The NHS's Care Records System (CRS) is one of three major
components of the National Programme for Information
Technology. The other two are an appointments scheduling system
and a purpose-built backbone network, the N3. The CRS is
divided geographically and primary contracts to supply hardware,
software and services have been awarded (see table overleaf).
What is the Care Records Service and how is it set up?
NHS spokesman: The NHS Care Records Service relates to all
electronic clinical records about a patient. Information will be held
in different places including GP systems, acute systems and the
Spine. The Spine is a summary of information about a patient and
pointers to more detailed information held on local systems.
Ross Anderson: This is subtly misleading. The plan is to move
records towards central control, for example by transferring GP
records from practice PCs to servers at Primary Care Trusts.
What database engine will the patient record system use, or will there be more than one?
NHS: The main database engine is Oracle.
Anderson: A bit of a giveaway: the present multiplicity of
systems use products from just about all vendors you could think
of.
What application package(s) will you use?
NHS: NHS CRS comprises a number of elements and a number
of different packages will be used. The main ones are: Casenotes,
Sun, Calendra, Entrust and SeeBeyond.
Anderson: Ditto. No future then for the half-dozen main
suppliers of GP systems, on whose databases are kept the records
relating to 90% of all patient encounters. (Note the tension
between the answer here and the spin in question 1).
How will initial data be fed into the database?
NHS: The Spine will be fed by specific messages created from
the data held on local GP and acute systems.
Anderson: In other words, GP and hospital systems will be
modified to send records to the centre. Who will supervise the
design and implementation of these changes?
NHS: Details will be inputted onto a patient's NHS Care Record
at local level. Summary information, such as allergies, test results
or drugs prescribed will be automatically placed on the national
record via specific messages sent from the local GP or acute
system.
Anderson: So no choice then — if you opt out the data just
won't be visible, at least to your carers. It will still be there.
What data scrubbing methods will you use?
NHS: Records will not be data scrubbed as one of the key
features of the NHS CRS is that all previous records will be kept.
This is vital when dealing with medical records as it is important
to be able to see what the old data was, who changed it and when.
Data will only be deleted in exceptional circumstances, such as a
court order.
Anderson: Exactly. If a future Alastair Campbell wants to see
the medical records of a troublesome journalist then they will be
there, even if she has opted out in every way possible.
How will patients/doctors/pharmacists identify themselves to the system and how will you verify their identities at take-on and in normal use?
NHS: Care professionals accessing the Care Record will verify a
patient's identity through their personal details and their unique
NHS number, which will link that particular patient to their
record.
It's big and bold, but is it also Big Brother?
Ian Grant
Infosecurity Today, September/October 2004
Britain's 10-year project to create an electronic patient record system for some 50 million people registered on the National Health System is one of the biggest, and at £6.1 billion, one of the most expensive IT projects the world has seen. It is also one of the most controversial, due mainly to perceptions about the vulnerability of patient records to unauthorised access and abuse.
The UK’s National Audit Office has announced that it will investigate the National Programme for IT in the National Health Service, and publish its findings next summer.
Infosecurity Today posed a number of questions about how the NHS plans to capture, clean and safeguard patients' data, and asked a critic of the project, Cambridge University's Ross Anderson, to give his views on the NHS's answers.
NHS staff who will use the CRS will be issued with a smartcard,
which will ensure they are authorised to access NHS Care Records.
Two factor authentication will be required. Access to the CRS will
be role based, and the smartcard will ensure the user is only able
to access the particular functions appropriate to their role.
Anderson: So why are they going to insist that every patient
carry two or three cards, if your NHS number is all you need (and
this number can be looked up by any receptionist from your name,
postcode and date of birth?)
What information about the patient's identity and their condition will each party have access to?
NHS: Information will be available on a role based, need to
know basis. It will take into account whether the party has a
legitimate relationship with the patient and whether the patient
has chosen to have some of their information placed in an
electronic "sealed envelope".
Every access to a patient's Care Record will be audited with the
time, date and identity of the user accessing the record. Audit trails
will pick up any suspicious activity, utilising a comprehensive
intrusion detection system.
Anderson: ‘Need to know’ was one of the sticking points in the
debate between the British Medical Association (BMA) and the
Department of Health in the mid-1990s. The DoH insisted on
‘need-to-know’ as it is the bureaucrat who determines need. The
BMA and General Medical Council (GMC) insisted on ‘patient
consent’ for obvious reasons: even if the bureaucrat claims a need
to know, the patient should be able to refuse, and if that causes the
world to break, so be it. See who won.
What will you consider normal practice in terms of information availability to: a. Healthcare professionals? b. Healthcare managers? c. Healthcare researchers e.g. epidemiologists? d. Police? e. Other government agencies? f. Insurance companies?
NHS: Only those healthcare professionals who have a specific
role relevant to the type of data being accessed will be able to view
that personal data. Access to the system and what users can see
and update will be determined by the user's role, for example, a
receptionist will not have access to clinical information.
Anderson: Well, receptionists often need access to clinical data
so they can book the patient into the right clinic, organise repeat
prescriptions for signature, and so on. But then, knowledge of
actual NHS working practices never was a strong point of the
DoH mandarins.
NHS: Clinicians will have access to patient records at the point
of care and all access will be fully in accordance with the Data
Protection Act and provided in the interest of patient care.
Information, for purposes other than direct clinical care, will be
provided only in anonymised (or pseudonymised) form, e.g. for
statistical research purposes. Access will be fully in accordance
with the Data Protection Act.
NPfIT primary contractors
Care Records Service
Contract                                        Contractor        Price (£m)  Duration (y)
National application service provider           BT                620.0       10
Local service provider (London)                 BT                996.0       10
Local service provider (North-east)             Accenture         1099.0      10
Local service provider (North-west & Midlands)  CSC               973.0       10
Local service provider (Eastern)                Accenture         934.0       10
Local service provider (South)                  Fujitsu           896.0       10
New National Network (N3)                       BT                530.0       7
Electronic booking                              SchlumbergerSema  64.5        5
Total                                                             6112.5
Source: Department of Health
Anderson: This isn't an accurate description of current and
proposed working practices. For example, the Health Act 2001
gave the DoH the duty to collect all records of cancer sufferers and
provide them to researchers in a fully identifiable form. This
probably means that if your wife had a positive smear test, her
records are sitting at a couple of universities — even if it turned
out to be a false alarm.
NHS: The privacy of patients and the interests of those
providing care will be further protected by the Data Protection Act
1998, the Human Rights Act 1998 and the common law duty of
confidence, particularly as embodied in Caldicott standards and
professional ethics.
Anderson: Mealy-mouthed: a lot of effort has gone into drawing
the Data Protection Act's fangs on healthcare, and Caldicott was a
blatant whitewash.
NHS: The NHS CRS will hold a summary of the patient record
at national level and this will be available whenever and wherever
the patient presents themselves for care or treatment in England.
More details and essential information will be held at a local level
across health communities. All information is subject to the same
high standards of security.
Anderson: I wouldn't describe them as ‘high’. They may spend
money, sure; but the access policies and the system architecture are
quite wrong from the viewpoint of patient privacy.
What procedures will you have for patients to view their records/to correct errors?
NHS: In the future it is intended that patients will be able to
view their NHS Care Record via Health Space. However, the
details of how this will be implemented or a timescale are yet to be
finalised.
Anderson: Exactly — left for version 3, as Microsoft might put it.
What recourse will patients have if the confidentiality of their records is compromised?
NHS: If an NHS organisation realises that a breach of
confidentiality has occurred, they are obliged to inform the
patient. Therefore, if it comes to the attention of a privacy officer
that a serious breach of confidentiality has occurred, the patient
will be notified.
Anderson: Define ‘serious’, and then tell me how the incentives
here are supposed to work.
NHS: If the patient requires an explanation and to prevent it
happening again or to others, the patient can bring a complaint
through the normal complaints procedure, first to the NHS
organisation itself and, if not resolved, to the second stage which
is an independent review by the Healthcare Commission.
Anderson: Community Health Councils (CHCs) were abolished
(in 2001) because they provided a more effective means of
complaint than the mandarins were comfortable with.*
NHS: If the patient wishes to treat it purely as a data protection
issue, they can complain to the Information Commissioner.
Anderson: The Information Commissioner has a history of
doing nothing, even when the Foundation for Information Policy
Research (FIPR) has forcefully brought complaints of serious
health privacy abuse, backed up with detailed evidence.
NHS: We will be asking the Healthcare Commission to monitor
how well the new reformed complaints procedure handles
complaints relating to the use of patient information to ensure
that no further measures are needed.
Anderson: A wonderfully Orwellian statement.
Footnote
* In September 2000 Donna Covey, director of the Association of
Community Health Councils for England and Wales
(ACHCEW), wrote in The Guardian "The self-congratulatory
fanfare announcing the launch of the national plan for the NHS
has overshadowed real concerns about accountability."
NHS workers on the frontline