Analysis: Will the electronic NHS really be secure?

IN THE next few weeks, the National Health Service will award a contract for a major project that few people beyond a small tribe of NHS IT experts will have heard of.

Yet the battle that threatens to explode around the NHS Strategic Tracing Service represents the single most dangerous threat to the government?s #1 billion plan to computerise the NHS.

One of the three hopefuls ? IBM, HBOC or Sema ? will build the most comprehensive medical database of the British population.

Dr Fleur Fisher, former head of ethics at the British Medical Association (BMA), described the service as ?a major issue that needs public discussion?.

She said: ?The tracing service represents an enormous shift for the NHS ? it sets up a national register of people where one has never existed before.?

The heart of the issue is the confidentiality of medical records.

The relentless collection and resale of personal data by banks, supermarkets, and marketeers, and the increasing sophisticated way this data is analysed, has long since ceased to shock the public. But medical records are more personal than your favourite brand of cheese.

Trefor Morris, a GP and a co-author of a forthcoming British Medical Journal article on the issue, said: ?If the security and confidentiality of the system isn?t credible, then doctors will start to boycott it. If that happens, I would advise people I know not to use it.?

So what?s causing all the fuss? Today, very little medical data flows between GPs and hospitals. When data is shared, the preferred network is still the post or fax.

The inefficiency is obvious, but its inherent security is an advantage. It?s not easy to find a celebrity?s medical record in a storeroom ? even if you know where the storeroom is. And there are no databases which an insurance company could access to identify the country?s HIV-positives.

The tracing service will be the most complete database of every man, woman and child in the UK. It will list everybody?s recent and current address, the name of their GP and health authority, and their NHS number.

Chichester GP and BMA technology spokesman Grant Kelly said: ?It?s an effective building block for a national identity card scheme.?

It is also a core building block in the NHS?s seven-year IT strategy unveiled in September. The tracing service acts as a glue which makes the central long-term goal of the strategy possible. That goal is the creation of personal ?electronic health records? by 2005.

To make that possible each person?s records need to be uniquely identified, avoiding any confusion between John Smiths. That will be done by using patients? existing NHS numbers, which are unique personal identifiers. The NHS numbers also allow records to be identified anonymously, providing a basic degree of security.

But the numbers need to be linked ? or ?traced? in the NHS jargon ? to people and vice versa. That?s the purpose of the tracing service, which is in effect a vast look-up table.

It will enable GPs to send requests for tests to hospitals using an NHS number. A hospital can carry out a test and send back the results without any hacker or snoop knowing the individual?s identity, unless, of course, they can match a number to a name by using the tracing service. The tracing service will also allow GPs to swap basic patient information, and obtain a person?s medical records if they change doctor.

The idea of the tracing service has been around since 1991. Its development (see box) has been a model of delay and confusion. So far its chief product has been software that will almost certainly be dropped by whichever IT supplier is awarded the project contract.

Ironically, what ensures the survival of the system is a row about the confidentiality of medical data between the BMA and the NHS Executive. The BMA is concerned about the amount of medical data that has a patient?s name and address attached to it, as well as the general accessibility and aggregation of personal health information.

The fight was supposed to have ended last December when the Caldicott committee issued its review of the management of patient-identifiable information.

The review established three key points about data handling. Data must be anonymous, and strict protocols must ensure authorised access only. These two conditions are to be ensured by a data ?guardian? in each health organisation ? a local senior ?health professional?.

Buttressed by the Caldicott principles, the tracing service sounds rather innocuous. But critics fear that it will break the Caldicott rules and open up doctor-patient relationships to prying eyes.

The sheer number of medical professionals who will be able to access the system causes alarm. The complex access control proposals already drawn up by the NHS Executive confirm that a large number of professionals will need to access the tracing service, from GPs through to clinical and hospital staff.

Ross Anderson, a Cambridge University security expert and former technology advisor to the BMA, uses colourful language in his attack on the tracing service.

?It is likely that some NHS staff will be corrupted or simply misled into providing information, and as a result this database will become open to private detectives, stalkers, sex abusers and even foreign intelligence agencies,? he said.

Other more mundane organisations interested in medical data would be insurance companies and banks, keen to limit lending exposure to cancer sufferers or those tested HIV-positive.

The easy answer is to tightly control access to the tracing service. This would be done through strict contractual controls and the input of an independent management board responsible for security issues.

Frank Burns, author of the NHS IT strategy document, stresses the importance of access control: ?There is no assumption that any clinician will have the right of access to any record,? he says.

The problem is that complex bureaucratic controls requiring personal intervention defeat the purpose of the tracing service which is to increase efficiency. And other databases such as the Police National Computer are governed by tight access controls, yet information routinely slips out to people who shouldn?t have it.

In response, NHS officials say that there is no clinical information held as part of the tracing service. After all, it?s just a very big list. While that is true, unauthorised access to the system will compromise the security of supposedly anonymous clinical data held by the NHS.

The final concern is ?function creep?. A database so useful ? this will be the only database that will give an up-to-date address for everyone in the UK ? is bound to be used for other things. The function creep may also extend to clinical information ? particularly after the first tracing service contract ends, which is expected to happen in around eight years, according to one bidder.

What then? Given the NHS?s strategic goal to create a single health record for each patient, it would be easy to argue that the data should actually be stored in the tracing service, or at least logically stored there by means of a database link.

Paul Goss, analyst with health IT consultancy Silicon Bridge Research, said: ?When electronic health records are so important to the overall IT strategy, you start to see the temptations in extending the tracing service.?

Real-time access to medical records isn?t actually necessary. Fisher says: ?There?s virtually no casualty situation in which immediate access to a person?s medical records is required. Sufferers of ailments where it is ? such as diabetes ? carry cards or SOS bracelets anyway.?

Behind this lies a deeper question: who owns your medical record in the information age? Today, it is the property of clinicians. Tomorrow?s patients, who will be used to owning smartcards which store data, may think otherwise. It?s a question that NHS strategists have deferred until the next IT strategy is produced sometime in 2004.

Encryption could provide a comfort blanket, but the government?s imminent Secure Electronic Commerce bill is expected to enforce key escrow ? mechanisms allowing police to tap into data which would otherwise have been locked up with unbreakable encryption. There is no specific medical exemption planned.

A true solution is most likely to be reached by strictly limiting the access and scope of the tracing service. Until that happens, it?s no wonder that doctors who understand IT are edgy. One can only speculate how the public would react if they find computerising medical records has made the NHS more efficient, but also made their data less secure.

As GP Trefor Morris said: ?People already choose not to have their names on databases such as the electoral register. I?d be very concerned if people stopped registering with a doctor because they were afraid where the data might go.?

Tracing service: A long and troubled history

April 1991 NHS internal market launched, creating the need to collect data on individual ?episodes of care? December 1992 The NHS ?Administrative Register? (AR) announced as part of a five-year information management and technology strategy. AR scheduled to launch in 1995 1996 An NHS number for every patient introduced May 1996 NHS Executive finally invite bids to manage AR, describing it as ?a key part of the infrastructure of NHS information systems?. It was to hold data relating to people (name, date of birth, NHS number) and details of NHS organisations responsible for treatment. The system now scheduled to launch in April 1997 April 1997 Project relaunched as ?the NHS Number and Tracing Service Programme? September 1998 New NHS IT strategy launched, its key goal to create electronic health records November 1998 Contract still unawarded ? remaining bidders are IBM, Sema and HBOC