NPfIT security warning after NHS staff view celebrity record

This a longer version of an article published in Computer Weekly and on

An NHS primary care trust has warned of a new risk to the confidentiality of medical records stored under the National Programme for IT [NPfIT] after a celebrity was admitted into hospital and more than 50 staff viewed the patient’s records.

The warning by North Tees Primary Care Trust raises questions about whether hundreds of thousands of NHS staff who would be able to view electronic records under the NPfIT would have their accesses to information policed robustly.

Systems that support electronic patient records – a central part of the NPfIT – produce audit trails of who has accessed what information. But it’s unclear whether busy NHS employees would have adequate time to police audit trails

And Computer Weekly has published evidence of a culture in the NHS that is incompatible with tight lax security. Smartcards have been shared so that busy doctors can share PCs without having to log on and off each time. This means it can prove difficult to establish who has accessed confidential patient information.

North Tees Primary Care Trust says that the unauthorised access by staff of patient records presents a “new security risk” under the Department of Health’s Care Record Guarantee – which gives an undertaking to patients that their confidential data will be protected from unauthorised access.

The trust says in a paper to the Board:

“A new security risk … has been identified as part of the Care Records Guarantee. This risk is around staff inappropriately accessing [a] patient’s records who are not part of their care load. It was noted in an audit that a recent admission of a celebrity to a hospital had revealed over 50 staff viewing the patient record… Staff should only access records of patients with whom they have a legitimate relationship.”

The document paper adds that trusts have to demonstrate that regular audits are undertaken and that they have “disciplinary procedures in place to deal with breaches”.

If staff wanted to access the medical records of a well-known individual or anyone else they were interested in, the risk with paper-based medical records would be smaller because the files would ordinarily be held in one location, and may not be accessible remotely. It’s unlikely that dozens of staff could view a paper record without drawing attention to themselves.

Evidence on the security risks of electronic records was submitted to the House of Commons’ Health Committee by the UK Computing Research Committee, which is an expert panel of the British Computer Society, the Institution of of Engineering and Technology and IT-related scientists.

It said: “As a general principle, a single system accessible by all NHS employees from all trusts maximises rather than minimises the risk of a security breach. It increases … the opportunity for access to any one patient’s data from some point on the extended system… it is important that a formal analysis is carried out to identify risks and show that they have been reduced as low as reasonably practicable.”

A spokesman for North Tees Primary Care Trust said the accessing of a celebrity’s records took place elsewhere, not within the trust. The spokesman was unable to give any details of the incident or where it took place.


Smartcard sharing by an NHS trust – a breach of IT security or a practical way around slow access to the NHS Care Records Service?

Care Record Guarantee [for example on the confidentiality of patient data]

Loss of 1.3 million sensitive medical files in the US – possible implications for the NHS’s National Programme for IT

Department of Health and Connecting for Health security flaws

Major reports on NHS and NPfIT

Evidence submitted by UK Computing Research Committee to the Health Committee on the Electronic Patient Record

Report raises further NPfIT concerns – British Computer Society [Security]

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

The only thing surprising about this incident is that anyone should be surprised!Ross Anderson pointed out the risks in 1995...

I *would* be interesting to know more about this incident - including whether it actually occurred.

The report was put in by Primary Care Trust but occurred in a hospital, and involved 50 staff accessing the patient record, the implication being that many of these accesses were inappropriate, and that 50 staff accessing the record was in excess of the usual number needing access: in a complex case, 50 might be conservative..

Why is the PCT involved?

I thought this sort of access by people without a legitimate relationship was to be dealt with by the employer, i.e. the hospital trust.

The story may well be true - vulgar curiosity (and worse motives) exist everywhere - and controlling access in an environment where there may be no time to authorise a legitimate relationship in a cardiac arrest must be a nightmare, both organisationally and technically: doesn't explain the PCT's involvement

This is yet another example of how technologies introduced for the greater good, allowing information sharing and more effective working, are also an Achilles Heel if not properly secured.

Historically, there has been too much emphasis on encryption and authentication of data at the expense of monitoring what authenticated users are actually doing with the data when they're given access to it. As Pirelli’s mantra goes…‘Power is nothing without control’.

The key to protecting information from internal audiences with inquisitive minds is in securing and monitoring access to the database with the use of more intelligent behavioural analysis technologies. If NHS Trusts don’t follow the lead of the more forward-thinking government departments soon, similar unfortunate news stories will be peppering the front page of Computer Weekly for years to come.

This should not come as a suprise to anyone. If Leeds Teaching hosptal can have 70,000 inaproprate access to information, including medical information, in just 1 month, then anything can happen. Having had people read through my records out of curiosity I know how much damage can be done to patients.