A call from the Commons Health Select Committee calling for more transparency from Connecting for Health has been rejected by the government
In its official response to the committee’s report on the Electronic Patient Record the government turns down a recommendation that more information should be made available to the public on controversial issues such as security breaches.
At two points in its response, the government rejects these recommendations, claiming the information would ‘add no value to the public understanding.’
The committee called for the outcomes of BT’s security testing on national systems to be made public.
The government responded by saying it did not agree that the “detail of the outcome should be made public as there would be a risk of compromising security arrangements and, potentially, criminal exploitation of information if details of the testing became public.”
The committee also called for suppliers to publish details of all significant reliability problems along with a full incident log, following the power failure at the Maidstone data centre, which affected 80 trusts.
Connecting for Health says it already publishes statistics on service performance and availability on its website but "there is no intention to publish them more widely."
The response adds: “However, the government does not accept that the wider publication of full incident logs represents industry practice and the technical detail would add no value to public understanding…given the proven high resilience of the systems, the government does not agree that there is a need to change the current procedures.”
Charlotte Atkins, a member of the Health Select Committee, told E-Health Insider: “We want security breaches to be given the utmost priority. They must be something that you are able to track.”
The government stresses that all suppliers must meet comprehensive and detailed security requirements including penetration testing and compliance with international standards and stress that suppliers are obliged to report any breach of security requirements and to make recommendations for the remedy of any breach.
Offering reassurances, they write: “NHS Connecting for Health may call in a third party to monitor its suppliers and make reasonable recommendations in the event of a breach and/or escalate the matter for dispute resolution if the remedy proposed by the supplier is not acceptable.
“In the event of a breach of security incapable of remedy or that is not remedied, NHS Connecting for Health has the right to terminate the relevant contract immediately without paying compensation to the supplier.”
Atkins added: “We are glad to see these serious consequences for breaches, but are disappointed that this information will not be made public. We have seen in recent months celebrity cases of security breaches of their records and it is a shame that the government do not seem to be taking this issue as seriously as we are.”
Despite the committee saying there was now a ‘perplexing lack of clarity’ about delivery plans, and calling for all LSPs to publish detailed timetables for delivery, CfH says that no firm timetable plans for implementations of key systems will be published.
They say this is because “experience shows that, when a trust is maintaining essential patient services during an implementation, there must be some flexibility and movement in dates to account for local circumstances.”
The response adds that as responsibility for deployment, including planning, has now been transferred to the local NHS, the previous uncertainty factors, including “consultation and stakeholder engagement, software development, implementation issues and NHS operational needs”, should be eliminated, with the local NHS agreeing deployments with suppliers at the time of their choosing.
“Suppliers are being asked to map their proposals against the maturity model with key milestone dates,” CfH says, adding that the National Programme for IT (NPfIT) Local Ownership Programme “will address some of the problems that the NHS and suppliers have experienced over a lack of standardised processed to date.”
The government also pledged assurances that iSoft’s Lorenzo will be delivered within the terms and life of the NPfIT contract.
“Although the delays to delivery of the Lorenzo system have been disappointing for the NHS, deployments are scheduled for early adopter sites in the summer of 2008. recent demonstrations of the Lorenzo product to NHS clinicians and managers confirm that it meets the requirements and expectations of the NHS and provides improved confidence that the current planned timetable will be achieved,” the response says.
Confusion surrounding the Detailed Care Record (DCR) still remains with the government failing to solve the ‘explanatory vacuum surrounding DCR which must be addressed if duplication of effort at local level is to be avoided.’
The government accepted the recommendation that they should publish clear information about its plans for DCR systems, but did not go into detail about what it will actually contain. They say they will wait for the evaluation of the SCR before establishing future plans and promise to communicate a consent model for the system as clearly and as early as possible – adding patients may request that information sharing is ‘turned off’.
Atkins said: “The lack of clarity greatly concerns me as without it there is bound to be more concern over privacy issues. The government has accepted the need for clarity, and we hope to see this soon, so that patients are aware of what this big transformation actually is, and what there rights are.”
Links
Health Committee report on the Electronic Patient Record
The Government response to the Health Committee report on the Electronic Patient Record