
It's big and bold, but is it also Big Brother?


The NHS's Care Records System (CRS) is one of three major components of the National Programme for Information Technology. The other two are an appointments scheduling system and a purpose-built backbone network, the N3. The CRS is divided geographically and primary contracts to supply hardware, software and services have been awarded (see table overleaf).

What is the Care Records Service and how is it set up?

NHS spokesman: The NHS Care Records Service relates to all electronic clinical records about a patient. Information will be held in different places including GP systems, acute systems and the Spine. The Spine is a summary of information about a patient and pointers to more detailed information held on local systems.

Ross Anderson: This is subtly misleading. The plan is to move records towards central control, for example by transferring GP records from practice PCs to servers at Primary Care Trusts.

What database engine will the patient record system use, or will there be more than one?

NHS: The main database engine is Oracle.

Anderson: A bit of a giveaway: the present multiplicity of systems use products from just about all vendors you could think of.

What application package(s) will you use?

NHS: NHS CRS comprises a number of elements and a number of different packages will be used. The main ones are: Casenotes, Sun, Calendra, Entrust and SeeBeyond.

Anderson: Ditto. No future then for the half-dozen main suppliers of GP systems, on whose databases are kept the records relating to 90% of all patient encounters. (Note the tension between the answer here and the spin in question 1).

How will initial data be fed into the database?

NHS: The Spine will be fed by specific messages created from the data held on local GP and acute systems.

Anderson: In other words, GP and hospital systems will be modified to send records to the centre. Who will supervise the design and implementation of these changes?

NHS: Details will be inputted onto a patient's NHS Care Record at local level. Summary information, such as allergies, test results or drugs prescribed will be automatically placed on the national record via specific messages sent from the local GP or acute system.

Anderson: So no choice then — if you opt out the data just won't be visible, at least to your carers. It will still be there.

What data scrubbing methods will you use?

NHS: Records will not be data scrubbed as one of the key features of the NHS CRS is that all previous records will be kept. This is vital when dealing with medical records as it is important to be able to see what the old data was, who changed it and when. Data will only be deleted in exceptional circumstances, such as a court order.

Anderson: Exactly. If a future Alastair Campbell wants to see the medical records of a troublesome journalist then they will be there, even if she has opted out in every way possible.

How will patients/doctors/pharmacists identify themselves to the system and how will you verify their identities at take-on and in normal use?

NHS: Care professionals accessing the Care Record will verify a patient's identity through their personal details and their unique NHS number, which will link that particular patient to their record.

Infosecurity Today, September/October 2004 (feature, page 40)

It's big and bold, but is it also Big Brother?

Ian Grant

Britain's 10-year project to create an electronic patient record system for some 50 million people registered on the National Health System is one of the biggest, and at £6.1 billion, one of the most expensive IT projects the world has seen. It is also one of the most controversial, due mainly to perceptions about the vulnerability of patient records to unauthorised access and abuse.

The UK’s National Audit Office has announced that it will investigate the National Programme for IT in the National Health Service, and publish its findings next summer.

Infosecurity Today posed a number of questions about how the NHS plans to capture, clean and safeguard patients' data, and asked a critic of the project, Cambridge University's Ross Anderson, to give his views on the NHS's answers.


NHS staff who will use the CRS will be issued with a smartcard, which will ensure they are authorised to access NHS Care Records. Two factor authentication will be required. Access to the CRS will be role based, and the smartcard will ensure the user is only able to access the particular functions appropriate to their role.

Anderson: So why are they going to insist that every patient carry two or three cards, if your NHS number is all you need (and this number can be looked up by any receptionist from your name, postcode and date of birth?)

What information about the patient's identity and their condition will each party have access to?

NHS: Information will be available on a role based, need to know basis. It will take into account whether the party has a legitimate relationship with the patient and whether the patient has chosen to have some of their information placed in an electronic "sealed envelope".

Every access to a patient's Care Record will be audited with the time, date and identity of the user accessing the record. Audit trails will pick up any suspicious activity, utilising a comprehensive intrusion detection system.

Anderson: ‘Need to know’ was one of the sticking points in the debate between the British Medical Association (BMA) and the Department of Health in the mid-1990s. The DoH insisted on ‘need-to-know’ as it is the bureaucrat who determines need. The BMA and General Medical Council (GMC) insisted on ‘patient consent’ for obvious reasons: even if the bureaucrat claims a need to know, the patient should be able to refuse, and if that causes the world to break, so be it. See who won.

What will you consider normal practice in terms of information availability to: a. Healthcare professionals? b. Healthcare managers? c. Healthcare researchers e.g. epidemiologists? d. Police? e. Other government agencies? f. Insurance companies?

NHS: Only those healthcare professionals who have a specific role relevant to the type of data being accessed will be able to view that personal data. Access to the system and what users can see and update will be determined by the user's role, for example, a receptionist will not have access to clinical information.

Anderson: Well, receptionists often need access to clinical data so they can book the patient into the right clinic, organise repeat prescriptions for signature, and so on. But then, knowledge of actual NHS working practices never was a strong point of the DoH mandarins.

NHS: Clinicians will have access to patient records at the point of care and all access will be fully in accordance with the Data Protection Act and provided in the interest of patient care. Information, for purposes other than direct clinical care, will be provided only in anonymised (or pseudonymised) form, e.g. for statistical research purposes. Access will be fully in accordance with the Data Protection Act.

NPfIT primary contractors

Care Records Service

| Contract | Contractor | Price (£m) | Duration (y) |
|---|---|---|---|
| National application service provider | BT | 620.0 | 10 |
| Local service provider (London) | BT | 996.0 | 10 |
| Local service provider (North-east) | Accenture | 1099.0 | 10 |
| Local service provider (North-west & Midlands) | CSC | 973.0 | 10 |
| Local service provider (Eastern) | Accenture | 934.0 | 10 |
| Local service provider (South) | Fujitsu | 896.0 | 10 |
| New National Network (N3) | BT | 530.0 | 7 |
| Electronic booking | SchlumbergerSema | 64.5 | 5 |
| Total | | 6112.5 | |

Source: Department of Health

Anderson: This isn't an accurate description of current and proposed working practices. For example, the Health Act 2001 gave the DoH the duty to collect all records of cancer sufferers and provide them to researchers in a fully identifiable form. This probably means that if your wife had a positive smear test, her records are sitting at a couple of universities — even if it turned out to be a false alarm.

NHS: The privacy of patients and the interests of those providing care will be further protected by the Data Protection Act 1998, the Human Rights Act 1998 and the common law duty of confidence, particularly as embodied in Caldicott standards and professional ethics.

Anderson: Mealy-mouthed: a lot of effort has gone into drawing the Data Protection Act's fangs on healthcare, and Caldicott was a blatant whitewash.

NHS: The NHS CRS will hold a summary of the patient record at national level and this will be available whenever and wherever the patient presents themselves for care or treatment in England. More details and essential information will be held at a local level across health communities. All information is subject to the same high standards of security.

Anderson: I wouldn't describe them as ‘high’. They may spend money, sure; but the access policies and the system architecture are quite wrong from the viewpoint of patient privacy.

What procedures will you have for patients to view their records/to correct errors?

NHS: In the future it is intended that patients will be able to view their NHS Care Record via Health Space. However, the details of how this will be implemented or a timescale are yet to be finalised.

Anderson: Exactly — left for version 3, as Microsoft might put it.

What recourse will patients have if the confidentiality of their records is compromised?

NHS: If an NHS organisation realises that a breach of confidentiality has occurred, they are obliged to inform the patient. Therefore, if it comes to the attention of a privacy officer that a serious breach of confidentiality has occurred, the patient will be notified.

Anderson: Define ‘serious’, and then tell me how the incentives here are supposed to work.

NHS: If the patient requires an explanation and to prevent it happening again or to others, the patient can bring a complaint through the normal complaints procedure, first to the NHS organisation itself and, if not resolved, to the second stage which is an independent review by the Healthcare Commission.

Anderson: Community Health Councils (CHCs) were abolished (in 2001) because they provided a more effective means of complaint than the mandarins were comfortable with.*

NHS: If the patient wishes to treat it purely as a data protection issue, they can complain to the Information Commissioner.

Anderson: The Information Commissioner has a history of doing nothing, even when the Foundation for Information Policy Research (FIPR) has forcefully brought complaints of serious health privacy abuse, backed up with detailed evidence.

NHS: We will be asking the Healthcare Commission to monitor how well the new reformed complaints procedure handles complaints relating to the use of patient information to ensure that no further measures are needed.

Anderson: A wonderfully Orwellian statement.

Footnote

* In September 2000 Donna Covey, director of the Association of Community Health Councils for England and Wales (ACHCEW), wrote in The Guardian "The self-congratulatory fanfare announcing the launch of the national plan for the NHS has overshadowed real concerns about accountability."


NHS workers on the frontline