110 likes | 213 Views
The safety and privacy effects of NHS IT. Ross Anderson Cambridge University and Foundation for Information Policy Research. The Story so Far …. 1910 – struggle over who owns medical records led to Lloyd George envelope
E N D
The safety and privacy effects of NHS IT Ross Anderson Cambridge University and Foundation for Information Policy Research
The Story so Far … • 1910 – struggle over who owns medical records led to Lloyd George envelope • 1992 – IM&T strategy ‘a single electronic health record available to all throughout the NHS’ • BMA resistance 95–6 once we realised what this meant; ‘Security in Clinical Information Systems’ • Calman sets up the Caldicott Committee to postpone the issue past the 1997 election • Caldicott documents many illegal information flows; HSCA s60 allows SS to legalise them
The Story so Far (2) • ‘Pretexting’ cost Hewlett-Packard chair her job • Look back at January 1996 – Anderson RJ, ‘Clinical System Security - Interim Guidelines’ BMJ 312.7023 pp 109-111 • N Yorks HA pilot – staff trained by Alan Hassey to log info requests, get them signed off, and call back to a number you can check independently • We detected 30 false-pretext calls per week! • We asked DoH to roll this protocol out nationwide – instead, NYHA were told to stop it!
The Story so Far (3) • ‘Blair moment’ in 2002 – ‘Tony wants’ • The 1990s vision of the big central database is dusted off – NPfIT, CfH,… • Government really believes this is working and they now plan to roll out the same architecture to childcare, elder care, … • What are the implications for clinical safety and privacy?
Issues of Scale • You can have functionality, or security, or scale. With good engineering you can have any two of these • We can live with the risks of a receptionist having access to the 6000 records in a practice – but if 20,000 receptionists have access to 60,000,000 records? • Secondary Uses Service will run unprotected for years – with a pious hope of eventual pseudonymisation • Blair philosophy is now that data will be accessible (MISC 31, ‘Information Sharing Vision’) • Misuse will be punished – pretexters will be liable for prison, though not careless HA staff (DCA CP 9/06)
Centralisation and Safety • First hospital to be ‘rolled out’ was the Nuffield Orthopaedic NHS Trust in Oxford • Old system – X-ray goes from radiology to theatre as a physical object • New system – it’s an electronic object sitting on a remote server • Power failure at server – no operations • Since then, a comms failure in NW • The Internet is now a safety-critical system!
Helen Wilkinson’s case • Helen is a practice manager in High Wycombe • Wrongly listed as a patient of an alcohol treatment centre • She demanded the data be corrected or removed - officials wouldn’t / couldn’t • Caroline Flint promised Parliament it had been done • It hasn’t – and the story continues…
Extending NPfIT to Kids • ‘Every Child Matters’ white paper (2003) • Children Act 2004 provided powers • Information to be shared between schools, police, social workers, probation, doctors… • The ‘SCR’ is ISA – the Information Sharing and Assessment system – which points to all services interested in your child • So schoolteachers will know if a child is known to social workers / police • IC study by FIPR (due for release real soon …)
Political Aspects • UK law and practice are increasingly at odds with European law and with the practice in Germany, France etc • Comment by one observer: UK is on a collision course with Europe • Eventually something will have to give. Will it be Britain’s EU membership, the German constitution, or what?
Conclusions • The approach to personal data management that mutated from the IM&T strategy into the ICRS Spec into NPfIT is undergoing metastasis • Secondaries are now growing vigorously in child welfare, with more planned for elder care etc • If safety and privacy problems can’t be tackled honestly in medicine, what hope have the social workers got? • Maybe the best hope is a European law case