most browsers, for the padlock icon, or by viewing the page properties.
You may activate SSL encryption on any of the pages of your website. This is easily achieved by viewing the 'Page Header' and ticking the checkbox 'Enforce HTTPS'. However it is not sensible to activate SSL on more pages than necessary, since these pages load more slowly owing to the processing power used by the encryption process.
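One way to check what this section describes, as an added example that is not GP-UK.net's own code: the script below parses a page's HTML, finds each form, and reports any page with a form that is served over http or whose form submits to an http address. The page URLs and markup are constructed samples, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormFinder(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html):
    """Return a list of findings; an empty list means the form journey is HTTPS."""
    finder = FormFinder()
    finder.feed(html)
    findings = []
    if finder.actions and urlparse(page_url).scheme != "https":
        findings.append(f"{page_url}: page with a form is served over http")
    for action in finder.actions:
        # Resolve relative actions against the page URL before checking the scheme.
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            findings.append(f"{page_url}: form submits to {target}")
    return findings


# Constructed sample pages (URLs and markup are illustrative, not from GP-UK.net).
SAMPLES = {
    "https://surgery.example/prescriptions": '<form action="/submit" method="post"></form>',
    "http://surgery.example/appointments": '<form method="post"></form>',
    "https://surgery.example/contact": '<form action="http://surgery.example/send"></form>',
    "http://surgery.example/opening-hours": "<p>No form here.</p>",
}


def audit_all(samples=SAMPLES):
    """Run audit_page over every sample and return the combined findings."""
    report = []
    for url, html in samples.items():
        report.extend(audit_page(url, html))
    return report


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Pages without a form produce no findings, which matches the advice above to enforce HTTPS only where it is needed.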
