Select Committee on Health Written Evidence


Memorandum by Peter Fairbrother (EPR 43)

1.  INTRODUCTION

  My name is Peter Fairbrother. I am a cryptologist with a special interest in the design of secure systems.

1.1  The Patient and GP today

  As a patient I may tell my GP or Consultant information which I wish them to keep private—by which I mean I do not want them to tell anyone else, unless necessary. I rely on them to decide when it is necessary for them to tell anyone else, mainly if the information is of clinical significance to my treatment.

  My GP also knows less sensitive information like my address—again, I would not want him to give it out unless he thinks it is necessary or appropriate.

  GPs' surgeries have now for the most part been computerised and interconnected, and it is easy for a GP to decide on a set of rules under which he gives out or does not give out different types of information, or to place a particular piece of information in a different category—for instance my address is not very secret, but that of a film star or protected witness might be much more secret.

1.2  Data security and privacy in the existing patient-GP relationship

  There are two important security/privacy aspects to this—trust, and need-to-know. I decide whether to trust my GP to decide when it is important that information be available, and to keep it secret when it is not. If I decide I cannot trust him I can choose another GP.

  Need-to-know is a very powerful security technique designed to minimise the number of people who know a data item (as a rule of thumb we consider that the security of a secret is inversely proportional to the square of the number of people who know it), and in large systems need-to-know is essential for any kind of security.

  Need to know means that only people who need to know a data item can access it—but it also implies that the person who decides whether a person has a need-to-know himself needs to know the data item in order to make that decision.

  In general, it is both necessary and convenient that the person deciding is a person who already knows the data item, ie he needs to know it for his own reasons, and the function of deciding whether another has need-to-know is given to him for that reason. In the medical context, it makes even more sense, as the GP (unlike the system operator) will be trained in medicine, and can decide when it is clinically important to give out data.

1.3  The spine

  The spine is a collection of proposals, many innocuous or even sensible, but including the attempted centralisation of data and centralisation of control of access to that data. I say "attempted" because in large part it is unlikely to be feasible. This will be done by taking copies of data in GP and Hospital records, and making the copies available according to some access strategy.

  There is some remaining question of whether the GP and Hospital records might be stored centrally instead of in the GPs' surgeries, but this would be very hard to do, very expensive, and would result in a record system which would be eg fragile in the case of a national emergency, so I do not think it should happen.

1.4  Patient data security and privacy after the spine

  The proposed spine, especially the PSIS and LSPs, makes the decision-to-trust impossible—there is no point in choosing another doctor if I don't trust the one I have to keep secrets, as the doctor does not keep the secrets any more.

  More important, they destroy any effective need-to-know policy—if implemented, no matter what the access policy rules are, any person of criminal intent will be able to access medical records at will. This has clinical significance as well—the patient may decide not to tell the GP something relevant to his treatment.

  The next part is about the design of the spine, including some suggestions for changes. These are mostly about how the existing databases in GPs' surgeries and Hospitals could be used without duplication to perform all the functions needed or proposed. These suggestions are meant to show what is possible rather than to be a prescriptive guide—if nothing else, space prevents me from attempting that.

2.  DESIGNING THE SPINE

  The Spine is the name given to the proposed national database of key information about a patient's health and care, which will form the core of the NHS Care Records Service (NHS CRS) part of NPfIT.

  The spine consists of the Transaction Messaging Service, the Spine Directory Service, the Personal Demographics Service, the Personal Spine Information Service, Local Service Providers, the Secondary Uses Service, the Clinical Spine Application, and an Access Control Framework.

  There is another function needed, some form of staff identity authentication—this varies from the NHS-ID card to local authentication schemes, none of which seem to work well.

  2.1  The Transaction Messaging Service is non-contentious (as long as it is solely a messaging service between Healthcare providers), and should be straightforward to implement. The N3 virtual private network could provide the required connectivity and confidentiality and the NHS card could provide convenient and reliable authentication. Whether they will in fact do so is another matter, but to do so is well within the bounds of present art.

  2.2  The Spine Directory Service is also non-contentious. It could be implemented on a single server, probably duplicated for reliability, and the information on it would not change much.

  2.3  The Personal Demographics Service (PDS) is "the central and single source for patient demographic information, such as NHS number, name, address and date of birth". It should also contain previous address data in order to make it easy to identify patients when they move address or change GP, and the patient's registered GP.

  However, except in very unusual circumstances, which could be dealt with manually, the only information it ever needs to give out is the patient's NHS number and registered GP.

  If an enquirer wishes to know the patient's address they would request it from the patient's GP. If the patient had not requested that their address be withheld then the GP's computer would supply the address in about the time it takes an internet page to load. This would allow famous people, witnesses, and so on to hide their addresses by simply asking their GP to withhold it.

  Note that the decision whether or not to give out the address lies with the GP, in accordance with the patient's wishes. Note also that the GP's computer system does the actual work; the GP only has to enter once that the address should be withheld.

  If the address request is refused, the enquirer could send the mail to the GP's address for forwarding, or could contact the GP or his surgery to explain why the address was needed.
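As an added illustration of the exchange described in 2.3 (this is not code from the memorandum, nor from any NHS or CfH system), the following Python sketch models a PDS that hands out only the NHS number and registered GP, and a surgery computer that answers an address request by applying the GP's category rules and the patient's one-time withhold setting. The requester's staff category is taken from the authentication, as 2.7a argues it must be. All names, NHS-number placeholders, addresses and rules are constructed for the example.

```python
from dataclasses import dataclass, field

# Toy Personal Demographics Service with constructed sample data. Following
# section 2.3, the only things it ever hands out are the NHS number and the
# registered GP; addresses never leave the surgery.
PDS = {
    "PLACEHOLDER-NHS-001": {"registered_gp": "surgery-a"},
    "PLACEHOLDER-NHS-002": {"registered_gp": "surgery-a"},
}


def pds_lookup(nhs_number):
    """Return only the NHS number and registered GP, or None if unknown."""
    entry = PDS.get(nhs_number)
    if entry is None:
        return None
    return {"nhs_number": nhs_number, "registered_gp": entry["registered_gp"]}


@dataclass
class PatientRecord:
    address: str
    # Items the patient has asked the GP to withhold; the GP enters this once.
    withheld: set = field(default_factory=set)


@dataclass
class Surgery:
    name: str
    records: dict          # nhs_number -> PatientRecord
    release_rules: dict    # item -> requester categories the GP allows to see it


# One constructed surgery. The GP's rule here (an assumption for the example):
# addresses may be released to clinicians and administrators, never to other
# staff categories.
SURGERY_A = Surgery(
    name="surgery-a",
    records={
        "PLACEHOLDER-NHS-001": PatientRecord(address="1 Example Street"),
        "PLACEHOLDER-NHS-002": PatientRecord(address="Undisclosed Lane",
                                             withheld={"address"}),
    },
    release_rules={"address": {"clinician", "administrator"}},
)
SURGERIES = {SURGERY_A.name: SURGERY_A}


def gp_request(surgery, nhs_number, item, requester_category):
    """GP-side decision point. The surgery computer applies the GP's category
    rules and the patient's withhold list; the GP is not involved per request."""
    record = surgery.records.get(nhs_number)
    if record is None:
        return {"status": "unknown-patient"}
    if requester_category not in surgery.release_rules.get(item, set()):
        return {"status": "refused",
                "reason": "requester category not permitted by GP rules"}
    if item in record.withheld:
        return {"status": "refused",
                "reason": "withheld at patient's request; mail may be sent via the surgery"}
    return {"status": "ok", item: getattr(record, item)}


def find_address(nhs_number, requester_category):
    """The full exchange: the PDS names the registered GP, the surgery decides."""
    directory = pds_lookup(nhs_number)
    if directory is None:
        return {"status": "unknown-patient"}
    surgery = SURGERIES[directory["registered_gp"]]
    return gp_request(surgery, nhs_number, "address", requester_category)


if __name__ == "__main__":
    print(find_address("PLACEHOLDER-NHS-001", "clinician"))
    print(find_address("PLACEHOLDER-NHS-002", "clinician"))
    print(find_address("PLACEHOLDER-NHS-001", "cleaner"))
```

The point the sketch makes is where the decision sits: the central directory never holds a releasable copy of the address, and the refusal for a withheld address is produced by the surgery computer from a flag the GP set once, so need-to-know is judged by the party who already knows the data.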

  2.4  The Personal Spine Information Service (PSIS) is the most obviously contentious part of the spine, partly because it is the part that is most likely not to be implementable and partly because it is the most privacy-invasive part, and the part that could be most misused.

  Initially it was intended to contain all patient records, but by about mid-2003 it was realised that that intention would be impossible to implement, and the present proposal is that the records contained in the PSIS are a summary only, with the main records held in GP's surgeries and Hospitals.

  There are two insurmountable technical problems with the present proposal—it would be impossible to ensure that the records held centrally and those held in GP's surgeries and Hospitals match, and the legacy idea that the summary should be the definitive record cannot stand. There is a third problem which is probably insurmountable, or at least very expensive, too—the methods we know about do not scale well to a database of that size.

  Leaving the insurmountable aside, there are two more problem areas—cost, and privacy issues. The cost of such a system would be huge, and the benefits are almost zero—it does basically the same job as the Personal Demographics Service.

  The only data contained in the PSIS in the latest proposal which is not in the PDS is "patient allergies" and "Courses of treatment undergone". However I see no reason why patient allergies and "Courses of treatment undergone" could not be held, like the rest of the clinical record, at the GP's surgery. Again, external access to this information is by request to the surgery.

  Thus there is no need for the PSIS at all, nor for anything to replace it—although it might be desirable to upgrade the computers in GP's surgeries for better guaranteed availability, which might cost £5,000 for each of the 8,000 surgeries involved, a total of £40 million. However as this would remove any last possible justification for the PSIS, the overall saving would be very large.

  2.5  Local Service Providers (LSPs) are also copying datasets, deciding access control strategies, and taking control of patient data away from the GP and health professional. The methods and policies vary according to region, which is another matter for concern, but as the issues are the same whether the action is performed by the PSIS or the LSP I will not comment further—except to ask why there are five of them. If they were providing off-the-shelf solutions and they had good local knowledge it might make some sense, but to have five sets of people doing simultaneous development of the same thing seems absurdly wasteful.

  2.6  The privacy issues surrounding the PSIS and LSPs are wide-ranging, and the main driving force here is that as planned it is technically impossible to limit the persons who have access to a patient's medical records to eg those who have the patient in their care. These issues are not just the result of the PSIS and LSP data grabs however; they more generally concern who decides when information is revealed, and the freedom a GP and a patient have to conceal information.

  For instance if some information is embarrassing or endangering to the patient for social reasons but is of no clinical import, then there is no reason why it should be available to clinicians even when they are treating the patient. However, it might be useful to have it available for research or administrative purposes. For research it might be available in anonymised form, and for administrative purposes it might be available as part of a statistic of how many times that event had occurred.

  If the GP is free to conceal information in these circumstances, then all the privacy issues go away—or rather they go on the shoulders of the GP, where they have always lain. Note that the GP will be required to do very little to enforce his privacy decisions and policies, the computer does almost all the work, but he will have to make decisions and policies.

2.7  Access control framework

  2.7a  A prerequisite here is some form of personal authentication, which does not seem to have been properly settled. The NHS-ID card is having speed and scaling problems, and locally issued authentications are being misallocated and misused. It is important that the authentication states not simply that the person is employed by the NHS, but in what category and where, else a cleaner or administrator could pretend to be a Doctor and access information at an inappropriate level.

  2.7b  However even with proper identification, whatever access control framework is used cannot work as well in a centralised system as in a distributed net with local control, because in a centralised system need-to-know is both almost impossible to establish and too many people need to know in order to run the system. In the present case I do not think any set of access control rules can be made to work sufficiently well to give any privacy at all—either the rules will be too strict so the system is of little use, or the rules will be less strict in order that the system can be used and then access will be runaway. In my opinion there is no possible happy medium.

  I find little benefit in talking about specific access control proposals now, as there are too many of them, often contradictory, and I can find no guidance on what the definitive proposals are.

  2.7c  There is one other point which I would like to raise, the question of the use of medical records in criminal investigations. For good reasons ("would you like your daughter to catch TB from an illegal immigrant who was too scared to see a doctor?") the Police and Criminal Evidence Act considers medical records to be "special procedure material" and limits the way they can be demanded—but it is alleged that the Police have been using medical records to find illegal immigrants.

  I do not know if this is true, or under what laws it is collected, but I would like some assurance that the same special procedure applies to all medical records, whether held on a GP's computer, in the spine, or elsewhere. Also I would like to see a requirement that data not be given out without going through the special procedure process—at the moment the Police can ask for private information, and there is nothing to stop eg BT from giving it to them.

2.8  Secondary uses service

  2.8a  The present secondary uses service is contracted to McKesson, a US corporation. We do not know much about what they will do, or how much McKesson paid the NHS for the privilege of getting their hands on the dataset. However, I would specifically ask the committee to investigate one question—is there any guarantee that the data will be kept in the UK and not copied to the US or elsewhere, where it might be subject to a Court order, like the SWIFT data?

  2.8b  Leaving that aside, all the desired functions except secrecy of search can be easily implemented in a distributed dataset. For example, a pro-bono research request might first go to an ethics committee (perhaps run by the BMA) who would recommend that GPs run the search on their computers at night when they were idle. Most GPs would probably do this.

  For commercial searches, first the search string should be published, along with documents explaining what data is requested and why. A committee should consider the search string (that is, the actual terms of the request, as fed into the GP's computer) and if they approve it then GPs can run it and get paid for doing so. It should probably be an offence to run a search for payment unless approval has been granted. Note that the GP is never forced to run these searches. LHAs, PCTs and the like might be allowed to demand some searches are run for purposes of administration only.
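As an added illustration of the approval gate just described (this is not code from the memorandum and not any real approval system), the following Python sketch shows a surgery computer that runs a search only when the fingerprint of the exact published search string is on an approved register, and returns a count rather than the matching records, in line with 2.6's point that administrative uses can be served by a statistic. The search grammar, the hash-based register, the sample records and the approved string are all constructed for the example.

```python
import hashlib
import operator

# Constructed sample of one surgery's local records; they never leave the surgery.
LOCAL_RECORDS = [
    {"condition": "asthma", "age": 34},
    {"condition": "asthma", "age": 12},
    {"condition": "diabetes", "age": 50},
    {"condition": "asthma", "age": 20},
]

# The only comparison operators the search grammar accepts (an assumption).
OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}


def fingerprint(search_string):
    """Hash of the exact published search string; any edit to it changes the hash."""
    return hashlib.sha256(search_string.encode("utf-8")).hexdigest()


# The published, committee-approved register (constructed). The key is the
# fingerprint of the search string exactly as it was published and approved.
APPROVED_SEARCH = "condition == 'asthma' and age >= 18"
APPROVED_REGISTER = {
    fingerprint(APPROVED_SEARCH): {"purpose": "example research request",
                                   "paid": True},
}


def parse_search(search_string):
    """Parse "field op value and field op value ..." into (field, fn, value)
    clauses. Only the operators in OPS are accepted, and nothing is eval()ed."""
    clauses = []
    for part in search_string.split(" and "):
        tokens = part.strip().split(None, 2)
        if len(tokens) != 3 or tokens[1] not in OPS:
            raise ValueError(f"malformed clause: {part!r}")
        name, op, raw = tokens
        if len(raw) >= 2 and raw.startswith("'") and raw.endswith("'"):
            value = raw[1:-1]
        else:
            value = int(raw)
        clauses.append((name, OPS[op], value))
    return clauses


def matches(record, clauses):
    """A record matches only if every clause names a field it has and holds."""
    return all(name in record and fn(record[name], value)
               for name, fn, value in clauses)


def run_search(search_string, records, register):
    """Run a search on the surgery computer only if its fingerprint is on the
    approved register, and return a count, not the matching records."""
    fp = fingerprint(search_string)
    if fp not in register:
        return {"status": "refused",
                "reason": "search string not on approved register"}
    clauses = parse_search(search_string)
    count = sum(1 for r in records if matches(r, clauses))
    return {"status": "ok", "fingerprint": fp, "count": count}


if __name__ == "__main__":
    print(run_search(APPROVED_SEARCH, LOCAL_RECORDS, APPROVED_REGISTER))
    # A one-character change to the approved terms is a different search.
    print(run_search("condition == 'asthma' and age >= 10",
                     LOCAL_RECORDS, APPROVED_REGISTER))
```

Because the register is keyed on the hash of the published text, the terms the committee approved and the terms the GP's computer executes are provably the same string, and a widened or reworded request is refused until it has itself been published and approved.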

3.  CONCLUSIONS

  CfH propose taking a dataset which is continuously generated in-house by GPs and Hospitals, copying it (there will be errors, this is a well-known property of this type of database) by force majeure and thereby taking control of the data and patient trust away from the GPs where it belongs, trying to call the copy the "definitive record" when it clearly isn't and cannot be, giving access to the copy to thousands of people without being able to effectively check need-to-know (and thus destroying any chance of even a modicum of security) and performing searches on the dataset in secret. At a cost of around £10 billion.

  This is £10 billion utterly wasted. There is no need to copy the dataset, and all the proposed functions (except the secret searches—non-secret searches are fine) could be implemented using the existing dataset in GPs' and Hospitals' computers, although a better N3 network might be needed—but my last broadband 2Mb/s to 8Mb/s upgrade was free. The cost of doing it this way, mostly in staff training, would be in the low hundreds of millions rather than the billions.

  So why have they done it this way? I do not know. It seems that around 2002 someone made a policy decision that all records were to be kept centrally, and a year or so later they discovered that this would not be practicable—but it's hard to find out who made the decision. CfH etc. then came up with this mishmash of proposals which not only has the privacy, security and operational disadvantages of a centralised dataset, but which also has problems of its own, like synchronising databases.

  I was originally going to title this "Redesigning the Spine", but I cannot see much evidence that it was ever designed in the first place.

Peter Fairbrother

March 2007
© Parliamentary copyright 2007
Prepared 25 April 2007