
After the security storm

20 Dec 2007

“It wasn’t so much the loss of the data, it was the extent to which data was being passed around government - to an extent that people haven’t agreed.”

That was the verdict on HMRC’s data disaster from Dr Paul Thornton, a GP with a special interest in privacy and a member of the Caldicott working party whose recommendations laid the foundations for privacy policy and practice currently in force in healthcare.

“The idea of the same thing happening to their medical records is untenable,” he added.

The scandal didn’t surprise Ross Anderson, professor of security engineering at Cambridge University, who expresses no confidence in central government’s record in this area. “The NHS has long had a problem with operational security – nobody cares about patient privacy in Richmond House [Department of Health HQ],” he said.

Lack of competence is also widespread outside defence and intelligence, he believes.

Anonymising data for secondary uses

Both Dr Thornton and Professor Anderson were critical of the Secondary Uses Service (SUS), the NHS’ ‘single repository of person and care event level data’ being developed for a wide range of purposes outside direct patient care. Uses include audit, planning, research and clinical governance.

Neither was happy with arrangements for pseudonymising data in the SUS.

Dr Thornton said: “Data for secondary purposes should be anonymised at the provider unit before it goes out.” Under current plans he said the service would be collecting identifiable data in a searchable database.

He added: “We’ve had a national database for years but previously they have never allowed such easy and widespread access to it.”

Mechanisms for punishing misuse were, he said, very reliant on retrospective audit – “closing the door after the horse has bolted.”

Professor Anderson had a more radical view: “All patients should be able to opt out of SUS. It’s illegal; what we need is a rich man to go to the High Court and rip its guts out. The project is completely out of control and it has to be shot, [but] the political costs are too great.”

Security in an electronic world

The day-to-day reality, however, is that more personal health information is being stored electronically and this trend is set to continue. How can the UK move forward on that basis?

Dr Thornton’s suggested solution was to move to smaller databases and stop ‘pushing’ patient information in an anticipatory way. If information needs to be transferred it should be ‘pulled’ – with consent.

He pointed to the example of the Dutch system, run by CSC [a prime contractor in the English NHS IT programme], which works on a system of local databases.

“The remote clinician has to have explicit patient consent. There is no single national database, though if a database is just city-wide it’s still huge,” he said.

Professor Anderson’s ideal solution to managing security in big databases was simple: “Don’t build them.” He too favoured the Dutch approach and a similar strategy in Sweden. “It’s eventually what we will have to do here.”

He doubts claims that information gathered from national databases will produce great benefits for patients and citizens.

In 1996 he and the BMA lost an argument with the government about allowing the police to access the Prescription Pricing Authority database to aid the detection of doctors mis-prescribing opiates. Despite access being granted, Professor Anderson points out that GP Dr Harold Shipman carried on murdering patients with diamorphine for four years and was eventually caught by different mechanisms.

“It’s not good enough that officials keep saying they need data for the public benefit without providing it [evidence of benefits],” he said.

Enforcing existing policy

In the wake of the HMRC’s data loss, NHS Connecting for Health (CfH) issued a reminder to the service of the need to encrypt files sent to the NHS Strategic Tracing Service and ensure that any patient data transported on physical media is sent by courier or special delivery.

Enforcement of existing guidelines drawn up to protect patient data seems to be the order of the day so far. No doubt close attention will be paid to the first findings of the Poynter Review, due this week, into the circumstances that led to the nation’s child benefit records getting lost in the post.

CfH has made a huge investment in security and always been at pains to emphasise its new systems’ superiority over many existing systems and, of course, over those paper records photographed lying around in corridors, their security maintained by an unhelpful combination of unsearchability and illegibility.

But the stubborn question remains: while all public surveys indicate huge levels of trust for doctors, nurses and the NHS generally, does anyone trust big government with their records?

Linda Davidson

This article first appeared in EHI’s December, 2007 Security Special Report.

Readers Comments

1

One for the zealots?

21 Dec 07 10:18

“It wasn’t so much the loss of the data, it was the extent to which data was being passed around government - to an extent that people haven’t agreed.”

Although it might be useful for Dr Thornton to interpret things in the way, the reality is that it was very much the loss of data that caused public concern - along with the casual non-systematised approach to data security that this implies. I'm sure the fact that people had not given their explicit consent to HMRC passing this data to the NAO only occurred to those with a particular interest in this area.


2

Big government

21 Dec 07 15:49

It was your closing sentence that really caught my eye – “But the stubborn question remains: while all public surveys indicate huge levels of trust for doctors, nurses and the NHS generally, does anyone trust big government with their records”. Fortunately with healthcare information, big government has relatively little of our records to do anything with (if you overlook SUS perhaps). Virtually all our detailed records are still held either in GP practices (Lloyd George envelopes or local IT systems) or scattered in whatever hospitals we may have been patients (in paper and never drawn together, rarely even in one hospital do nursing notes and doctors notes end up together). But who is it that is most lackadaisical with those records? Often those doctors and nurses we trust so much! E.g. the records on the end of the patient bed or piled outside the consulting rooms in outpatients. Roll on the EPR/EHR where the paper element disappears and roll on me being the holder of my record and deciding who gets to read it. I don’t even mind having an implanted chip to store it on so I don’t lose it if I become increasingly demented.

It all supports UKCHIP’s contention that we need more properly trained and regulated HI practitioners to work with those lovely cuddly doctors and nurses and to help them get information security right! Excellent observations and commentary – keep it up. Mik Horswell Press Officer UKCHIP


3

After the Storm?

nhstechie@btinternet.com

23 Dec 07 20:22

... so far I think we've only seen the beginning!


4

Push and pull

02 Jan 08 11:22

Unfortunately Linda Davidson's detailed notes of our conversation have transposed the problem and the solution, a confusion probably arising from discussion of the Dutch system.

Concepts of privacy are incompatible with proposals for databases that hold information about an enormous number of individuals and that also have a huge number of staff who are able (if perhaps not “allowed”) to “pull” that data. Multiple small databases are intrinsically more confidential. Access can be unequivocally limited to members of the clinical team to whom it is initially divulged. Relevant and necessary information, with patient understanding and agreement, can be “pushed” securely to targeted databases of clinicians elsewhere who are involved in the care of the individual. Information can be pushed to emergency and out of hours services where there is a reasonable expectation that it might be needed.

Even under current CfH proposals, such mechanisms will become essential for the sharing of detailed current information about the large number of patients whose care is shared between clinicians who work across the boundaries of different “clusters” or “instances” who will never have access to a shared detailed care record.

Development of data “pushing” is a theme adopted by the British Computer Society.

The Dutch CSC system is based on small databases and has safeguards which seem to be more robust than CfH proposals, however it is essentially a pull system. Information can only be made more widely accessible with the explicit consent of the patient. My understanding from the scheme’s website at http://www.nictiz.nl/ is that the data can only be accessed by a small number of clinicians in the remote institution again with the further confirmation of patient identity and consent. Paul Thornton


5

Where is the evidence for this?

03 Jan 08 13:20

"Multiple small databases are intrinsically more confidential" Where is the evidence for this? Just because data is held in a small server in a practice it does not automatically mean it is secure or that access is well controlled. All the recent examples of missing data in public services have arisen as a result of information being taken out of secure systems and transferred on unsecured media between organisations. Larger systems with the correct security will reduce the need to extract and move data in this way. Stop arguing about where data sits and start focussing on how to manage access properly and create cultures which respect the record's ownership by the patient. The new CFH RBAC and Data Sharing model are good starting points - more work is needed but they can provide for the first time a common model for all patient clinical record systems. Doug Scott.


6

Big government

04 Jan 08 10:28

No we don't trust the government with our information (any of it). And who's to say they won't access the medical database. They are already planning to sell our data to research companies. Who knows where it will end? When I filled in my GMS1 I did not agree to any of this use of my information.
