The debate over healthcare data security took a political turn today as the opposition called on the government to change its plans for central data storage in favour of local, interoperable services.
Shadow health secretary, Andrew Lansley, told the BBC’s Today Programme this morning that plans for the national database in England holding around 50m records should be replaced by storage on ‘local servers with interoperability between them.’
“What worries us in data security terms is if you create an enormous database you not only create opportunities for catastrophic data loss, you also create real opportunities for people all across the country – if they have access and proper passwords – to access other people’s data,” Lansley said.
Encryption was fine, he said, but there was a risk if many people had the passwords to get into the system.
“You have to look at the risks as well as the benefits…unfortunately the government only appears to have looked at some of the benefits and has not taken advice on the risks,” he said.
The Department of Health defended the centralised approach currently being rolled out and responded to Lansley’s comments saying that the planned central system had particularly strong data protection rules and the highest standards of security control.
NHS chief executive, David Nicholson, told the Today Programme: "We are listening to what people say about data security and we have a level of security built into the system which is way above industry standards."
Lansley’s comments came as a review of NHS trusts’ security showed nine reporting data losses, some already recorded in E-Health Insider. The trusts are: City and Hackney Primary Care Trust; Maidstone and Tunbridge Wells; Bolton Royal Hospital; Sutton and Merton PCT; Sefton PCT; Mid-Essex Care Trust; East and North Hertfordshire; Norfolk and Norwich; and Gloucester Partnership Foundation Trust.
Ross Anderson, professor of security engineering at Cambridge University, also interviewed by the programme, commented on one of the incidents at City and Hackney PCT where 160,000 children’s records were lost. Tight security ensured that the records were not accessed, but Professor Anderson asked: "How is it that somebody had access to 160,000 children’s records? Surely that’s not right."
He said that in banking, for example, no single employee would have access to so many records.
Nicholson pointed out that the National Programme for IT’s security, with username, password and smartcard access plus role-based access control, would ensure that individual staff had access to a relatively small number of records.
"The very thing that Ross Anderson is saying we need is exactly what we are putting into the National Programme for IT," he said.
The NHS boss defended the centralised approach to IT modernisation, pointing out that previous efforts to encourage "a thousand flowers to bloom" at local level had not produced the access to information needed for patient care.