"Fundamentally insecure' NHS IT systems unprepared to share patient records

Published: 25-Jun-2012

White paper reveals privacy breaches will land trusts in hot water unless urgent action is taken

A white paper published this week warns that the success of electronic health records (EHRs) in revolutionising healthcare services across the UK is being threatened by IT systems that are ‘fundamentally insecure’.

The stark warning suggests that the Department of Health’s (DH) newly-launched Information Strategy, which sets out a 10-year plan to give patients full control of their medical records, could lead to the reputation of many health trusts being ruined unless urgent action is taken to improve data security.

Concern is widespread that the large number of high-profile data security breaches in recent years are evidence that the NHS is ill equipped to enter into a new era where patients records are fully accessible online.

In an era where specific consent is increasingly necessary for the collection and use of personal details, patients must have absolute faith that the doctors, nurses and institutions that treat them will protect their information

And the white paper, released this week by data security software supplier, FairWarning, reveals the UK’s plans to bring healthcare into the 21st Century through the use of technology could be scuppered.

Entitled Make of Break – Digital Healthcare and Privacy Reach The Tipping Point , the document was informed by clinicians from 900 hospitals and 2,600 medical centres across Europe, the US and Canada, including a large number of UK NHS trusts.

It provides a fresh perspective on NHS privacy and security and details its importance in the future of patient care.

Speaking to BBH this week, Kurt Long, founder and chief executive of FairWarning, said: “Electronic healthcare is one of the most important advances of our times. Unlike drug discoveries or new surgical techniques, its value is not in the treatment of a specific disease or condition, but as an enabler, transforming how we plan and deliver care to individuals and populations.

“However, EHRs are only as good as the information they hold. Clinicians must have access to all relevant data if they are to provide the best and safest care. And, in an era where specific consent is increasingly necessary for the collection and use of personal details, patients must have absolute faith that the doctors, nurses and institutions that treat them will protect their information. Reputation is a key factor in determining the success of EHRs. Those whose reputations have been tarnished by data breaches could find patients and commissioners less willing to use their services. Lack of trust can also lead to adverse outcomes as patients are less willing to seek timely treatment, or to provide full details of certain conditions.

“In a healthcare market increasingly predicated on patients and choice, and where clinical commissioning groups can make far-reaching decisions over providers, a good reputation is an asset of incomparable value.”

The UK health service is at a tipping point. Enormous and beneficial changes are possible, but their success is threatened because vast quantities of sensitive personal information are being exchanged among large numbers of clinicians and healthcare providers through IT systems which are fundamentally insecure

The release of the paper comes just two weeks after the publication of the DH’s Information Strategy , which outlined an ambitious plan to provide all NHS patients with secure online access to their personal GP records by as early as 2015.

Long said: “The UK health service is at a tipping point. Enormous and beneficial changes are possible, but their success is threatened because vast quantities of sensitive personal information are being exchanged among large numbers of clinicians and healthcare providers through IT systems which are fundamentally insecure.

“The aim of this white paper is to provide a blueprint for NHS data security, examining the privacy issue from the perspective of chief executives, chief information officers, IT managers, security and information governance professionals, clinicians and patients. Overall, it provides an analysis of the problems faced by healthcare providers and clearly articulates a framework for the way forward.”

In a healthcare market increasingly predicated on patients and choice, and where clinical commissioning groups can make far-reaching decisions over providers, a good reputation is an asset of incomparable value

The paper states that the biggest threat is not from lost or stolen laptops, but from staff abusing their legitimate access rights to red electronic records they have no right or clinical justification to see. Recent media reports have revealed staff checking the records of celebrities, members of their family and friends.

The document adds: “Improper accessing of patient records is widespread in the UK and worldwide. It can result in immense harm to the reputation of hospitals, their senior management and their clinicians and cause irreparable damage to patients and their families. Equally it can undermine the trust of patients, and the wider public, in the specific organisation and more generally in electronic health records.”

The main findings from an independent public attitude survey of more than 1,000 people in the UK, include:

  • 86.5% of respondents think a serious breach of personal data would do severe or considerable damage to a hospital’s reputation
  • 61% were worried that a breach could allow their identity to be used to commit fraud or be used by criminals to target them, their family or their home
  • 87.2% agree the NHS should monitor who looks at their files
  • 87.1% agree chief executives and senior management should be sacked or fined if they were aware of risks, but failed to act and there is a serious breach

It highlights the approach of NHS trusts in Scotland, where a nationwide data protection solution has been procured to detect and prevent breaches by staff. The paper reveals England is lagging behind on the issue and is most at risk of failing to recognise and act on the risks. It states: “NHS Scotland has employed a well-planned strategy that combines the use of technology, internal communications and HR management to show staff that breaches can be detected and will not be permitted. Most abuse stops straight away, making way for a stronger culture of respect for privacy. Incidents do continue, but organisations are well equipped to identify and deal with them.

“English hospitals can also look to the successful piloting of privacy software in Wales to see what can be achieved, as well as the examples being set in Canada, France and the USA.

“The uncomfortable alternative, as growing numbers of NHS chief executives and their boards are finding out, is to be forced to act after experiencing the damaging and difficult process of cleaning up after a severe breach."

A breach of the Data Protection Act , for example, recently led to the chief executive of NHS Birmingham North East signing a public undertaking to ensure that adequate technical security measures were put in place to prevent unauthorised access to personal data in the future.

Improper accessing of patient records is widespread in the UK and can result in immense harm to the reputation of hospitals and can undermine the trust of patients in the specific organisation and more generally in electronic health records

And the paper urges trusts not to use a lack of cash as an excuse to cut corners, adding: “Unfortunately the Information Commissioner’s Office fears there is a danger that healthcare organisations could back away from security measures because finances are tight. This is a false economy at a time when patient and commissioner choice is growing and providers must defend their reputations. Those who do not trust an organisation with their data may simply go elsewhere. Similarly, there is an increasing chance that patients could refuse to let organisations hold data about them.

”The success of electronic healthcare also depends heavily on its acceptance by clinicians. There is a real risk that they will block, or back away from, systems they do not trust. This cannot and need not happen, so long as prompt action is taken.”

The paper goes on to set out a blueprint for protection data and uncovering access breaches through a strategy that involves:

  • Running a gap analysis to identify security weaknesses
  • Ensuring that senior management are kept fully and regularly aware of gaps in security, the risks these bring and how they can be dealt with
  • Creating and implementing a written privacy and security plan
  • Targeting the largest areas of vulnerability first
  • Beginning a remediation process – the unannounced introduction of privacy breach detection software to identify the extent and nature of the problem
  • A communications drive to inform staff that monitoring is now taking place, backed with evidence to demonstrate its effectiveness
  • A clear restatement by HR of policies and responsibilities for confidentiality

For this strategy to be effective, it says trusts must give responsibility for data protection to a specific named member of staff, train all staff in privacy issues, insist that vendors supply fully-enabled audit logs with their software, and ensure all information transferable via portable devices is encrypted.

This is an approach that has been welcomed by Debbie Terry, NHS information governance lead at the National Information Governance Board for Health and Adult Social Care. She said: “Standards must be upheld, best practice shared, and improvements made wherever healthcare providers are falling short of these expectations.

In order to be fully transparent and trusted, providers must make sure staff are properly trained in privacy policies and practice

“In order to be fully transparent and trusted, providers must make sure staff are properly trained in privacy policies and practice. Providers also need to make sure their patient record systems are fully secure. In this way they can protect trust and work in partnership with patients to deliver the best possible care.”

And Dr Zafar Chaudry, chief information officer at Liverpool Women’s NHS Foundation Trust and Alder Hey Children’s NHS Foundation Trust, said trusts would need to start copying the stringent security measures implemented across America, where the risk of sanctions has forced major improvements in monitoring.

He said: “I am convinced that early action to introduce effective electronic monitoring of patient records and breach detection is essential. It’s far better to get ahead of the game and be compliant now than to wait for a serious data breach and risk censure by the CIO or fines under the DPA.

My experience shows that this is possible and that by using the appropriate technology the NHS can not only detect and deter data breaches, but can actively strengthen the culture of confidentiality

“Soon there will be a free flow of data between primary, secondary and social care, and beyond, to patients and carers themselves. In this situation I have to be absolutely certain about who is looking at what and whether they are doing so for legitimate reasons.

“Employers, clinicians and the public fully expect that the NHS will do its utmost to keep patient information confidential. In an electronic era much of the responsibility for this rests with the chief information officer. The challenge, however, is to create monitoring systems that are both effective and sustainable. My experience shows that this is possible and that by using the appropriate technology the NHS can not only detect and deter data breaches, but can actively strengthen the culture of confidentiality.”

To read the white paper, click here

You may also like