http://www.pulsetoday.co.uk/story.asp?sectioncode=35&storycode=4123229&c=1
A massive security loophole in an NHS database containing the addresses and personal details of millions of patients was exposed this week, after a senior GP successfully accessed the personal data of patients at other practices without being detected.

NHS bosses have admitted they have no idea how many inappropriate or unauthorised accesses there could have been to the Personal Demographics Service, a national electronic database which contains demographic information such as the name, address, date of birth, NHS number and contact information on almost every patient in the country.

Dr Paul Golik, secretary of North Staffordshire LMC and a GP in Norton-in-the-Moors, Stoke on Trent, highlighted the concerns after a patient asked about NHS IT security, and Dr Golik discovered it was possible to access his own demographic record even though he was registered at another practice.

Dr Golik subsequently accessed the personal details of a number of other patients registered elsewhere, including, with their consent, staff at his practice – all without being detected.

And while no clinical information is contained in the Personal Demographics Service, Dr Golik said he was ‘appalled’ that such information was at the fingertips of tens of thousands of NHS staff with smartcard access.

(This what the good doctor could get access to:

NHS Number – The unique patient identifier

Patient Name Including any previous names, aliases and preferred name, e.g. Chris rather than Christopher

Date of birth – The patient’s date of birth. Get more information on new births and the PDS

Place of Birth – The patient’s place of birth

Additional birth information – The delivery time and birth order for multiple births

Date of death – The patient’s date of death. Get more information on recording deaths on the PDS

Death notification status – Indicates a formal death certificate has been issued for the patient and the death has been registered

Gender – Administrative gender

Address – Includes main, temporary and correspondence addresses

Alternative contacts – The patient’s legal guardian, proxy, family/close contact

Telecommunication contact details – Contact details such as telephone number, fax number and email address

Preferred contact times – Patient’s preferred contact times

Preferred contact method – The patient’s preferred contact method, e.g. telephone contact by proxy, no telephone contact, sign language required in face to face contact or minicom

Preferred written communication format – Specialised patient contact requirements, e.g. large print, Braille, audio tape

Preferred language – Information on patient’s preferred language of communication

Interpreter required – Indicates that the patient requires an interpreter

NHS Care Record consent to share status – Indicates that the patient has agreed to share their health record

Nominated dispensing contractor* – The patient’s nominated dispensing contractor that could include a community pharmacy, dispensing appliance contractor and a dispensing doctor.

Reason for Removal – Indicates that the patient is not registered with a GP

Previous NHS contact indicator – Indicates that the patient confirms they have had previous NHS treatment. This allows the PDS National Back Office to check for a duplicate of a record

Patient call-back consent status – Indicates that the patient is willing to be called back from a Choose & Book call-centre

Shared secret – An encrypted password used to validate a patient’s identity when contacted from a Choose & Book call-centre

Sensitive record indicator – Indicates that either the record is not accessible to PDS users or that the content of the record is being reviewed to ensure the data is correct

Primary Care – The GP Practice with whom the patient is registered

Date of Registration – The date the patient registered with the GP Practice

Back office location – The back office location associated with the GP Practice where the patient is registered, used for the administration of primary care

Serial change number – The mechanism for synchronising local and national records

HealthSpace status – Indicates that the patient is registered to use HealthSpace

NHAIS Information – The PDS holds certain information to allow it to interact with the NHAIS system that administers primary care. This information is not routinely accessible by the NHS

from NHS Connecting for Health

http://www.connectingforhealth.nhs.uk/systemsandservices/demographics/pds/contents/index_html

Royal Berkshire NHS Foundation Trust has handed redundancy notices to its entire electronic patient record team as it prepares to implement a Cerner system with University of Pittsburgh Medical Centre.

Royal Berkshire broke away from the National Programme for IT in the NHS to do the deal with UPMC, which is already delivering a Cerner system to Newcastle Hospitals NHS Foundation Trust.

It said it could not wait for the national programme, which has been without a local service provider for the South cluster since Fujitsu exited in May 2008.

Contracting out much reponsibility whether witin the Uk or eslewhere has been quite a hallmark of the last decade+, and accelerated under the present Gov’t. So there’s no question of principle here, surely.

Current data storage contracts that the NHS has are with private suppliers – most if not all – and the network is run by another privat(ised) company – BT – over which all that data passes, or is intended to pass. In an IP environment that can of course be routed anywhere around the world – in a helluva big cloud .

I’ll paraphrase some other general, and often made but repeatable for all that, comments:

I can contract with an offshore company to store my data and it will therefore have responsibilities directly to me.

If my data is shared or passed to a third party whether on or off-shore, by someone or organisation that purports to own it, I have no control, and there may be incentives on both to evade domestic data protection.

Companies, especially tho’ they are not alone big US corps.,, are subject to pressure from their shareholders, gov’ts and theirs agencies within whose jurisdiction they operate, and from competitors.

Just bear in mind what happened when Facebook was suspected of playing dodgy games over customers’ rights.
There is a change detectable in views on protection of data, and individual privacy, not least in the Western world.

There is increasing competition in commercial applications and services for secure on and offshore data storage with encrypted data and access mechanisms so that increasingly intrusive governments and their agencies, and hostile governments, and indeed commercial interests, can be kept out.

In the consumer area Googlemail/Gmail is considering an encrypted interface as the default setting. Microsoft and others are building secure(r) access allows anonymous authentication, isolsated verification of specific facts and even double-blind calculations.

Government (and it has to be said the politicians advised by the civil servants relying on the consultant/salespeople on behalf of the vednors) is still in the 1960s, at best. Its core administrative concepts date back to the 19th century, and its socio-economic views from the 1930s.

Only the spin is modern.

1. Giving patients absolute control over their health records as Google health does and abolishing NHS health records departments is not a good idea. I am all for people having increased access to their records but in no way should individuals be able to decide what to include or not include in their records. This would not be good for patients care nor the general health system. There is also the case that medicl records are used a lot in medical research. A central record should be maintained by the NHS.

2. The idea of outsourcing has been positioned as a cost saving measure. While abolishing medical records departments would save money, this as I have said is not a good idea. The NHS national IT programme includes provision for giving people access to their health records through an online portal however I believe this does not represent a significant portion of NPfIT’s budget. But Googles and Microsofts functionality could be useful additions. An important point here is google health and such formats rely on digital records and it is this the implementation of digital records and associated software with NHS Trusts that has cost a lot of money in the NHS and these will always be needed as trusts and GP’s will have to record patients history either for a central record or to just make available to patients to access on Google Health.

3. Another significant cost perhaps not even included in NPfIT’s budget is the digitisation of historical medical records i.e. those created and updated before digital records are implemented. This could potentially be a significant cost pressure that Google or Microsoft would not alleviate. Digitisation of historical records is essential for improved service to patients and increased efficiencies in the NHS.

In short I do not think what I understand of David Cameron’s idea will save much money for the NHS, could create a lot of problems if a central record was not maintained. I do welcome the functionality googles and the likes could bring to giving people greater access to their information and using it to link up with pharmacies or share with carers etc.

At least companies like Amazon, Google and Microsoft can build a large complicated database on budget and on time.

We would of course need a secure open standard way of interchaging our data and for exchanging ‘consents’.

The NHS PfIT has been a disaster start to finish, with most IT Professionals looking on with a combination of abject horror and sheer bemusement and the figures and timescales quoted at each stage of the way. It looks even worse when you consider that by necessity in the US (thanks to having many different healthcare providers), electronic interchange of health records (controlled by the patient) has been a reality for some time now.

The proposal isn’t just bringing in Google or Microsoft, individually, to handle records management. It’s the idea that it could be both, and others too, allowing you some degree of choice, promoting some kind of competition, and crucially, avoiding the risks inherent in a single national database.

This is a question of trust. People don’t trust government IT projects – not without justification, it must be said. But look at the brand research: Google, Microsoft and Bupa are consistently in the Top 10 most trusted brands in the UK. (Note: new Superbrands report next week.)

Personally I don’t have a problem with personal data like this being ‘in the cloud’. All my money is already ‘in the cloud’. My mortgage too. We have a small number of data stores (ie banks), and a system for exchanging data (ie cash transactions) between them. I choose the bank which I trust most, which gives me the best deal, the greatest convenience, the best customer service.

The modern world is all the better for the growth of electronic money transfer. We’ll reap the same benefits if, or when, we crack the problem of identity management. The answer has to be a federated system… and maybe this is the start of it.