Safeguarding Patient Data: How PML Ensures Privacy and Security
Episode 6 • 2nd May 2024 • Physiological Measurements Podcast • Physiological Measurements Ltd

Shownotes

Your data and personal details are hugely sensitive and keeping that information protected is more important than ever.

In this episode you'll hear from Niall Wales, the IT lead at PML, who explains how your data is kept secure using encryption, rigorous security protocols and ongoing training for everybody at PML.

If you have any extra questions about your appointment or referral to PML, you can get in touch with the team via the Physiological Measurements website, physiologicalmeasurements.com.

Transcripts

Charlotte Foster:

Welcome to the Physiological Measurements podcast for patients who've been referred for an appointment for a scan. I'm Charlotte Foster and I've been taking a look behind the scenes at head office in Shropshire, as well as speaking to one of the sonographers who works in one of the clinics. Throughout this series, I'm finding out about who PML are, the work they do, and most importantly, what you can expect as a patient. Now, your medical details are probably one of the most personal and private bits of information you have, and you may have concerns about how your data is protected, especially by a private company that's undertaking NHS work. Well, to find out more about what PML does to protect your data, I've been speaking to Niall Wales, the IT lead at PML. Now, he did pop up in our first episode, but I just thought this is such an important topic that I'd ask him a few more questions. So I began by asking him how data is stored by PML.

Niall Wales:

It's stored encrypted and it also travels in the encrypted form, and it does this by a VPN, which stands for people that might not know of a virtual private network. It basically, it's a tunnel from either a site to site, which is how we use them, and it makes sure while the traffic is flowing that it's also encrypted. There's various methods that you can use to encrypt. It makes you know that there's no way that data can be changed while it's travelling. So you know where it goes to and where it's come from is correct and it's intact, basically. So the VPN will travel to a firewall, and then the firewall then tells the traffic to where to go, basically. In a nutshell.

Charlotte Foster:

Fabulous. So no one's going to be able to get hold of it. Is it like on your WhatsApp messages as well? They're encrypted end to end. Is it similar to that?

Niall Wales:

It is, yeah. That's why people like to use WhatsApp, because it's the same, very similar technology. There's nothing really you can do while it's travelling, so that's why we have to use it.

Charlotte Foster:

And I imagine, being an NHS partner, there's lots of guidelines that you have to follow to be an NHS partner. Tell me a little bit more about what those are, please.

Niall Wales:

There is, so being a partner, the NHS has a thing called the DSPT, Data Security Protection Toolkit, and with that, there is a set of questions and guidelines that we have to follow. And it basically just shows that we are being secure, following guidelines in terms of monitoring who has access to certain systems and that certain procedures are being followed by all staff, really, because it goes hand in hand with Cyber Essentials, which is also another certification that we go through. It shows that we are following patching schedules so our firewalls, VPNs, any switches that we have in the business, they're kept up to date. And also, just as important, people's computers are being kept up to date as well and it's just showing that we are being as secure as we can, basically.

Charlotte Foster:

Yeah. And that's important, isn't it, just keeping that level up? I'm sure there's a lot of training that goes on as well to make sure everyone knows what they're doing and that sort of thing.

Niall Wales:

Yeah, there is. So we have data protection online training, which is mandatory, so we have to take that as much as people like mandatory training, but we do have to take it. But we do get some help from other companies that are partnered with Microsoft. And we do vulnerability scans, which basically it scans all of our servers. It will pick up any vulnerabilities. And these are all given code names, I suppose, is what you call them, but it's by Microsoft or by the developers themselves. And we can basically fix it with the remediation from whoever it may be. And then on top of that we do penetration tests.

So it will be an external company that basically pretends to be a hacker or a bad person.

Charlotte Foster:

Oh, wow.

Niall Wales:

Yeah. So they try to get in externally and then depending on how that goes, we might give them internal access to be like an insider knowledge kind of attack. So we basically cover all types of attacks and from that we have a report, what we can work on, what went well and yeah, just another kind of check to make sure that we're being as secure as we can and follow guidelines, basically.

Charlotte Foster:

It sounds really rigorous, the process that you're going through, which I think is reassuring for people listening.

Niall Wales:

Yeah, there is quite a lot, but obviously the scan itself is just as important as the data that's put in the scan. So we have to make sure that we're being secure in every way possible.

Charlotte Foster:

Really makes sense. So this sort of leads me on to my next question. We talked about transferring the data, how it's stored and getting it there, but where is it kept? Because I think that worries people a bit as well. You've talked about how you protect it, but where does it actually stay? And can it get lost, can it get erased all that kind of all those worries, yeah.

Niall Wales:

So all the data is stored in a cloud server state, basically using industry grade requirements from Microsoft. And also there is certain procedures from NHS on how to store data, databases that you might want to use. It depends on the use case. Are you always going to be accessing the data on a daily basis, which for us we do, but it's all cloud stored, and then behind the servers or databases that the data is kept in, again, it's protected by firewalls, which knows where people are coming from. So, yeah, it's all stored in the cloud. I know it's probably quite a worrying thing when you think it's in the cloud. You think it probably could get lost. But that is the purpose of a VPN, because it is a tunnel of traffic, and it will know if the data doesn't reach the end of the tunnel.

So it's just bits like that that reassure us that it does get to where we need it to. And again, the people who book and manage appointments, they can also see the data in a bit more of a readable format, not in lots of ones and zeros, though, so that we can also physically see that data has been received, or we've received it from whichever end, if it is any external companies within the NHS. It depends how we get referrals. The NHS have their own specific VPN, it's sometimes referred to as HSCN, or it can be an ExpressRoute, and it's basically the NHS's own, like, VPN type connection. So it's also encrypted, but it's just methods for external parties that are also NHS partners to be able to access anything that we may have. That is the only way that you can get external access, and the only way you can get one of them is being an NHS partner, basically, so...

Charlotte Foster:

Talking about access, you talk about the sending of data. Who is responsible for this data?

Niall Wales:

It's a good question, really, it's everybody. It's just as important for IT to follow these rules as it is for the clinicians, the imaging assistants, people here at the office. Really, it's a joint effort. I'm just here to preach the guidelines that we set for whatever it may be. But at the end of the day, it's all a joint effort. It's myself and the governance team that put the work together to get through those kinds of certifications, but we wouldn't pass them if it wasn't for all staff following the guidelines.

Charlotte Foster:

Fabulous. That's good to know, though. And I feel like it's something that everybody takes seriously here as well. It's not like you're going around telling people and they're going, "all right, Niall". It's something that everyone's on board with. Yeah. So this is a really obvious question, I think, but I think it's useful to say it, why is security and data security so important at PML?

Niall Wales:

It would mainly be for the integrity of the company, really, because unfortunately, it's not just PML that exists in the ultrasound space. And at the end of the day, the patients are what keep the business going. If they don't know where the data is going or what's happening to any of their data, then why would they want to come and book an appointment, basically. We do have a lot in place that I can't go into too much detail about.

Charlotte Foster:

You mean you're not going to give me all the trade secrets?

Niall Wales:

Precisely. We do have a lot in place for the company size, like multiple firewalls. We do have a lot in place for security, but I suppose it's so easy to overlook bits such as vulnerabilities for software. There's quite a lot of common vulnerabilities that aren't fixed, and if you don't know about them, then it's just an accident waiting to happen, basically. So we do a lot to premeditate and remove as much as we can, and then we can reassure patients that it is safe to be with us, have an appointment with us, and just to reassure them that their data is as safe as we can possibly make it.

Charlotte Foster:

Ultrasounds, they're quite a personal, well, anything to do with your medical and your health. It's very personal. It's very private. It's very, very of you. If someone is just a little bit nervous, apprehensive about coming for an appointment via PML, what would be your one message to them?

Niall Wales:

We see plenty of patients a day, a month, a year. I think it's important to remember that we do this for a living. We've got plenty of well trained and friendly staff, and it's never too much hassle to email or call in or reach out to us on the company website, whichever way it may be. We are a partner with the NHS, so we have very strict guidelines to follow and we do as much as we can to make sure that your appointment is seamless and also as positive and nice an experience as we can.

Charlotte Foster:

Thank you to my guests for spending time with me today, and thank you for listening to this episode of the Physiological Measurements podcast. I hope you enjoyed it and you found it useful. You can find out more and get in touch with the team by visiting the website physiologicalmeasurements.com.
