Tighten up smartcard access to protect patient data, warn GPs

NHS national programme for IT criticised over system's security and lack of confidentiality.

NHS national programme for IT criticised over system's security and lack of confidentiality.

Whitehall officials are facing a series of new disclosures over the NHS IT programme as they try to rebuild confidence in the multibillion-pound scheme.

They had to deal last week with criticisms over IT security and the lack of confidentiality of patient information, and with a failure of the data spine "backbone" after doctors were told the service was back to normal.

It has also emerged that a planned reorganisation of the NHS by the government is likely to lead to significant changes in contracts and plans of the national programme for IT (NPfIT).

Last week staff in GP surgeries were able to use their smartcards to read the personal details of patients who were not under their care. The central "Choose and Book" system imposed no block on how much information staff could see, whatever their roles.

Although the systems do not yet contain medical records, they hold sensitive information on some disabilities and online appointments made with consultants. The personal records also showed patient passwords, and allowed the user to alter a field which indicates whether the patient refuses consent for their records to be shared nationally.

Information between patients and doctors is regarded by the British Medical Association as sensitive and confidential. Even the existence of an appointment with the GP is classed as sensitive information. But staff in GP surgeries last week looked up details of patients not registered with their practices.

In the past, GPs have been assured by officials that the system would impose restrictions on what information staff could view or change according to the role  assigned on their smartcards.

Paul Cundy, a spokesman for the BMA's GP committee, said he was concerned about the apparent lack of restrictions on viewing patient details in the Personal Demographics Service and Choose and Book screens, part of the NPfIT systems.

GP Paul Thornton, who has written a paper on the NPfIT and the need for patient records to remain confidential, said, "Proper access controls are crucially important for protecting patient information and despite the reassurances of ministers, they are not yet in place."

A spokesman for Connecting for Health, which runs the NPfIT, said, "There have not been security lapses. Only staff with the right role allocated to them can access the Patient Demographic Service with a smartcard and their own unique password."

He said access to demographic data was crucial for health professionals to ensure they are able to identify the patient correctly and access and record information on the patient they are treating. Further access rights are required to see clinical information.

But doctors were critical of Connecting for Health's response. They said their trade associations have not agreed that any employee with a smartcard can access patient demographic information.

Nor, they said, has it been agreed that anyone with a smartcard can access details of patient appointments, their passwords, information on some disabilities, or change the "consent" field to sharing records.

The Information Commissioner's Office, which polices the Data Protection Act, said it was aware of concerns among GPs over alleged security weaknesses in the systems and its staff were in talks with Connecting for Health.

Meanwhile, the national data spine, a backbone of new national systems, suffered a protracted failure last week after Connecting for Health said the service had returned to normal following serious faults in December and early January.

A Connecting for Health memo seen by Computer Weekly dated 30 January said users nationally could not authenticate smartcards and therefore could not access any spine-enabled systems. BT, the spine's supplier, was investigating the cause.

These failures are hitting confidence in the systems that have been delivered. A report for the January board meeting of Southwark NHS Primary Care Trust, for example, said there had been some successes with implementing Choose and Book systems.

But the lack of availability of systems had "damaged GPs' confidence in the system". The paper said problems were continuing.

The government's planned organisational changes in the NHS, under the banner of a "patient-led NHS" are also likely to have serious implications for the NPfIT.

A paper presented to the board of West Midlands South Strategic Health Authority, dated 25 January 2006, said, "The proposed organisational changes and mergers to implement 'Commissioning a Patient-Led NHS' will require significant rework of current NPfIT plans and contracts."

Read more on Privacy and data protection