NHS patient privacy: time to take action for the sake of Britain's health
01 February 2012
By Kurt Long
The NHS must protect patient data if it is to succeed in the vital task of harnessing the immense power of electronic systems in order to deliver better care, argues one privacy breach detection specialist
Dramatic changes are taking place which mean that leaders in healthcare must rapidly become leaders in patient privacy. This is essential for the reputation of their organisations and the protection of patients and staff. Events are being driven by two powerful and converging forces – demand and regulation.
The Prime Minister's announcement that telecare services will be rolled out to three million patients underlines the speed at which electronic healthcare is being mainstreamed. At the same time seismic shifts are underway in the formal rules, and public expectations, on confidentiality.
All this places a huge weight of expectation on the NHS, especially when it is battling to save billions of pounds. But it is essential that CEOs, CIOs and other senior managers seize the initiative and make the swift transition to a health service predicated on the sharing of electronic patient information. All of them will recognise that this is only possible if clinicians and patients have faith that patients' personal details are secure.
Patient data is highly vulnerable
The unfortunate reality, as senior executives will also be aware, is that the enormous mass of personal information they hold about citizens is highly vulnerable. I am not referring to the regular, corrosive stories of lost laptops and memory sticks. The far greater threat comes from staff abusing their access rights to computerised records. Well-publicised examples include that of Dr Andrew Jamieson who was caught accessing the records of high profile patients while at Queen Margaret Hospital, Dunfermline.
While celebrity cases attract the biggest headlines, our evidence, from the UK and overseas, is that a typical large hospital will see staff gaining inappropriate access to patient records three to five times a day. The scale of the problem was underlined by the Guardian Healthcare Network's use of the Freedom of Information Act to reveal that 30 London trusts had recorded 899 data breaches between 2008 and 2011.
This type of intrusion may reveal details of sexually transmitted infections, pregnancy terminations or mental health issues. A survey we carried out showed widespread public concerns across the UK about how the leaking of personal details could have a devastating effect on people's family and professional lives. In some cases information has been used for criminal purposes. In hospitals worldwide we find that snooping into patient files is frequently linked to fraud – the NHS is no exception.
The current situation with staff data breaches is serious but it could get much worse. David Cameron's 'industrial scale' telehealth scheme makes information more vulnerable because it is shared by ever-more diverse groups and organisations. Andrew Lansley's proposed structural reforms will create a second area of vulnerability by introducing a range of new providers to the NHS.
These problems are no argument against the greater sharing of electronic information. The replacement of manual systems with electronic records, and the ability to exchange and update patient data in real time, is a fundamental necessity to the delivery of joined-up care. It will also be the critical mechanism for the growth in individually tailored healthcare. That may be in the form of more proactive measures to encourage wellbeing and manage chronic illnesses, or making full use of genetic data to mould and individualise treatment strategy for cancer patients.
The free flow of data is paramount
Any obstacle to the free flow of data can hamper, or even derail, progress. Breaches by staff snooping represent a profound risk because they strike at the reputation of the NHS in general, and the hospital and its managers in particular. One potential consequence is that patients opt out of electronic records systems. This could be a real headache, especially as the Westminster government, and the EU, increasingly see information as the property of the patient, not the system.
Clinicians, as traditional – and sometimes jealous – guardians of confidentiality, could also refuse to use systems they see as unsafe. The issue is not only about what someone's personal details could be used for. It's about what happens to outcomes if patients lose faith in doctors. An independent survey we commissioned of 1001 respondents in the UK showed that nearly 54 per cent have, or would, withhold information about a sensitive personal medical matter from a healthcare provider with a poor record of protecting patient privacy. A little over 38 per cent have, or would, put off seeking care for a sensitive medical condition due to privacy concerns.
What is immensely positive is that there is a huge amount of trust in the NHS. This was recently underlined by a European Commission-sponsored survey into data protection attitudes. Some 83 per cent of Britons (compared to a European average of 78 per cent) had faith in health institutions to protect their personal information, a level of confidence echoed in our own findings. However, the UK has recently seen how quickly confidence in its institutions can be damaged by issues of data misuse and allegations of fraud. MPs' expenses, media phone hacking and newspaper relationships with the police provide three examples. The same must not happen in health.
Rules and reputations
The regulatory environment is becoming tougher. The Information Commissioner's Office (ICO) has just published its new strategy. The commissioner, Christopher Graham, followed this up by warning in his blog that: 'The ICO is gearing up to defend information rights in 2012'.
Meanwhile Brighton and Sussex University Trust may become the first NHS organisation to be fined by the ICO for breaching the Data Protection Act after computer hard drives ended up on eBay. The threatened £375,000 penalty is, arguably, less of a worry than the potential reputational damage in an era when patients and commissioners have growing choice over service providers, and when the public show little willingness to forgive managers when calamities occur on their watch.
The EU Commission is also toughening up measures on data protection. The proposals include a demand for explicit consent, greater rights to have information deleted and a duty to inform individuals and data controllers of breaches within 24 hours. Many UK hospitals will face major challenges in meeting new national and international requirements. More than that, they are often dependent on ineffective monitoring systems which show very clearly that they have a problem, but are too slow and resource intensive to sort it out.
Fortunately, solutions are available which can put NHS healthcare providers back in charge, allowing them to monitor, detect and deter staff breaches of patient data. Scotland is leading the way, with Wales and some far-sighted English trusts not far behind. Yet many English NHS organisations have still not decided to confront the privacy issue, effectively hoping that regulators, police and patients' lawyers never come knocking on their door.
Huge public investment is going into NHS IT systems which, because they lack sustainable data monitoring, have a hole at their heart. This needs to change. The boards of every NHS organisation need to have security high on their agendas, recognising it is a key issue for patient care and for their own reputations. Budgets and resources must also be allocated to the specific job of tackling patient record breaches by staff. Once this happens, NHS leaders will not only be able to meet their legal obligations but will have laid firm foundations on which to build ever-more sophisticated and effective forms of electronic patient care.
Kurt Long is CEO and founder of global privacy breach detection specialists FairWarning