Sweating over UK's NHS patient record database

Doctors, administrators, politicians and patients point to security of personal information as issue

As the U.K. National Health Service (NHS) begins to roll out its patient records database, one of the centerpiece projects in the massive £6 billion (US$11.4 billion) IT infrastructure upgrade, concerns are being raised about security aspects involved in the retention and distribution of sensitive personal medical information.

The U.K. has strong data protection laws, but implementation is generally viewed as patchy, leading doctors, administrators, politicians and patients alike to raise architectural and legal issues for keeping such vast amounts of information secure on a system aiming to serve 50 million patients as well as the NHS' 1.4 million employees.

The National Care Records Service (NCRS) project, being overseen by the NHS Connecting for Health (NHSCFH) division of the Department of Health, will create a database of uniformly formatted electronic records on everyone using the NHS across the U.K., be accessible by 30,000 doctors and handle five billion transactions a year by 2008. Once the system is completed, the NCRS will be one of the largest databases in the world.

The first phase of the NCRS is scheduled to be completed sometime in the third quarter, with the second phase penciled in for mid-2006.

Despite progress in building the system, confusion remains over how the policy for the NCRS will be implemented in three respects: the technical aspects, protocols for staff access and issues over who actually owns the data being recorded, according to Richard Allan, who before becoming the Liberal Democrat Member of Parliament (MP) for Sheffield Hallam in 2001, developed computer systems for the NHS. Allan retired as MP on April 11 and returned to the private sector as an IT consultant.

"Just in terms of access to the NCRS by staff, the potential for social hacking is beyond anything we've had before just due to the scale and the nature of the project," Allan said. "I think that matching the theoretical with daily realities will be quite difficult for the government."

It is a concern shared by Richard Starnes, president of the U.K. chapter of the Information Systems Security Association. "The issues are about confidentiality, integrity and availability, with confidentiality probably being the biggest issue," he said.

Forty percent to 50 percent of all security breaches are internal, committed by those who have the greatest potential to exploit the system, and could cost up to eight times more to address than external attacks, Starnes said. "And when you're talking about such sensitive data, it becomes quite serious. Think about it: If someone with HIV or AIDS had that information made public against their will, the social stigma alone could have huge implications," Starnes said.

Currently, patient records are a combination of paper-based and computer-based records that are only available to the patient's designated GP (general practitioner) office or local NHS trust, the individual organization operating within the health system. The NCRS will allow doctors, nurses and other health-care providers access to the electronic records of nonlocal patients. Not only will patients be freed from the burden of repeatedly presenting historical information, the streamlined information flows will lead directly to improved quality of care, the NHS said.

There are multiple programs for the management and protection of existing data, including professional standards and statutory and organizational standards, such as the Caldicott Guardian role held by a board member in each trust, according to Paul Goss, a director of the U.K. health IT market researcher Silicon Bridge Research Ltd.

Additionally, each organization has a "registration authority" responsible for local access control, while contractors have to follow a national design involving professional authentication for all processes and also must allow for the creation of audit trails.

"However, there are some issues about technology scaling and span of control, among other things, that suggest that procedures will have to be revised once the first generation is implemented," Goss said. Specifically, he pointed to high workforce turnover, the lack of readiness of the central employee registers and the use of third-party health providers, making data access complex to control.

Known technologies being used for the NCRS system include smart cards, encryption and PKIs (Public Key Infrastructure), but details are sketchy as the NHSCFH and Richard Granger, its chief executive and senior responsible officer for program and systems delivery, are imposing strict gag clauses on all of its contractors.

Contractors building the system did not respond to repeated requests to speak about the NCRS and neither did the NHSCFH. BT Group PLC won the 10-year, £620 million contract to design, deliver and manage the national patient record database, as well as its transactional messaging service, and Oracle Corp. is providing database software.

"Even with smart cards and audit trails there are serious practical issues," Allan said. "One person can use their smart card to log onto the system and in a busy department, such as A&E (accident and emergency), people won't take the time to log on individually. They'll simply use one doctor's card to log on and use the system through that card the whole time."
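As an added illustration of how an audit trail can still surface the shared-card pattern Allan describes (example code written for this article, not anything from the NHS or its contractors; the log format, card and workstation identifiers are constructed):

```python
# Two heuristics over a clinical audit trail for shared smart-card use: one card with sessions
# open on several workstations at once, or viewing more patients in a minute than one clinician
# plausibly could. Neither proves misuse; both are worth a check by whoever owns the audit trail.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not a real NHS log):
# timestamp card_id workstation action patient_id
AUDIT_LOG = """\
2005-04-11T09:00:02 CARD-0417 AE-WS-01 LOGIN -
2005-04-11T09:01:10 CARD-0417 AE-WS-01 VIEW P-100231
2005-04-11T09:01:15 CARD-0417 AE-WS-03 LOGIN -
2005-04-11T09:01:40 CARD-0417 AE-WS-03 VIEW P-100877
2005-04-11T09:02:05 CARD-0417 AE-WS-01 VIEW P-100562
2005-04-11T09:05:00 CARD-0922 GP-WS-07 LOGIN -
2005-04-11T09:06:00 CARD-0922 GP-WS-07 VIEW P-200011
2005-04-11T09:20:00 CARD-0922 GP-WS-07 LOGOUT -
2005-04-11T09:30:00 CARD-0417 AE-WS-01 LOGOUT -
2005-04-11T09:31:00 CARD-0417 AE-WS-03 LOGOUT -
"""

def parse(log):
    """Return events as (timestamp, card, workstation, action, patient), time-ordered."""
    events = []
    for line in log.splitlines():
        ts, card, ws, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), card, ws, action, patient))
    return sorted(events)

def concurrent_workstations(events):
    """Cards that had a session open on more than one workstation at the same time."""
    active = defaultdict(set)          # card -> workstations with an open session
    flagged = defaultdict(set)
    for _, card, ws, action, _ in events:
        if action == "LOGIN":
            active[card].add(ws)
            if len(active[card]) > 1:
                flagged[card] |= active[card]
        elif action == "LOGOUT":
            active[card].discard(ws)
    return {card: sorted(wss) for card, wss in flagged.items()}

def record_burst(events, window=timedelta(minutes=1), limit=2):
    """Cards that viewed more than `limit` distinct patients within any `window`."""
    views = defaultdict(list)
    for ts, card, _, action, patient in events:
        if action == "VIEW":
            views[card].append((ts, patient))
    flagged = {}
    for card, vs in views.items():
        for i, (start, _) in enumerate(vs):
            patients = {p for t, p in vs[i:] if t - start <= window}
            if len(patients) > limit:
                flagged[card] = max(flagged.get(card, 0), len(patients))
    return flagged
```

On the sample, CARD-0417 is flagged by both checks (open on AE-WS-01 and AE-WS-03 at once, three patients viewed inside a minute) while the GP card is not; the thresholds are illustrative and would need tuning to a department's real workload.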

Dr. Paul Thornton, a GP in Kingsbury, England, also believes that the hectic nature of some hospitals and local surgeries opens the system up to abuse. "The problem is that once the information gets on the NHS spine, there are tremendous powers in place for that information to go all over the place," Thornton said.

The government has discussed the option of sealing the most sensitive data in an "electronic envelope," which would then be used only in emergencies and for giving patients certain rights over data being kept on them. It is unclear what information would go into those envelopes or who could open them and under what circumstances. Both Allan and Thornton say the government is only adding to the level of confusion with its conflicting statements.

Thornton said that he was so concerned about current security and privacy procedures, he queried the government directly with questions. He received an e-mail from Phil Walker, the Department of Health's head of digital information, stating that patients will lack any right to determine what information doctors record about them, or to veto how it is recorded, which seems to contradict past assurances from the government, Thornton said.

"It's true that the Health Minister John Hutton said patients would have the right not to have their medical records stored electronically at all, but what he didn't add is that patients can't opt out part way," Thornton said. "It's either all electronic or all pen and paper, and if your records are only in pen and paper, God only knows how lab results would get done."

Thornton said he would like to see a system where information is pushed from a GP to relevant people or groups, rather than the current plan for placing everything into one central database from which information is then pulled.

Another clear solution to some of the security issues, according to Allan, would be to appoint someone to be the champion of auditing the system independently. Additionally, such an information commissioner would require proper funding.

"That level of independence needs to be built in somewhere and I'm not aware of it being there," Allan said. "But there is a level of panic within the government about getting the system built at all and I believe there's a fear that such a commissioner would only make it harder to get the job done."

Copyright © 2005 IDG Communications, Inc.