Explore the history of NHS IT and its impact on safety and privacy, from the struggle over medical records to the expansion into child and elder care. Discover the risks and potential consequences of centralized data management.
The safety and privacy effects of NHS IT
Ross Anderson
Cambridge University and Foundation for Information Policy Research

The Story so Far …
• 1910 – struggle over who owns medical records led to Lloyd George envelope
• 1992 – IM&T strategy ‘a single electronic health record available to all throughout the NHS’
• BMA resistance 95–6 once we realised what this meant; ‘Security in Clinical Information Systems’
• Calman sets up the Caldicott Committee to postpone the issue past the 1997 election
• Caldicott documents many illegal information flows; HSCA s60 allows SS to legalise them

The Story so Far (2)
• ‘Pretexting’ cost Hewlett-Packard chair her job
• Look back at January 1996 – Anderson RJ, ‘Clinical System Security - Interim Guidelines’ BMJ 312.7023 pp 109-111
• N Yorks HA pilot – staff trained by Alan Hassey to log info requests, get them signed off, and call back to a number you can check independently
• We detected 30 false-pretext calls per week!
• We asked DoH to roll this protocol out nationwide – instead, NYHA were told to stop it!

The Story so Far (3)
• ‘Blair moment’ in 2002 – ‘Tony wants’
• The 1990s vision of the big central database is dusted off – NPfIT, CfH,…
• Government really believes this is working and they now plan to roll out the same architecture to childcare, elder care, …
• What are the implications for clinical safety and privacy?

Issues of Scale
• You can have functionality, or security, or scale. With good engineering you can have any two of these
• We can live with the risks of a receptionist having access to the 6000 records in a practice – but if 20,000 receptionists have access to 60,000,000 records?
• Secondary Uses Service will run unprotected for years – with a pious hope of eventual pseudonymisation
• Blair philosophy is now that data will be accessible (MISC 31, ‘Information Sharing Vision’)
• Misuse will be punished – pretexters will be liable for prison, though not careless HA staff (DCA CP 9/06)

Centralisation and Safety
• First hospital to be ‘rolled out’ was the Nuffield Orthopaedic NHS Trust in Oxford
• Old system – X-ray goes from radiology to theatre as a physical object
• New system – it’s an electronic object sitting on a remote server
• Power failure at server – no operations
• Since then, a comms failure in NW
• The Internet is now a safety-critical system!

Helen Wilkinson’s case
• Helen is a practice manager in High Wycombe
• Wrongly listed as a patient of an alcohol treatment centre
• She demanded the data be corrected or removed - officials wouldn’t / couldn’t
• Caroline Flint promised Parliament it had been done
• It hasn’t – and the story continues…

Extending NPfIT to Kids
• ‘Every Child Matters’ white paper (2003)
• Children Act 2004 provided powers
• Information to be shared between schools, police, social workers, probation, doctors…
• The ‘SCR’ is ISA – the Information Sharing and Assessment system – which points to all services interested in your child
• So schoolteachers will know if a child is known to social workers / police
• IC study by FIPR (due for release real soon …)

Political Aspects
• UK law and practice are increasingly at odds with European law and with the practice in Germany, France etc
• Comment by one observer: UK is on a collision course with Europe
• Eventually something will have to give. Will it be Britain’s EU membership, the German constitution, or what?

Conclusions
• The approach to personal data management that mutated from the IM&T strategy into the ICRS Spec into NPfIT is undergoing metastasis
• Secondaries are now growing vigorously in child welfare, with more planned for elder care etc
• If safety and privacy problems can’t be tackled honestly in medicine, what hope have the social workers got?
• Maybe the best hope is a European law case