After the security storm
- 20 December 2007
“It wasn’t so much the loss of the data, it was the extent to which data was being passed around government – to an extent that people haven’t agreed.”
That was the verdict on HMRC’s data disaster from Dr Paul Thornton, a GP with a special interest in privacy and a member of the Caldicott working party whose recommendations laid the foundations for privacy policy and practice currently in force in healthcare.
“The idea of the same thing happening to their medical records is untenable,” he added.
The scandal didn’t surprise Ross Anderson, professor of security engineering at Cambridge University, who expresses no confidence in central government’s record in this area. “The NHS has long had a problem with operational security – nobody cares about patient privacy in Richmond House [Department of Health HQ],” he said.
Lack of competence is also widespread outside defence and intelligence, he believes.
Anonymising data for secondary uses
Both Dr Thornton and Professor Anderson were critical of the Secondary Uses Service (SUS), the NHS’ ‘single repository of person and care event level data’ being developed for a wide range of purposes outside direct patient care. Uses include audit, planning, research and clinical governance.
Neither was happy with arrangements for pseudonomising data in the SUS.
Dr Thornton said: “Data for secondary purposes should be anonymised at the provider unit before it goes out.” Under current plans he said the service would be collecting identifiable data in a searchable database.
He added: “We’ve had a national database for years but previously they have never allowed such easy and widespread access to it.”
Mechanisms for punishing misuse were, he said, very reliant on retrospective audit – “closing the door after the horse has bolted.”
Professor Anderson had a more radical view: “All patients should be able to opt out of SUS. It’s illegal; what we need is a rich man to go to the High Court and rip its guts out. The project is completely out of control and it has to be shot, [but] the political costs are too great.”
Security in an electronic world
The day-to-day reality, however, is that more personal health information is being stored electronically and this trend is set to continue. How can the UK move forward on that basis?
Dr Thornton’ s suggested solution was to move to smaller databases and stop ‘pushing’ patient information in an anticipatory way. If information needs to be transferred it should be ‘pulled’ – with consent.
He pointed to the example of the Dutch system, run by CSC [a prime contractor in the English NHS IT programme], which works on a system of local databases.
“The remote clinician has to have explicit patient consent. There is no single national database, though if a database is just city-wide it’s still huge,” he said.
Professor Anderson’s ideal solution to managing security in big databases was simple: “Don’t build them.” He too favoured the Dutch approach and a similar strategy in Sweden. “It’s eventually what we will have to do here.”
He doubts claims that information gathered from national databases will produce great benefits for patients and citizens.
In 1996 he and the BMA lost an argument with the government about allowing the police to access the Prescription Pricing Authority database to aid the detection of doctors mis-prescribing opiates. Despite access being granted, Professor Anderson points out that GP, Dr Harold Shipman carried on murdering patients with diamorphine for four years and was eventually caught by different mechanisms.
“It’s not good enough that officials keep saying they need data for the public benefit without providing it [evidence of benefits],” he said.
Enforcing existing policy
In the wake of the HMRC’s data loss, NHS Connecting for Health (CfH) issued a reminder to the service of the need to encrypt files sent to the NHS Strategic Tracing Service and ensure that any patient data transported on physical media is sent by courier or special delivery.
Enforcement of existing guidelines drawn up to protect patient data seems to be the order of the day so far. No doubt close attention will be paid to the first findings of the Poynter Review, due this week, into the circumstances that led to the nation’s child benefit records getting lost in the post.
CfH has made a huge investment in security and always been at pains to emphasise its new systems’ superiority over many existing systems and, of course, over those paper records photographed lying around in corridors, their security maintained by an unhelpful combination of unsearchability and illegibility.
But the stubborn question remains: while all public surveys indicate huge levels of trust for doctors,nurses and the NHS generally, does anyone trust big government with their records?
Linda Davidson
This article first appeared in EHI’s December, 2007 Security Special Report.