1.  Symantec welcomes the opportunity offered by the Health Select Committee to submit evidence on issues relating to the use of patient data in the development of electronic record systems and the importance of ensuring the security and confidentially of individuals' sensitive medical information.

EXECUTIVE SUMMARY

  2.  Building an electronic healthcare information system in the UK presents both real opportunities and challenges. We are convinced that the implementation of information communication technology can improve the quality, efficiency and cost effectiveness of NHS operations whilst also providing more citizen centric services. However, the deployment of such an extended IT infrastructure to support the NHS objectives could raise some concerns over the security and confidentially of personal information processed, stored and shared electronically. At the same time different NHS bodies and institutions are moving towards greater interoperability and networked collaboration at varying rates and speeds; resulting in the development of a complex IT infrastructure. Symantec understands and recognizes the immense challenges being faced by the NHS in implementing technology across a vast, varied and largely decentralized organization. We believe an integrated approach to information and systems management is needed across the NHS, at both a local and national level, to ensure the security and confidentially of patient data is assured and that medical information is readily and securely accessible to a broad array of individuals including patients and staff.

What patient information will be held on the new local and national electronic record systems, including whether patients may prevent their personal data being placed on systems?

  3.  It is understood that a summary of information on each NHS patient will be held on a national database of electronic records known as the Spine. However, due to the lack of bandwidth allocated to the database, the Spine will not be able to hold all the medical information relevant to each patient. The lack of bandwidth means the amount of data able to be stored on the database will be limited and the ability to download the data in any meaningful timeframe restricted. As a result the majority of patient data will remain stored and managed at local level by NHS entities on local databases and existing record systems. Within this current NHS landscape the main responsibility for patient information will rest at the local level. As a result there is an implicit requirement on local bodies to have in place effective data management tools and security solutions currently available in the market.

  4.  However, there is a concern that the local NHS bodies responsible for storing patient data do not have adequate processes, procedures and systems in place to ensure the available, integrity and confidentially of patient information. For example, no standard policies or procedures currently exist for data management across all NHS local healthcare bodies. This has lead to a variety of approaches taken to storing data relating to patients; ranging from the storage of all data, resulting in the creation of complex and unmanageable databases, or only minimum data being stored resulting in vital patient information, for example contained in emails correspondence simply being deleted. NHS organisations need to understand and recognize the importance of a holistic approach to data security, management and storage across the NHS. This will require a change in the businesses practices of local NHS bodies and a recognition that technology alone cannot be relied upon when developing and implementing new electronic record systems. Education and training of NHS staff, at all levels, on the importance of data management will also be required.

  5.  The right of patients' to remove records from the NHS electronic record schemes presents a major barrier to the NHS realizing the full benefits from technology enabled change. The trust and buy-in of citizens to share personal information with government online databases is vital to the success of the new era of public sector delivery. It is also an aspect of regulatory compliance with the Data Protection Act for NHS. We believe having standard and common processes and procedures in place to ensure the integrity, confidentially and security of patient's information when shared, processed, accessed by the individual right holder and stored by the NHS, whether it be at a local or national level is key to gaining patients trust.

Who will have access to locally and nationally held information and under what circumstances? Can patient confidentiality be adequately protected?

  6.  Fears over unauthorised access, misuse and possible theft of medical information presents a major challenge to the successful implementation of an electronic healthcare information system in the UK. Ensuring access to patient information, whether at a local or national level, is only allowed to appropriate medical professionals is therefore a key factor in gaining the trust and buy-in of citizens. Data management solutions currently exist that can enable patient information is not only held securely but can be accessed by appropriate medical professionals when required in a way that ensure patient confidentially is maintained.

  7.  Data management systems enable data across an organization, such as an NHS Trust, to be held centrally and according to standard policies, procedures and requirements. Having a standard system in place enables access levels to be allocated to particular types and levels of data. The introduction of access controls in the NHS electronic records system would ensure only designated NHS personnel have the right to access patients sensitive information; reassuring citizens that their data is not vulnerable to unauthorized access or misuse. The access given to NHS staff could be monitored and audit trails produced, providing additional reassurance to patients that the confidentially of their data is being maintained. Access levels can also be used to dictate the information that can be shared outside an organsiation for example to another NHS body or even to the NHS Spine database itself. The introduction of effective access levels in an electronic records system would require common data management procedures and practices to be developed and implemented by all NHS bodies connected to the system. It is argued that such an approach to data access would have been easier to enforce if a national NHS data store, as originally envisaged under the NHS Spine project, had been achieved. Now that we have a situation where data is spread across many disparate systems and NHS bodies, putting a common system in place that can ensure secure access levels to patient data will be much more difficult.

  8.  While having access levels in place can ensure electronic patients records stored on databases can be held securely, there is a real concern that the confidentially of patients sensitive information is being put at risk by the increasing use of email and internet based communication tools. The NHS has come to rely on email, and increasingly Instant Messaging (IM), to improve communications within organisations and enable the sharing of patient information with partners quickly and efficiently. While this is enabling the level of patient care to be improved, Symantec is concerned that email and IM systems are increasingly becoming large repositories of patient's sensitive personal information. In particular we are concerned at the use of IM by medical staff due to the security vulnerabilities of this type of communication. IM is generally unprotected and unmonitored leaving it vulnerable to attacks. The infection of one computer with a computer virus using IM can result in messages being sent to all users in an IM contact list on that machine, creating the potential for rapid spread of security threats. We believe consideration needs to be given to the security procedures in place to protect the confidentially of patient information stored in emails and common agreed policies for the use IM by all NHS bodies. The current lack of procedures and processes for the secure management of patient data captured within emails and used in IM is resulting in patient information being open to misuse, attack and theft.

  9.  Having patient information that is readily accessible, and yet secure, to medical staff as and when required is an essential requirement of creating an effective electronic healthcare system. However, we are concerned at the lack of procedures and systems in place by NHS bodies to ensure critical information, applications and systems are continuously available. The lack of common policies and procedures for data backup by NHS bodies is regarded as a key threat to the availability and confidentially of patient data. For example, within a small doctor's surgery it is common for an office administrator—usually untrained in data management issues—to be relied upon to manage backup tapes. The offsite management of these tapes usually consisting of staff simply taking tapes home overnight. For large bodies such as NHS Trusts, few have disaster recovery systems in place that can ensure if data is lost or destroyed at one site it would be accessible from a secondary secure site. If the NHS is to have safe and secure access to patients data across a number of disparate sources and bodies, serious consideration needs to be given to the development and implementation of standard data retention policies, disaster recovery procedures and data storage and retrieval systems across all NHS bodies.

  10.  It is also considered important that patients are assured that the confidentially of data is protected even when it is no longer required. Disposal and destruction of redundant, modified or corrected data, and the legacy systems or devices that patient data may have been saved on is just as important as protecting current patients medical data. Data destruction technology exist that can ensure NHS requirements can be adhered to. However, this is an example where it is not just the technology solution that must be considered but also the processes and training needed for NHS employees to understand and recognize the need to protect patient information that is no longer required or relevant. In an era where identity theft is a key concern, it is vital that the NHS recognize the need to protect patient information from the cradle to the grave and beyond.

How data held on the new systems can and should be used for purposes other than the delivery of care eg clinical research?

  11.  The introduction of new technology provides the NHS with opportunities to provide improved services and develop new innovative ways of to addressing patient's needs. Current demographic trends suggest that the number of elderly people in the UK will increase dramatically in the coming years. As a result the NHS is expected to move towards delivering clinical services to patients away from hospital and doctor's surgeries and out into local communities and patients homes. A move away from hospital centric care means NHS staff will require remote real-time access to up-to-date and accurate patient information from mobile networked enabled devices such as laptops and PDAs. As a result the established perimeters for data usage, storage and security will disappear as information begins to flow outside hospitals. This will lead to mobile NHS workers responsible for the security of sensitive, and potentially valuable personal information, becoming increasingly targeted and vulnerable to online security attacks. If the NHS is to move towards a new of service delivery where doctors and nurses are using such mobile devices, the security of the data held and shared via these devices is an issue that must be addressed sooner rather than later.

  12.  Symantec is concerned that many NHS organisations are enabling staff to access NHS systems containing electronically stored patient records often on unmanaged laptops and other endpoint devices. There are no guarantees that these devices have the latest security patches, up-to-date antivirus definitions or a personal firewall. In addition there is also a concern that mobile NHS staff may be relying on patient's home wireless connections to access internet based databases. Without the latest security patches, up-to-date antivirus technology or even firewalls, devices being used by NHS staff may already be infected with security threats and as a result could be putting the NHS network at risk from security attacks. For example an insecure wireless connection can lead to personal sensitive medical information being open to possible unauthorized access, misuse and even theft. We believe a key priority for the NHS to ensure the confidentially of patient data is the development of common and standard IT security policies should be in placed across all NHS organisations to ensure that only compliant and secure devices are used to process sensitive patient medical data and also connect to NHS networks. There is a concern that different NHS organisations that currently collaborate and share patient information do not have adequate security policies put in place to protect information that is shared.

  13.  For example, it is understood that NHS Acute Trusts and Primary Care Trusts (PCTs) have autonomy to develop their own policies and requirements to control remote access to patient data. While it is not suggested that the autonomy granted to these authorities should be removed, it is important to note that a clinician providing services remotely to a patient, whose records are held by two different hospitals, may be required to conform to multiple policies, requirements and procedures in order to access patients data. A situation where clinicians are required to adhere to multiple sets of procedures or processes for accessing data could result in errors being made in the processing and accessing of data that may have a direct impact on the delivery of patient care. It is suggested that consideration should be given to the development of common access control procedures and policies that can enable the development of a single system for access to patient information securely and accurately. In England this system should be shared by the ten Strategic Health Authorities; similar common procedures should also be developed for use in Northern Ireland, Wales and Scotland. The development of a single, common and agreed policy that is shared by all NHS bodies could ensure the processes put in place would not need to be changed as the boundaries of the NHS map continue to evolve.

  14.  The data gathered and held by NHS bodies may be useful for the provision of other services other than treatment. However, the use of the data must not jeopadise patients right to confidently. If data is going to be used for purposes other than treatment then strong safeguards, such as informed consent and appropriate access levels, must be in place.

What is the current progress of the development of the NHS Care Records Service and the National Data Spine and why is delivery of the new systems up to two years behind schedule?

  15.  The delays that have occurred in the projects to date can be attributed to many factors including ongoing changes to the design and specification of key systems, radical project re-thinking, tensions over payments for completed development work and the departures of key project partners. It is also suggested that delays have occurred due to a lack of consultation and involvement by the NHS bodies themselves in the design and specifications of proposed systems and services. For example, a lack of consultation with local NHS bodies on the types and amount of patient data they currently hold and would need to be incorporated into a national medical records database. This resulted in the Spine database being developed without the adequate bandwidth required; resulting in the re-thinking to and significant delays experienced in the delivery of the Spine project. There is real concern that a lack of consultation with NHS staff on the development of new systems has the potential to create an aversion by local disenfranchised staff to use the new technological solutions introduced even possibly a desire to see the new mistrusted systems fail. Going forward the trust and buy-in from NHS doctors and nurses, will be just as an important to the success of technology enabled change in the NHS as will patient's willingness to share their medical information with electronic online record systems.

Susan Daley

Symantec Corporation

16 March 2007