Skip to content or view mobile version

Home | Mobile | Editorial | Mission | Privacy | About | Contact | Help | Security | Support

A network of individuals, independent and alternative media activists and organisations, offering grassroots, non-corporate, non-commercial coverage of important social and political issues.

NHS Data Base

Bill | 04.05.2006 14:29 | Health | Cambridge

As the U.K. National Health Service (NHS) begins to roll out its patient records database, one of the centerpiece projects in the massive £6 billion (US$11.4 billion) IT infrastructure upgrade, concerns are being raised about security aspects involved in the retention and distribution of sensitive personal medical information.

The U.K. has strong data protection laws, but implementation is generally viewed as patchy, leading doctors, administrators, politicians and patients alike to raise architectural and legal issues for keeping such vast amounts of information secure on a system aiming to serve 50 million patients as well as the NHS' 1.4 million employees.

The National Care Records Service (NCRS) project, being overseen by the NHS Connecting for Health (NHSCFH) division of the Department of Health, will create a database of uniformly formatted electronic records on everyone using the NHS across the U.K., be accessible by 30,000 doctors and handle five billion transactions a year by 2008. Once the system is completed, the NCRS will be one of the largest databases in the world.

The first phase of the NCRS is scheduled to be completed sometime in the third quarter, with the second phase penciled in for mid- 2006.

Despite progress in building the system, confusion remains over how the policy for the NCRS will be implemented in three respects: the technical aspects, protocols for staff access and issues over who actually owns the data being recorded, according to Richard Allan, who before becoming the Liberal Democrat Member of Parliament (MP) for Sheffield Hallam in 2001, developed computer systems for the NHS. Allan retired as MP on April 11 and returned to the private sector as an IT consultant.

"Just in terms of access to the NCRS by staff, the potential for social hacking is beyond anything we've had before just due to the scale and the nature of the project," Allan said. "I think that matching the theoretical with daily realities will be quite difficult for the government."

It is a concern shared by Richard Starnes, president of the U.K. chapter of the Information Systems Security Association. "The issues are about confidentiality, integrity and availability, with confidentiality probability being the biggest issue," he said.

Forty percent to 50 percent of all security breaches are internal, committed by those who have the greatest potential to exploit the system, and could cost up to eight times more to address than external attacks, Starnes said. "And when you're talking about such sensitive data, it becomes quite serious. Think about it: If someone with HIV or AIDS had that information made public against their will, the social stigma alone could have huge implications," Starnes said.

Currently, patient records are a combination of paper-based and computer-based records that are only available to the patient's designated GP (general practitioner) office or local NHS trust, the individual organization operating within the health system. The NCRS will allow doctors, nurses and other health-care providers access to the electronic records of nonlocal patients. Not only will patients be freed from the burden of repeatedly presenting historical information, the streamlined information flows will lead directly to improved quality of care, the NHS said.

There are multiple programs for the management and protection of existing data, including professional standards and statutory and organizational standards, such as the Caldicott Guardian role held by a board member in each trust, according to Paul Goss a director of the U.K. health IT market researcher Silicon Bridge Research Ltd.

Additionally, each organization has a "registration authority" responsible for local access control, while contractors have to follow a national design involving professional authentication for all processes and also must allow for the creation of audit trails.

"However, there are some issues about technology scaling and span of control, among other things, that suggest that procedures will have to be revised once the first generation is implemented," Goss said. Specifically, he pointed to high workforce turnover, the lack of readiness of the central employee registers and the use of third-party health providers, making data access complex to control.

Known technologies being used for the NCRS system include smart cards, encryption and PKIs (Public Key Infrastructure), but details are sketchy as the NHSCFH and Richard Granger, its chief executive and senior responsible officer for program and systems delivery, are imposing strict gag clauses on all of its contractors.

Contractors building the system did not respond to repeated requests to speak about the NCRS and neither did the NHSCFH. BT Group PLC won the 10-year, £620 million contract to design, deliver and manage the national patient record database, as well as its transactional messaging service, and Oracle Corp. is providing database software.

"Even with smart cards and audit trails there are serious practical issues," Allan said. "One person can use their smart card to log onto the system and in a busy department, such as A&E (accidents and emergency), people won't take the time to log on individually. They'll simply use one doctor's card to log on and use the system through that card the whole time."

Dr. Paul Thornton, a GP in Kingsbury, England, also believes that the hectic nature of some hospitals and local surgeries open the system up to abuse. "The problem is that once the information gets on the NHS spine, there are tremendous powers in place for that information to go all over the place," Thornton said.

The government has discussed the option of sealing the most sensitive data in an "electronic envelope," which would then be used only in emergencies and for giving patients certain rights over data being kept on them. It is unclear what information would go into those envelopes or who could open them and under what circumstances. Both Allen and Thornton say the government is only adding to the level of confusion with its conflicting statements.

Thornton said that he was so concerned about current security and privacy procedures, he queried the government directly with questions. He received an e-mail from Phil Walker, the Department of Health's head of digital information, stating that patients will lack any right to determine what information doctors record about them, or to veto how it is recorded, which seems to contradict past assurances from the government, Thornton said.

"It's true that the Health Minister John Hutton said patients would have the right not to have their medical records stored electronically at all, but what he didn't add is that patients can't opt out part way," Thornton said. "It's either all electronic or all pen and paper, and if your records are only in pen and paper, God only knows how lab results would get done."

Thornton said he would like to see a system where information is pushed from a GP to relevant people or groups, rather than the current plan for placing everything into one central database from which information is then pulled.

Another clear solution to some of the security issues, according to Allan, would be to appoint someone to be the champion of auditing the system independently. Additionally, such an information commissioner would require proper funding.

"That level of independence needs to be built in somewhere and I'm not aware of it being there," Allan said. "But there is a level of panic within the government about getting the system built at all and I believe there's a fear that such a commissioner would only make it harder to get the job done."

Bill
- Homepage: http://www.ticketytock.org

Upcoming Coverage
View and post events
Upcoming Events UK
24th October, London: 2015 London Anarchist Bookfair
2nd - 8th November: Wrexham, Wales, UK & Everywhere: Week of Action Against the North Wales Prison & the Prison Industrial Complex. Cymraeg: Wythnos o Weithredu yn Erbyn Carchar Gogledd Cymru

Ongoing UK
Every Tuesday 6pm-8pm, Yorkshire: Demo/vigil at NSA/NRO Menwith Hill US Spy Base More info: CAAB.

Every Tuesday, UK & worldwide: Counter Terror Tuesdays. Call the US Embassy nearest to you to protest Obama's Terror Tuesdays. More info here

Every day, London: Vigil for Julian Assange outside Ecuadorian Embassy

Parliament Sq Protest: see topic page
Ongoing Global
Rossport, Ireland: see topic page
Israel-Palestine: Israel Indymedia | Palestine Indymedia
Oaxaca: Chiapas Indymedia
Regions
All Regions
Birmingham
Cambridge
Liverpool
London
Oxford
Sheffield
South Coast
Wales
World
Other Local IMCs
Bristol/South West
Nottingham
Scotland
Social Media
You can follow @ukindymedia on indy.im and Twitter. We are working on a Twitter policy. We do not use Facebook, and advise you not to either.
Support Us
We need help paying the bills for hosting this site, please consider supporting us financially.
Other Media Projects
Schnews
Dissident Island Radio
Corporate Watch
Media Lens
VisionOnTV
Earth First! Action Update
Earth First! Action Reports
Topics
All Topics
Afghanistan
Analysis
Animal Liberation
Anti-Nuclear
Anti-militarism
Anti-racism
Bio-technology
Climate Chaos
Culture
Ecology
Education
Energy Crisis
Fracking
Free Spaces
Gender
Globalisation
Health
History
Indymedia
Iraq
Migration
Ocean Defence
Other Press
Palestine
Policing
Public sector cuts
Repression
Social Struggles
Technology
Terror War
Workers' Movements
Zapatista
Major Reports
NATO 2014
G8 2013
Workfare
2011 Census Resistance
Occupy Everywhere
August Riots
Dale Farm
J30 Strike
Flotilla to Gaza
Mayday 2010
Tar Sands
G20 London Summit
University Occupations for Gaza
Guantanamo
Indymedia Server Seizure
COP15 Climate Summit 2009
Carmel Agrexco
G8 Japan 2008
SHAC
Stop Sequani
Stop RWB
Climate Camp 2008
Oaxaca Uprising
Rossport Solidarity
Smash EDO
SOCPA
Past Major Reports
Encrypted Page
You are viewing this page using an encrypted connection. If you bookmark this page or send its address in an email you might want to use the un-encrypted address of this page.
If you recieved a warning about an untrusted root certificate please install the CAcert root certificate, for more information see the security page.

Global IMC Network


www.indymedia.org

Projects
print
radio
satellite tv
video

Africa

Europe
antwerpen
armenia
athens
austria
barcelona
belarus
belgium
belgrade
brussels
bulgaria
calabria
croatia
cyprus
emilia-romagna
estrecho / madiaq
galiza
germany
grenoble
hungary
ireland
istanbul
italy
la plana
liege
liguria
lille
linksunten
lombardia
madrid
malta
marseille
nantes
napoli
netherlands
northern england
nottingham imc
paris/île-de-france
patras
piemonte
poland
portugal
roma
romania
russia
sardegna
scotland
sverige
switzerland
torun
toscana
ukraine
united kingdom
valencia

Latin America
argentina
bolivia
chiapas
chile
chile sur
cmi brasil
cmi sucre
colombia
ecuador
mexico
peru
puerto rico
qollasuyu
rosario
santiago
tijuana
uruguay
valparaiso
venezuela

Oceania
aotearoa
brisbane
burma
darwin
jakarta
manila
melbourne
perth
qc
sydney

South Asia
india


United States
arizona
arkansas
asheville
atlanta
Austin
binghamton
boston
buffalo
chicago
cleveland
colorado
columbus
dc
hawaii
houston
hudson mohawk
kansas city
la
madison
maine
miami
michigan
milwaukee
minneapolis/st. paul
new hampshire
new jersey
new mexico
new orleans
north carolina
north texas
nyc
oklahoma
philadelphia
pittsburgh
portland
richmond
rochester
rogue valley
saint louis
san diego
san francisco
san francisco bay area
santa barbara
santa cruz, ca
sarasota
seattle
tampa bay
united states
urbana-champaign
vermont
western mass
worcester

West Asia
Armenia
Beirut
Israel
Palestine

Topics
biotech

Process
fbi/legal updates
mailing lists
process & imc docs
tech