Medical records contain a wealth of information on patients, and any leak or breach of medical information is a serious one.
Scarily, an investigation has been launched into the security of a computer system that holds 26 million patients’ records. The investigation, launched by the Information Commissioner’s Office (ICO), is looking at whether the computer system complies with the data protection act.
If it wasn’t, who knows how bad this breach could be?
Concerns raised by ICO
The issue at hand is the “enhanced data sharing” function used in NHS systems. When a GP switches this function on, it can allow the medical records to be shared and/or viewed by thousands of NHS employees even if there isn’t a reason to do so. A spokesperson for the ICO said:
“…we do have data protection compliance concerns about SystmOne’s enhance data sharing function.”
The investigation centres around a system called SystmOne (owned by TPP), which is predominantly used by UK healthcare professionals. The system has been praised for ‘modernising IT in the NHS’ by simultaneously allowing GP and clinicians access to patients’ records and the patients’ contact with the healthcare service.
The investigation is looking into 2,700 GP surgeries that have been using SystmOne.
Data Protection provisions
Under the Data Protection Act (DPA), this may be seen as prohibited under Principle 2, where:
Organisations must be transparent when handling an individual’s data, and they must be clear at the outset as to why they are obtaining the information, and what they intend to do with it. It’s clear that not all NHS employees have specified or medical reasons to access the said GP records, which is where the major concerns have arisen.
Huge implications
Due to the nature and sheer size of the potential breach, BMA’s IT committee has written to GPs who use the system to take “urgent action”. BMA’s committees are officially recognised by health departments in national negotiations for NHS doctors. Chairman Paul Cundy noted his concerns, saying:
“This is a serious issue with potentially huge implications for patients, GPs and TPP. At the moment GPs are at risk of complaints being made against them.”
If the GPs and TPP don’t make immediate remedial action, they’ll face the backlash and will no doubt be in serious breach of the DPA.
According to The Times, TPP noted that they’re “making amendments” to the function, but doesn’t give further indication on what that might be.
The duty of keeping our records secure
Some have noted their disappointment in the system. One commentator on the Times notes that NHS databases never work because of their sheer size. Brian Vallance says that there’s a much easier way of keeping medical records which is “far more efficient, virtually cost-free and vastly safer”, and he notes that many public health services in Europe use this method.
Some may argue that privacy and confidentiality is dwarfing ‘clinical outcomes’. Some would rather A&E departments have easy access to records in case of emergency.
Source Info:
https://www.thetimes.co.uk/article/data-breach-fear-for-26m-gp-records-9zsjzpkwv
http://www.telegraph.co.uk/news/2017/03/17/security-breach-fears-26-million-nhs-patients/