Opinion Article: Public Confidence in NHS Integrity is Under Threat from Staff Breaches of Confidential Patient Information

By Kurt Long, Founder and CEO of FairWarning Inc.
The ability to share computerised patient information represents one of the great hopes for the NHS as it battles to build a sustainable future. Trusts across England are investing tens of millions of pounds in the latest generation of advanced electronic health record (EHR) systems to improve productivity, efficiency and outcomes. Yet along with the benefits comes risk - the immense potential damage from patient privacy breaches.

While media awareness often focuses on lost laptops and memory sticks, there is a deeper problem, and it's endemic. At any given moment there are NHS employees using legitimate logins and access rights to get hold of information they have no right to see. This can, and must, be stopped immediately. Policy-makers and NHS leaders need to insist that security is baked into every IT project involving personal data.

Nosiness or malice?
Over the years there have been disturbing cases where staff have rifled through the records of celebrities, family members, love rivals, ex-partners or colleagues who spurned their advances. NHS Bury recently warned 189 patients that their records might have been leaked, while six staff breaches were reported at Doncaster and Bassetlaw Hospitals NHS Foundation Trust - among them a nurse accessing her daughter's father's test results. In 2010 a male Hull Primary Care Trust (PCT) employee admitted accessing the records of 330 women. Previously NHS Fife contacted seven BBC journalists following claims that a doctor had been accessing their records - the newspapers claimed that he also called up the private details of Prime Minister Gordon Brown and of famous footballers.

It's sometimes argued, especially by defence lawyers, that the culprits were merely being nosey. Sometimes this is doubtless true, but years of experience in breach detection show that malice is the close companion of rule-breaking curiosity.

Trawl through past news coverage of data breaches and you will find that confidential patient data has been used for many overtly criminal purposes, from identity theft and fraud to blackmail or burglary.

And what about nosiness? Why would people who show contempt for the privacy of others keep the details secret? What do we say to the patient who believed that hospitals kept mental health records properly secure, but now discovers they have been leaked to their boss and their career prospects are shattered?

It is unlikely that there is an NHS chief executive, board member or IT chief who is not aware of the ease with which many staff can inappropriately access patient data. They will also know that their existing security procedures often only identify a small percentage of the breaches regularly taking place within their organisations. Even if there are only a tiny number of bad apples among their staff, most UK hospitals are currently wide open to abuse.

Scotland's NHS shows the way ahead
Despite sounding gloomy, I am fundamentally optimistic, having seen the decisiveness with which the health service can act when patient privacy rises to the top of the agenda. The Scottish NHS is a fantastic example. Its work to develop a national Emergency Care Summary, allowing clinicians instant access to the data they need to make the best possible decisions at the point of care, is truly impressive. This is part of a wider appreciation that the capacity to access and update patient records any place, any time, is essential if the NHS is to deliver the best for all.

At the same time as harnessing the power of IT to improve patient services, Scotland realised that everything could be jeopardised if patient privacy was not a core issue. Various of the 14 territorial health boards had already suffered painful experiences with privacy breaches.

My company was invited to establish an advanced electronic monitoring system at certain boards that could detect abuse of records systems, identifying precisely who accesses what and when, and using sophisticated techniques to spot suspicious activity. The levels and types of misuse were similar to those in North America, even though the UK system is public rather than private, so there is less personal financial data being stored.

The two boards which were first to set up new electronic monitoring systems understood that tackling privacy breaches is not just a technology issue: it's also about organisational culture. Once monitoring was underway, staff were informed that any abuse could be seen and that disciplinary action could be taken. The deterrent effect was enormous and brought an 80%-90% nosedive in cases of inappropriate access.

The HR teams then faced a more manageable task in dealing with those who, for whatever reason, carried on misusing the records system.

NHS Scotland saw that, in an age of connected health, they could not have disconnected security. With summary care records being made available throughout the country, it would be unacceptable to slam the door on privacy breaches in one area but leave it wide open elsewhere. So a country-wide monitoring scheme is now being implemented.

Greater freedom and tough sanctions
Wales and Northern Ireland are showing a great deal of interest in protecting patients from privacy breaches. The ongoing dissolution of the National Programme for IT (NPfIT) is giving trusts in England greater autonomy over their technology. Some are moving fast to ensure their EHRs will be secure to the core - whilst others are less agile.

Government and regulators are treating data issues with increasing seriousness. The 2010 NHS Constitution enshrines the right to privacy and to expect the NHS to keep confidential information secure. In July the Information Commissioner announced that he was determined to counter the 'disturbing' culture of NHS data losses and breaches. The Information Commissioner's Office (ICO) website contains numerous examples of action taken to force trusts to comply with the DPA after data losses, including one from this April where the CEO of NHS Birmingham East and North had to sign an undertaking after it was found that staff could access electronic files unrelated to their work.

Sadly, patient privacy has often failed to get the priority it deserves as the NHS rushes forward, eager to harvest the great goods offered by EHRs. This is problematic because confidentiality and clinical practice are linked. Patients worried about privacy will sometimes delay seeking treatment, or fail to give the full facts. So privacy can affect outcomes.

Confidence is vital
Data disasters can shake public faith in an entire hospital or trust. As the government increasingly pushes an agenda of patient choice in England, this could mean that news of breaches will push people elsewhere for treatment.

The seriousness of the situation was made clear in 2010 with the Information Commissioner's Office revelation that the NHS was responsible for a third of reported data security breaches. In May details were revealed of 899 breaches (of many different kinds) at 30 London trusts from 2008 to early 2011. The numbers were highest at NHS Barnet and Chelsea and Westminster Hospital Foundation Trust.

As the NHS undergoes immense transformations, and information sharing spreads, the need to comply with the regulations will keep growing. So too will public anger about staff breaches of security, especially in organisations which knew their systems were vulnerable.

The fact that solutions are readily available means that the patient data security problem is a relative doddle for senior management teams to solve. Repairing a battered reputation after a serious breach is much tougher.

Then there's the bigger picture. The future delivery of effective and sustainable services demands the rapid development of e-health. The storing and exchange of confidential information is its foundation. If the public, and policy makers, are confident that the health service can be trusted with sensitive information then impressive things can be achieved. If not then the integrity of the NHS comes into doubt and some of our greatest hopes for better healthcare could fail and crumble.

About FairWarning®
FairWarning® invented and is a global leader in “privacy breach detection” solutions for electronic health records (EHRs). Founded in 2005, FairWarning® has grown 100% or more in every subsequent year. The company’s privacy breach detection software solutions are compatible with over 125 electronic health record systems and are delivered as a turn-key appliance with over 200 proprietary privacy breach analytics included.

FairWarning's healthcare customers represent 600 hospitals and 2,200 clinics across the United States, Canada and the United Kingdom. Customers consider FairWarning® privacy auditing solutions essential for compliance with healthcare privacy regulations such as ARRA HITECH privacy and meaningful use criteria, HIPAA, and other regulatory responsibilities, as well as for avoiding the risks and costs associated with a major patient privacy breach.

FairWarning® has offices in the United States, London, England and Paris, France.

www.fairwarningaudit.com
