Everyday NPfIT security breaches - don't tell us says NHS head

The overall senior responsible owner of the NHS’s National Programme for IT [NPfIT] has said the Department of Health does not wish to be told of day-to-day breaches of security.
David Nicholson, Chief Executive of the NHS,  was being questioned by a Labour MP Don Touhig about the IT programme and the security of its databases of medical records.

At the same hearing of the Public Accounts Committee, Nicholson said that NPfIT’s systems were “more secure than internet banking”.

But Touhig, a former Labour Defence minister, said this assertion by Nicholson was “recklessly courageous”.

 Touhig is concerned that NHS organisations are not compelled to notify Connecting of Health – which runs much of the NPfIT – of all security breaches.

At the committee’s hearing into the NPfIT, Touhig asked Nicholson how Whitehall officials know when confidentiality has been compromised if NHS organisations do not tell Connecting for Health, which runs much of the NPfIT? Touhig added that Whitehall should be told of security incidents in trusts.  “How on earth do you know whether your processes are working otherwise?

Nicholson said: “In terms of the NHS as a whole what we are saying is that they [NHS trusts] should identify them [security breaches] in their annual reports and publish them –

Touhig interjected: “A bit late then.”

Nicholson said that strategic health authorities should publish breaches on their websites once a quarter and “the significant ones should be reported on the system”.

In the most serious cases the NHS can report a “Serious Untoward Incident“. He added:

 “… If many records are lost, or whatever, they [NHS trusts] would have to report to us centrally but for the day to day breaches in security of a relatively minor nature, in the sense of the scale, we would not expect to identify every single one to the centre. We cannot work on the basis that everything that happens in the NHS gets reported to the centre for us to be assured that everything that is supposed to happen does happen. That’s simply not practical.”

Touhig said:  It’s security we are talking about here. It’s a key issue”.


What follows is the exchange between Don Touhig and David Nicholson [Chief Executive of the NHS] on the security of the National Programme for IT. It took place at the Public Accounts Committee on 16 June 2008:

Don Touhig: Mr Nicholson, I see that in January 2004 you were awarded the CBE for services to the NHS. That is fact.

David Nicholson: I am sure – I think —

Touhig: I think it should be for courage because anybody who would go on Radio 4, the Today programme, as you did just before Christmas last year, and state that the
NHS care record service would be considerably more secure than internet banking is recklessly courageous. Why did you make that statement? What does it mean?

[Nicholson told the BBC “Today” programme on 24 December 2007 that NPfIT databases of medical records are more secure than internet banking. Nicholson told Today’s John Humphrys: “This is a level of security way beyond what is currently in internet banking.”] 

Nicholson: It means the levels of security and the technical mechanisms we have make it more secure than internet banking.

Touhig: I do admire your courage. It is an impressive claim to make but can you understand that doctors and patients will have some doubt and some concern about security of their records in view of the breaches that have taken place in the past?

Nicholson: Yes, I can perfectly understand why people will be concerned. That is why we have taken the time and the effort we have to get ourselves to where we are today.

Touhig: We are not quite sure where you are today, are we? The Care Record Guarantee … also seems very impressive but so did Revenue and Customs’ policy on data security before a massive data loss last year, and the MoD’s before they lost the details of 600,000 applicants who planned to join the Armed Forces. The policy always sounds good, does it not, but is it deliverable?

Nicholson: The NHS is a massive system, £1.3 million people work in it, a huge number of organisations; those organisations are responsible for the security of their data; it is hard-wired into people in the NHS around confidentiality …I think we are in a good place as far as security is concerned. There always will be circumstances, and when circumstances do take place, then we need to make sure we react rapidly, and we do.

Touhig: Revenue and Customs’ policy was: ‘We use leading technologies and encryption to safeguard your data and operate strict security standards to prevent any authorised access to it’, yet they still managed to lose 25 million people’s records not because of any failure of the system but because people failed to follow proper procedures …[quoting from a report on the NPfIT by the National Audit Office: ‘Security incidents which relate to locally managed processes … are dealt with by the local NHS” and there is no requirement for NHS Connecting to be notified of any security breaches. So how do you know?

Michael Thick, Chief Clinical Officer, NHS Connecting for Health: “Previously with manual records it was a favourite sport in secondary care hospitals for people to look up relatives’ records and members of staffs’ records and we had absolutely no way of checking whether or not it had been done. With our current security arrangements we have an audit trail so you can see who has been looking at what and when and for what purpose, and unless they have a legitimate reason for doing so then they will be called to account for doing it locally, and that is a massive advance on where we were before.”

Touhig: But does it not seem to make some sense that, if there are security incidents in a locality, within a trust, there is some warning to the centre that this has happened? How on earth do you know whether your processes are working otherwise?

Nicholson: In terms of the NHS as a whole what we are saying is that they should identify them in their annual reports and publish them.

Touhig: It is a bit late then.

Nicholson: That the Strategic Health Authority should publish them on their website once a quarter, and that for those significant ones they should be reported on the system. It is simply impractical for us in the centre to deal with the day-to-day – you know a set of case notes going missing or whatever – it is simply not practical.

Touhig: But if you are merrily working on a system that appears to be working fine with everything going swimmingly well, and you have to wait for some Trust to produce an annual report to find out it has failed somewhere, that is a bit slow, a bit late, isn’t it?

Nicholson: They obviously have to identify and set out for us if there is a serious untoward incident. If many records are lost or whatever they would have to report to us centrally, that is true, but for the day-to-day breaches in security of a relatively minor nature, in terms of the scale, we would not expect to identify every single one to the centre.

Touhig: But if the central body is not even informed of all security breaches, how will you form a clear picture as to whether or not the security measures you are putting in place that you are have talked about are actually working?

Nicholson: Because we can identify them through the annual report and the quarterly reports of the Strategic Health Authorities, and through the notification of the major system —

Touhig: But are you saying that if there was an issue that cropped up, that you would then perhaps take some action, maybe six, eight or nine months after it had occurred because that is when the annual report has come out …

Nicholson: But it is individual organisations. There are a large number of boards/organisations out there in the system who are responsible for that. They would have to report them to the Information Commissioner in the same way that we did. We cannot work on the basis that everything that happens in the NHS gets reported to the centre for us to be assured that everything that is supposed to happen does happen. It is simply not practical.

Touhig: Well, this is security we are talking about here. It is a key issue, is it not?

Nicholson: Minor security they have to report in their annual report; medium issues the Strategic Health Authorities report quarterly; and if there are major security breaches they tell the centre straight away.

Touhig: I am short of time so I would appreciate if you could keep your answers brief. I think you are putting your claim on the Today programme somewhat at risk by that approach….”


NHS password sharing and business requirements – Stuart King

Password-sharing hinders probe into serious blunder

Password-sharing: Don’t shoot the doctors as clinical lead