Select Committee on Health Written Evidence


Evidence submitted by BT (EPR 51)

EXECUTIVE SUMMARY

  The National Programme for IT (NPfIT) embraces a number of initiatives to bring modern computing to the operation of the NHS as a means of improving patient experience. BT has responsibility for two components of the system which delivers the electronic patient record; N3—the Virtual Private Network (VPN) for the electronic patient records, and the National Data Spine (Spine)—the summary data of every patient record in the UK. The Committee's Inquiry and our submission focus on the Spine programme.

  The foundations of the NPfIT system provided by BT are now built, operating and are secure. Culturally integrating these systems so they become second nature for NHS staff is well underway. Over the next five years, the goal is to complete this programme. BT believes that generations of NHS staff, patients and taxpayers will benefit as a result.

  This submission focuses on areas for which BT has responsibility and where we can bring our experience to bear in giving the Committee a supplier's perspective. The Committee's terms of reference cover five key areas of the programme. We have therefore centred our submission on these priorities.

  In summary:

    —  Putting patient records online is not a choice for the NHS, but a necessity for patients and staff and for successful healthcare, and will form an important part of the Government's overall IT reform agenda. (Para 2)

    —  We are confident about the effectiveness of the system for which we have contracts as being sufficient for what the NHS has specified. This will be a step change for the NHS in terms of the reliability and availability of its medical records. (Para 5)

    —  Even in summary form, we are told by the NHS workforce that Spine data is sufficient to give A & E clinicians an immediate opportunity to make a diagnosis or begin treatment. (Para 10)

    —  Patients with existing conditions are likely to benefit from their records being available on Spine. We understand that those without conditions will have little on their record that is not already in the public domain. Clinicians, however, will benefit equally from both as each is indicative of a patient's health. (Para 11)

    —  Added control over protection for confidential data is available to patients through the "sealed envelope"; an option we have developed which, when deployed, restricts access to individual pieces of information if this is what the patient requests. (Para 12)

    —  There are approximately 1.2 million NHS employees of whom circa 800,000 will ultimately have controlled role-based access to Spine. (Para 13)

    —  We have in place rigorous technical controls to ensure that users being registered receive the correct level of access which will be significantly more secure than the current paper-based system of collating medical records. (Para 14)

    —  It is BT's view that the specification of the system we are delivering achieves an important balance between value for money, operational effectiveness and ease of use, likely threat of infiltration and potential for damage through infiltration. (Para 19)

    —  We believe that the technical levels of security are adequate for the information being stored and the likelihood of infiltration for unlawful purposes is low. (Para 20)

    —  To ensure that the maximum benefit can be drawn from the data available on Spine, we have developed forms of aggregating and presenting the data that ensure the confidentiality of individual patients. (Para 24)

    —  Progress on delivering Spine is good. All 11 of the last Spine software releases have been deployed on or ahead of time. There are sound and sensible reasons why the timetable for delivery has changed from its original specification. Against a very ambitious timetable, considerable progress has been made. (Para 28)

    —  Cultural antipathy towards the Electronic Patient Record (EPR) and Spine is on-going but, in our view, decreasing. Public confidence has been affected by misunderstandings of what the Programme can deliver (and is already delivering) and the risk to patient confidentiality. We believe that a stronger focus on communication and training with users would accelerate the acceptance of the Programme particularly in comparison to the "paper" systems it replaces. (Para 33)

A.   The National Programme for IT (NPfIT)

  1.  The NPfIT embraces a number of initiatives to bring modern computing to the operation of the NHS as a means of improving patient experience. BT has responsibility for two components of the system which delivers the EPR; N3 and the Spine. The Committee's Inquiry and our submission focus on the Spine programme.

  2.  We believe that putting patient records online is not a choice for the NHS, but a necessity for patients and staff and successful healthcare and will form an important part of the Government's overall IT reform agenda. The programme is transforming the way the NHS works; ensuring it catches up with the technology NHS staff and patients increasingly use elsewhere in their everyday lives (eg online banking, shopping and e-government).

  3.  BT considers that the benefits of this programme significantly outweigh the risk that any IT project brings. BT has the responsibility for delivering the back-office technology that allows these benefits to be realised.

  4.  A key success criterion for this programme will be its acceptance across the NHS. We firmly believe that, in ten years' time (as with the advent of anti-biotics), NHS staff and patients will wonder how they managed without it. The success of the project will be as much about change management within the NHS as it is about technological advancement.

B.   Delivering the Electronic Patient Record (EPR)

  5.  We are confident about the effectiveness of the system for which we have contracts as being sufficient for what the NHS has specified. This will be a step change for the NHS in terms of the reliability and availability of its medical records.

  6.  Since our appointment as National Application Service Provider (NASP) in December 2003, BT has:

    —  Established N3 across the NHS—creating the largest VPN in Europe with more than 18,000 connections.

    —  Registered 330,000 of the potential 800,000 NHS staff to the appropriate level of clearance for access to Spine.

  7.  This is a permanent system which includes elements of future-proofing against IT development in the coming years. Once in place, the infrastructure will not need to be replaced on a wholesale basis. It has been designed so it can be added to as new requirements are defined and as technology evolves.

C.   Patient information and confidentiality

  8.  Patient data is owned by the NHS, the processes are owned by Connecting for Health and BT works under direction and is not responsible for the accuracy of individual data entries. BT has been assisting Connecting for Health in cleansing the data and ensuring consistency and accuracy through standardising terms used in records. This is the first "deep clean" of certain NHS records data, possibly ever, and means that clinicians across the NHS are now able to use records (that have been the subject of this data cleansing exercise) with greater confidence and without the risk of duplicated or contradictory data which has previously led to numerous errors or unnecessary administrative work in the process.

  9.  Spine contains information that can positively impact on patient care; at present in summary form but, through the Early Adopters programme, this is being extended to full medical records.

  10.  Even in summary form, we are told by the NHS workforce that Spine data is sufficient to give A & E clinicians an immediate opportunity to make a diagnosis or begin treatment, confident in the essential primary information about a patient (e.g. on allergies, pre-existing conditions etc).

  11.  Patients with existing conditions are likely to benefit from their records being available on Spine. We understand that those without conditions will have little on their record that is not already in the public domain. Clinicians, however, will benefit equally from both as each is indicative of a patient's health. The certainty of the record saves time and money and can lead to a quicker, more reliable diagnosis.

  12.  Added control over protection for confidential data is available to patients through the "sealed envelope"; an option we have developed which, when deployed, restricts access to individual pieces of information if this is what the patient requests.

RESTRICTING ACCESS TO PATIENT INFORMATION

  13.  There are approximately 1.2 million NHS employees of whom circa 800,000 will ultimately have controlled role-based access to Spine. The decision on who gets access and to what level is determined by Connecting for Health. Of these 800,000, circa 100,000 will, in time, have controlled access to more than Spine summary details.

  14.  As of 1 March 2007, BT has registered 330,000 users. We have in place rigorous technical controls to ensure that users being registered receive the correct level of access which will be significantly more secure than the current paper-based system of collating medical records.

  15.  The management of data on Spine (its uploading, accuracy and updating) is the responsibility of Connecting for Health. No BT employee has automatic or designated access to any data nor could any BT employee alter a record. However, due to BT's technical responsibility for the management of the system, between 30-40 people only who are BT employees working on Spine are able to view data. Doing so, however, is subject to stringent security procedures which would ensure that any illegitimate use would be immediately spotted. No NHS data is allowed to be stored abroad.

PROTECTING PATIENT CONFIDENTIALITY

  16.  There are two types of security system that protect patient data: Technical Security and Operational Security.

  17.  As NASP, BT is responsible for building and managing Technical Security and for developing the components necessary for Operational Security. BT is responsible for preventing infiltration of Technical Security. Policing Operational Security is the responsibility of the individual NHS authority in which the system is operating.

  18.  The levels of security involved in Spine are comparable with those of online banking. In order to infiltrate Spine, one would need to be determined, knowledgeable and able to breach both the Technical and Operational Security systems. Access would be needed into N3 through its privacy and access regimes. Any infiltration would require access to a Spine ID card and its relevant passwords. Achieving this without the assistance (intentional or accidental) of a registered user would be near impossible.

  19.  We have not become complacent as we recognise that no system is infallible. The system, therefore, is subject to ongoing security tests as standard practice. It is BT's view that the specification of the system we are delivering achieves an important balance between value for money, operational effectiveness and ease of use, likely threat of infiltration and potential for damage through infiltration. Spine has not yet been penetrated.

  20.  We believe that the technical levels of security are adequate for the information being stored and the likelihood of infiltration for unlawful purposes is low.

  21.  Whilst breaching the Technical Security system is solely dependent upon the strength of the system, there are elements of Operational Security that require additional vigilance due to the nature of the environment in which the system is being operated:

    —  Many NHS buildings are uncontrolled. Establishing failsafe procedures (e.g. on access to areas of hospitals linked to N3) would be impossible without compromising the ongoing work of the building.

    —  The NHS does not have locked down desktop systems.

    —  Within Trusts, IT security may not be properly enforced. It is, for example, unlikely to be a priority for those working in an A&E department due to the pressures of work.

    —  To cope with the workload, registered users may be tempted to lend colleagues their Spine ID Card (mutual authentication) or leave their computers logged on to the system when away from their desk.

  22.  As a result of these operational security risks we have developed a series of additional tools for maximising potential system security. These include timed logouts, strict filters on access levels and predictive algorithms to spot misuse and unusual practices.

  23.  If it had been specified that Spine needed to be on a stand alone system, Operational Security would have been enhanced. However, this would have been impractical for use by the NHS with significant on-costs and the risk of a reduced take up by staff as end users would be reluctant to switch terminals in order to access Spine.

D.   Potential uses for the data

  24.  To ensure that the maximum benefit can be drawn from the data available on Spine, we have developed forms of aggregating and presenting the data that ensure the confidentiality of individual patients. Pseudonymising the data is a further step in protecting identity.

  The Secondary User Service (SUS) pseudonymisation service is commonly referred to as P14N , this reflects the fact that SUS will pseudonymise up to 14 inbound data fields, including NHS number, address, name, postcode. The fields are contained within inbound CDS data flows, on arrival in SUS they are encrypted using an industry standard encryption algorithm (currently Blowfish and about to change to AES 128). These values are then presented to an anonymisation engine which transforms the encrypted value using a mathematical algorithm which allocates a unique value to the encrypted attribute. SUS then stores these values in a protected key store which is used as a look up for future inbound values to ensure a value is only encrypted and pseudonymised once.

  A further level of encryption is applied to the psedonymised attribute when the data is reported on or extracted, this "group encrypted value" is uniquely applied by organisation. So when SUS data is extracted by non NHS organisations the anonymised values are presented as different keys for each group.

  25.  Over the next five years, it will be possible to use Spine data as a primary determinant for UK health trends; for identifying clusters (eg to identify emerging epidemics in real time); for conducting clinical and comparative audits across Strategic Health Authorities (SHAs) and Trusts; and to predict future clinical and pharmaceutical needs.

  26.  Through Spine, monitoring the dispensing of prescriptions will become significantly cheaper[35].

  27.  Making the aggregated data available to pharmaceutical companies (as occurs in Australia) would not only assist R & D but would provide the NHS with a substantial income source. By using pseudonymised data, each of these developments could be achieved without compromising patient confidentiality.

E.   Current progress on development and delivery

  28.  Progress on delivering Spine is good. All 11 of the last Spine software releases have been deployed on or ahead of time. There are sound and sensible reasons why the timetable for delivery has changed from its original specification. Against a very ambitious timetable, considerable progress has been made.

  29.  Even at this stage, there are immeasurable benefits that have been delivered which are assisting in the cultural transformation of the NHS:

    —  A greater appreciation within the NHS of the importance of IT in its future and the benefits that will accrue for individual clinicians as well as for the NHS as a whole;

    —  90 million records already cleaned and uploaded; and

    —  The largest VPN in Europe.

  30.  Changes to the original timescale for the project have been caused by a multitude of reasons including the making of necessary modifications to the specification of what was to be delivered and by when (as, for example, Ministerial commitments are made/change), which is to be expected in a programme of this size and scope. Likewise, the Programme was subject to changes in Connecting for Health's business priorities which impacted upon BT as other programmes were progressed at the expense of Spine to meet Ministerial demands.

  31.  On an operational level, the inherited data was less consistent and of a lower quality than was estimated by all parties—hence we have conducted the first deep clean of NHS data.

  32.  Going forward, the biggest obstacle to the completion of Spine is the need for the NHS to agree the clinical terminology to be used. Despite Connecting for Health's best efforts, the adoption of SNOMED (which contains a dictionary of 800,000 terms) is still not complete. This is, in our experience, a problem not limited to the NHS and Connecting for Health's leadership in attempting to finalise a global solution is to be applauded. Until this is achieved, the full benefits of the system (for example in fully utilising aggregated data) will not be accrued. We continue to work in partnership with Connecting for Health however, to ensure that delivery is effective.

  33.  Cultural antipathy towards the EPR and Spine is on-going but, in our view, decreasing. Public confidence has been affected by misunderstandings of what the Programme can deliver (and is already delivering) and the risk to patient confidentiality. We believe that a stronger focus on communication and training with users would accelerate the acceptance of the Programme, particularly in comparison to the "paper" systems it replaces. The following are common misconceptions:

    —  Anyone in the NHS can access private medical records: There are strict parameters of access to Spine data which ensure that only those who need a patient's medical records for clinical use can access them. Patients who wish to restrict access to data about their records further can use the "sealed envelope" facility.

    —  The system "is not working and is not going to work": 90 million summary records have already been uploaded. Spine and N3 are already working well.

    —  The system will fail if only X% of the population refuse access: It is up to individual patients whether they want their summary data on Spine but using the system is fast becoming standard practice across the NHS. It is being implemented in such a way as to maximise its ease of use by authorised NHS employees.

    —  Patient care is being compromised: Patient care is being enhanced through Spine. At present, 20-40% [estimate] of care in the NHS is being delivered without notes with all the associated risks of incomplete information for diagnosis and case history. In less than a generation, we believe that NHS staff will look back and wonder how they coped.

    —  Patients could discover they have cancer by reading their record: Patient access to records will only occur when they are checking their data.

Robin Seaman

British Telecommunications plc

March 2007






35   Prescription Pricing Authority Business Plan refers to savings circa £2.4 million pa. Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2007
Prepared 25 April 2007