Evidence submitted by Symantec (EPR 37)
1. Symantec welcomes the opportunity offered by the Health Select Committee to submit evidence on issues relating to the use of patient data in the development of electronic record systems and the importance of ensuring the security and confidentiality of individuals' sensitive medical information.
EXECUTIVE SUMMARY
2. Building an electronic healthcare information system in the UK presents both real opportunities and challenges. We are convinced that the implementation of information communication technology can improve the quality, efficiency and cost effectiveness of NHS operations whilst also providing more citizen-centric services. However, the deployment of such an extended IT infrastructure to support the NHS objectives could raise some concerns over the security and confidentiality of personal information processed, stored and shared electronically. At the same time, different NHS bodies and institutions are moving towards greater interoperability and networked collaboration at varying rates and speeds, resulting in the development of a complex IT infrastructure. Symantec understands and recognizes the immense challenges being faced by the NHS in implementing technology across a vast, varied and largely decentralized organization. We believe an integrated approach to information and systems management is needed across the NHS, at both a local and national level, to ensure that the security and confidentiality of patient data is assured and that medical information is readily and securely accessible to a broad array of individuals including patients and staff.
What patient information will be held on the new
local and national electronic record systems, including whether
patients may prevent their personal data being placed on systems?
3. It is understood that a summary of information
on each NHS patient will be held on a national database of electronic
records known as the Spine. However, due to the lack of bandwidth
allocated to the database, the Spine will not be able to hold
all the medical information relevant to each patient. The lack
of bandwidth means the amount of data able to be stored on the
database will be limited and the ability to download the data
in any meaningful timeframe restricted. As a result the majority
of patient data will remain stored and managed at local level
by NHS entities on local databases and existing record systems.
Within this current NHS landscape the main responsibility for
patient information will rest at the local level. As a result
there is an implicit requirement on local bodies to have in place
effective data management tools and security solutions currently
available in the market.
4. However, there is a concern that the local NHS bodies responsible for storing patient data do not have adequate processes, procedures and systems in place to ensure the availability, integrity and confidentiality of patient information. For example, no standard policies or procedures currently exist for data management across all NHS local healthcare bodies. This has led to a variety of approaches being taken to storing data relating to patients, ranging from the storage of all data, resulting in the creation of complex and unmanageable databases, to only minimum data being stored, resulting in vital patient information, for example contained in email correspondence, simply being deleted. NHS organisations need to understand and recognize the importance of a holistic approach to data security, management and storage across the NHS. This will require a change in the business practices of local NHS bodies and a recognition that technology alone cannot be relied upon when developing and implementing new electronic record systems. Education and training of NHS staff, at all levels, on the importance of data management will also be required.
5. The right of patients to remove records from the NHS electronic record schemes presents a major barrier to the NHS realizing the full benefits from technology enabled change. The trust and buy-in of citizens to share personal information with government online databases is vital to the success of the new era of public sector delivery. It is also an aspect of regulatory compliance with the Data Protection Act for the NHS. We believe having standard and common processes and procedures in place to ensure the integrity, confidentiality and security of patients' information when shared, processed, accessed by the individual right holder and stored by the NHS, whether at a local or national level, is key to gaining patients' trust.
Who will have access to locally and nationally
held information and under what circumstances? Can patient confidentiality
be adequately protected?
6. Fears over unauthorised access, misuse and possible theft of medical information present a major challenge to the successful implementation of an electronic healthcare information system in the UK. Ensuring that access to patient information, whether at a local or national level, is only allowed to appropriate medical professionals is therefore a key factor in gaining the trust and buy-in of citizens. Data management solutions currently exist that can ensure patient information is not only held securely but can also be accessed by appropriate medical professionals when required, in a way that ensures patient confidentiality is maintained.
7. Data management systems enable data across an organization, such as an NHS Trust, to be held centrally and according to standard policies, procedures and requirements. Having a standard system in place enables access levels to be allocated to particular types and levels of data. The introduction of access controls in the NHS electronic records system would ensure only designated NHS personnel have the right to access patients' sensitive information, reassuring citizens that their data is not vulnerable to unauthorized access or misuse. The access given to NHS staff could be monitored and audit trails produced, providing additional reassurance to patients that the confidentiality of their data is being maintained. Access levels can also be used to dictate the information that can be shared outside an organisation, for example to another NHS body or even to the NHS Spine database itself. The introduction of effective access levels in an electronic records system would require common data management procedures and practices to be developed and implemented by all NHS bodies connected to the system. It is argued that such an approach to data access would have been easier to enforce if a national NHS data store, as originally envisaged under the NHS Spine project, had been achieved. Now that we have a situation where data is spread across many disparate systems and NHS bodies, putting a common system in place that can ensure secure access levels to patient data will be much more difficult.
8. While having access levels in place can ensure electronic patient records stored on databases can be held securely, there is a real concern that the confidentiality of patients' sensitive information is being put at risk by the increasing use of email and internet based communication tools. The NHS has come to rely on email, and increasingly Instant Messaging (IM), to improve communications within organisations and enable the sharing of patient information with partners quickly and efficiently. While this is enabling the level of patient care to be improved, Symantec is concerned that email and IM systems are increasingly becoming large repositories of patients' sensitive personal information. In particular we are concerned at the use of IM by medical staff due to the security vulnerabilities of this type of communication. IM is generally unprotected and unmonitored, leaving it vulnerable to attacks. The infection of one computer with a computer virus using IM can result in messages being sent to all users in an IM contact list on that machine, creating the potential for rapid spread of security threats. We believe consideration needs to be given to the security procedures in place to protect the confidentiality of patient information stored in emails and to common agreed policies for the use of IM by all NHS bodies. The current lack of procedures and processes for the secure management of patient data captured within emails and used in IM is resulting in patient information being open to misuse, attack and theft.
9. Having patient information that is readily accessible, and yet secure, to medical staff as and when required is an essential requirement of creating an effective electronic healthcare system. However, we are concerned at the lack of procedures and systems in place by NHS bodies to ensure critical information, applications and systems are continuously available. The lack of common policies and procedures for data backup by NHS bodies is regarded as a key threat to the availability and confidentiality of patient data. For example, within a small doctor's surgery it is common for an office administrator, usually untrained in data management issues, to be relied upon to manage backup tapes. The offsite management of these tapes usually consists of staff simply taking tapes home overnight. For large bodies such as NHS Trusts, few have disaster recovery systems in place that can ensure that if data is lost or destroyed at one site it would be accessible from a secondary secure site. If the NHS is to have safe and secure access to patients' data across a number of disparate sources and bodies, serious consideration needs to be given to the development and implementation of standard data retention policies, disaster recovery procedures and data storage and retrieval systems across all NHS bodies.
10. It is also considered important that patients are assured that the confidentiality of data is protected even when it is no longer required. Disposal and destruction of redundant, modified or corrected data, and of the legacy systems or devices that patient data may have been saved on, is just as important as protecting current patients' medical data. Data destruction technologies exist that can ensure NHS requirements can be adhered to. However, this is an example where it is not just the technology solution that must be considered but also the processes and training needed for NHS employees to understand and recognize the need to protect patient information that is no longer required or relevant. In an era where identity theft is a key concern, it is vital that the NHS recognize the need to protect patient information from the cradle to the grave and beyond.
How data held on the new systems can and should be used for purposes other than the delivery of care, e.g. clinical research?
11. The introduction of new technology provides the NHS with opportunities to provide improved services and develop innovative new ways of addressing patients' needs. Current demographic trends suggest that the number of elderly people in the UK will increase dramatically in the coming years. As a result the NHS is expected to move towards delivering clinical services to patients away from hospitals and doctors' surgeries and out into local communities and patients' homes. A move away from hospital-centric care means NHS staff will require remote real-time access to up-to-date and accurate patient information from mobile network-enabled devices such as laptops and PDAs. As a result the established perimeters for data usage, storage and security will disappear as information begins to flow outside hospitals. This will lead to mobile NHS workers, responsible for the security of sensitive and potentially valuable personal information, becoming increasingly targeted and vulnerable to online security attacks. If the NHS is to move towards a new era of service delivery where doctors and nurses are using such mobile devices, the security of the data held and shared via these devices is an issue that must be addressed sooner rather than later.
12. Symantec is concerned that many NHS organisations are enabling staff to access NHS systems containing electronically stored patient records, often on unmanaged laptops and other endpoint devices. There are no guarantees that these devices have the latest security patches, up-to-date antivirus definitions or a personal firewall. In addition there is also a concern that mobile NHS staff may be relying on patients' home wireless connections to access internet based databases. Without the latest security patches, up-to-date antivirus technology or even firewalls, devices being used by NHS staff may already be infected with security threats and as a result could be putting the NHS network at risk from security attacks. For example, an insecure wireless connection can lead to personal sensitive medical information being open to possible unauthorized access, misuse and even theft. We believe a key priority for the NHS in ensuring the confidentiality of patient data is that common and standard IT security policies be put in place across all NHS organisations, to ensure that only compliant and secure devices are used to process sensitive patient medical data and to connect to NHS networks. There is a concern that different NHS organisations that currently collaborate and share patient information do not have adequate security policies in place to protect information that is shared.
13. For example, it is understood that NHS
Acute Trusts and Primary Care Trusts (PCTs) have autonomy to develop
their own policies and requirements to control remote access to
patient data. While it is not suggested that the autonomy granted
to these authorities should be removed, it is important to note
that a clinician providing services remotely to a patient, whose
records are held by two different hospitals, may be required to
conform to multiple policies, requirements and procedures in order
to access patients' data. A situation where clinicians are required
to adhere to multiple sets of procedures or processes for accessing
data could result in errors being made in the processing and accessing
of data that may have a direct impact on the delivery of patient
care. It is suggested that consideration should be given to the
development of common access control procedures and policies that
can enable the development of a single system for access to patient
information securely and accurately. In England this system should
be shared by the ten Strategic Health Authorities; similar common
procedures should also be developed for use in Northern Ireland,
Wales and Scotland. The development of a single, common and agreed
policy that is shared by all NHS bodies could ensure the processes
put in place would not need to be changed as the boundaries of
the NHS map continue to evolve.
14. The data gathered and held by NHS bodies may be useful for the provision of services other than treatment. However, the use of the data must not jeopardise patients' right to confidentiality. If data is going to be used for purposes other than treatment then strong safeguards, such as informed consent and appropriate access levels, must be in place.
What is the current progress of the development
of the NHS Care Records Service and the National Data Spine and
why is delivery of the new systems up to two years behind schedule?
15. The delays that have occurred in the projects to date can be attributed to many factors, including ongoing changes to the design and specification of key systems, radical project re-thinking, tensions over payments for completed development work and the departures of key project partners. It is also suggested that delays have occurred due to a lack of consultation and involvement by the NHS bodies themselves in the design and specifications of proposed systems and services. For example, there was a lack of consultation with local NHS bodies on the types and amount of patient data they currently hold and would need to be incorporated into a national medical records database. This resulted in the Spine database being developed without the adequate bandwidth required, resulting in the re-thinking of, and significant delays in, the delivery of the Spine project. There is real concern that a lack of consultation with NHS staff on the development of new systems has the potential to create an aversion among disenfranchised local staff to using the new technological solutions introduced, and possibly even a desire to see the new, mistrusted systems fail. Going forward, the trust and buy-in of NHS doctors and nurses will be just as important to the success of technology enabled change in the NHS as patients' willingness to share their medical information with electronic online record systems.
Susan Daley
Symantec Corporation
16 March 2007