News

Client confidentiality and anonymity could be seriously compromised by the new NHS computer system. Roger Dobson reports

Personal records of clients and patients are highly sensitive. They are also extremely valuable to outside agencies. In the USA personal health and social records are often sold to potential employers, insurers, credit rating companies and anyone else wanting detailed personal information.

In the UK records have traditionally been more closely guarded by individual social services departments, GPs and hospitals. The arrival of the computer did compromise security to some extent, because it was more difficult to protect a computer file or disk than it was to lock away a cardboard folder in a filing cabinet.

But security and confidentiality is threatened on a much larger scale, particularly for hospital social workers and those social workers who work in GP practices, with the imminent arrival of the NHS Net, a kind of mini Internet which will link hospitals, clinics, GPs, administrators and a host of other agencies across the country.

And with the advance of continuing care, there are fears social services departments will also be linked in.

On 1 April, the NHS clearing house went on line, linking all health units in the country. It is the first step in the creation of the NHS Net, and is taking over the task of handling the massive flow of contract data between purchasers and providers as a means to support the internal NHS market.

A huge amount of data will be stored, including records, raising worries that a few unscrupulous individuals may be able to hack into it. Doctors are being advised not to work with the new system.

Social workers operating in hospitals and GP practices could discover that sensitive information they hold on clients is finding its way on to the NHS Net. This could include personal data such as a clients' psychiatric treatment and history, their HIV status, and family abuse history.

The problem for practitioners is once that kind of personal information has been put in, they lose control over who has access to it and rely on the security mechanisms built into the NHS Net to prevent indiscretions.

And there lies one of the biggest problems, and the reason why the British Medical Association has advised its members to hold fire on putting data into the system.

Sandy Macara, chairperson of the BMA, says: 'The NHS Executive's strategy to link together all NHS computer systems, and some non-NHS systems, into an NHS-wide network would permanently destroy the individual's right to privacy and alter the nature of the doctor-patient relationship.'

The Association of Directors of Social Services is holding a watching brief. Buckinghamshire social services director, Jean Jeffrey, chairperson of the ADSS information technology committee, says: 'Social workers in hospitals will be using their own departmental recording systems, and where they come in contact with the NHS Net they will be subject to its own protocol.

'As the ADSS, we have not seen the NHS Net protocol and therefore cannot comment. But we are concerned to have information about it and need to know what others are doing.'

Until now, computer systems in hospitals or surgeries were not inter-connected and therefore any leak or breaking of the security rules remained a local problem. In the NHS Net, one weak link, a computer left logged on in an office or ward, would mean that the whole system could be compromised.

Ross Anderson, University of Cambridge lecturer, and author of a BMA report on the issues involved says: 'In many hospitals all users may access all records and users also often share passwords and leave terminals permanently logged on for the use of everyone.

'The introduction of a national network may turn local vulnerability into a global problem if systems with ineffective access control are connected together. Then instead of the data being available to staff at the hospital, it might become available to anyone on the network.'

He points out a national NHS computer network contravenes the guidance put out by the General Medical Services Committee and the Royal College of General Practitioners. They advise that no patient is identifiable, other than to the GP, from any data sent to an external organisation, without the informed consent of the patient.

Abuse of the system is another concern. In one known case a psychiatric patient used a computer that had been left logged on to change the amount of medication he was getting.

There are fears that outside agencies, which have nothing to do with the health and welfare of a patient, could gain access to sensitive information. Graham Winyard, the NHS Executive's medical director, underlines the need for security. 'We must always be vigilant in ensuring personal health data are only seen by authorised people.

'But the security measures we are implementing with NHS Net are new and a substantial improvement on networks currently being used.'

The NHS Net also raises concerns about the legal implications of putting data about clients into a computer network over which the practitioner has no control. If details of abuse within a family, for example, leak out of the system, who is legally responsible - the practitioner who put it in, the operators of the system, the NHS, or the agencies which use the information?