Appendix 1: Environmental risks

Although most of us think of security in terms of safeguarding against unauthorised access, there is another important aspect – protecting records from physical damage. Paper records in particular can be easily damaged by moisture, water, fire and insects.

And – unlike electronic records – it’s not feasible to create up-to-date copies against the chance destruction of the originals. Your paper records are therefore not only vulnerable, but irreplaceable, so it’s a good idea to carry out a risk assessment to identify ways in which you can reasonably safeguard their physical integrity. Below are some of the factors that should be considered in a risk assessment.

Fire

Install chemical fire extinguishers (do not use a sprinkler system as water can be even more damaging than fire). Smoke from fires elsewhere in the building can also do much damage, so make sure that doors are tight-fitting and kept closed. Inflammable liquids kept on the premises should be properly stored, and as far away as possible from the records. Install smoke and fire alarms, preferably a system that connects directly to the local fire service.

Important paper documents should be kept in a fire-proof safe, but do not entrust your computer back-up drive to a fire-proof safe – it can melt. Instead, use secure off-site storage.

Water

Basements are not a good place for archiving records – it is better to use professional off-site archiving services if you don’t have a suitable space for storing inactive files. If you are in a flood-prone area, store records above floor level. Think also about the risks from leaking roofs and plumbing problems. If you have sprinklers in areas that house computers, put waterproof covers on the computers before going home at night.

Gravity

Paper records can be very heavy, so get an engineer to check that the floor of your records room can carry the load.

Insects and vermin

Have regular inspections and control measures carried out by experts to keep damaging insects and rodents at bay.

Poor building maintenance

Dangerous wiring, gas leaks, plumbing problems, leaking roofs and damp walls can all cause damage to both paper and electronic records. A regular building maintenance programme can help to reduce the risk from these elements.

The risk of unauthorised access

Paper records should be kept in a room that can be securely locked when the practice is unattended. Limit the number of keys in circulation and keep a record of all key holders. If you use an electronic lock, only give the access code to staff who need it and change the code periodically.

Your records management policy and procedures should include protocols specifying the different roles of staff regarding access to records. Staff should be suitably trained so that they understand the legal and ethical principles of confidentiality and are aware of the need to keep records secure from unauthorised access.

Suitable safeguards for electronic records include firewalls, antivirus software, strong passwords, careful positioning of monitors so that information cannot be read by unauthorised people and setting access permissions on a need-to-know basis.

For basic and easily understandable guidance on safeguarding electronic medical records, you can’t do better than to read No Data No Business, published by the General Practice Information Technology group of the Irish College of General Practitioners (see the "Further Reading" section for details).

For more comprehensive guidance on all aspects of records security, the ISO standard ISO27799 – Health Informatics: Information Security Management in Health Using ISO/IEC 27002 – covers everything you need to know (and more) about averting threats to the confidentiality, integrity and availability of your records.

As the title suggests, this standard is based on ISO/IEC27002 – Code of Practice for Information Security Management – which essentially offers a menu of hundreds of suggested controls for a wide range of security issues such as staff responsibilities and training, premises, business continuity, protocols and procedures, email and internet usage policies and remote access.

The standard can be purchased via the National Standards Authority of Ireland (NSAI) (see Further reading section for links).