Whitehall officials strongly defend the security of the large centralised database that is being built as part of the Care Records Service of the National Programme for IT [NPfIT]. NHS Connecting for Health, which runs a major part of the NPfIT, points out that nobody can access it without leaving a trace in the audit trail. But who is going to police the audit trail in a busy NHS? And what if nobody polices it even if they’re supposed to?
This is what we have been saying all along.
Perhaps disciplinary action can be taken against misuses of the database, but by then it may be too late to protect the confidentiality of personal data. If the security at a local GP practice is breached, it will not affect huge numbers of files. But a national database will contain millions of records.
Precisely. And everyone who works on building this system knows this. You need to remove your data from your GP's computer as a matter of urgency. Let's say (for the sake of argument) that the spine upload will be made from the latest backup set; if you delete now, long before the update, you will be left out of the upload.
This is one of the lessons of the lapse of security at the Department of Veterans Affairs. It is one of the few healthcare organisations in the world that has very large centralised and regional databases of medical records. So an apparent minor lapse of security can have major implications.
The disappearance of one external hard drive – the sort one can buy in PC World for about £100 – contained 1.3 million sensitive medical records.
In England a loss on this scale could not happen with a breach of security at a GP practice. But the NPfIT’s Care Records Service is due to store 50 million patient records.
Just like ‘Frances Stonor Saunders’ said, “These databases, which can easily fit on a storage device the size of your hand…”. All it takes is for one leak to happen for the whole system to be compromised. Now imagine trying to cobble together a database of all the NHS patients in the UK by compromising each GP's office one at a time. It would be hugely expensive, take years, and you would probably get caught. Thankfully the government is making it easy for criminals to get the job done; they are putting it all in one place for you!
The Department of Veterans Affairs had a general policy of encrypting patient data so that if it were to go missing it could not easily be read. But the controls were not applied properly.
Even if they were encrypted, all that means is that a disc removed without taking the decrypting keys would be useless. A clever person would take the drive and make sure she had the decrypting keys too. It also doesn’t stop people copying entries on a ‘to order’ basis, something particularly sinister when you think about what ContactPoint holds: DATA ON CHILDREN.
Could the same happen in England?
Could? Lapses, leaks, abuse and thefts have already happened in the UK. Use the Google!
a) In the NHS, password sharing is endemic and doctors do not always have the time to log on and off computers to protect the integrity of the system.
And there you have it: password sharing is ‘ENDEMIC’: “characteristic of or prevalent in a particular field, area, or environment”. That means that it is in the nature of the NHS environment to share passwords. When they get a hold of ContactPoint access, they will not suddenly change their behavior.
b) If national systems are made too secure doctors and nurses will not use them.
Makes sense; in order for something to be useful, you have to be able to use it without having to think about it.
c) It’s unclear whether the Department of Health will provide enough funds to ensure that money and staff are available to police rigorously the audit trails of the Care Records Service, if such a national system works.
Exactly. There are not enough people to watch the 330,000 people who will be making millions of accesses per week on ContactPoint. Trying to find instances of abuse will be like looking for a needle in a haystack, and when we talk of ‘instances of abuse’ we mean paedophiles getting a hold of a child in the worst case scenario.
Perhaps these matters should have been discussed openly and honestly before the NPfIT was announced in early 2002.
Perhaps the whole idea should be scrapped? And by whole idea I mean the NIR, ContactPoint and the NHS Spine.