
Sidewinder on summary care record security

Sidewinder

Bolton is at the forefront of NHS Connecting for Health’s summary care record early adopter programme. Security is a key consideration when it comes to giving both staff and patients access to the summaries being created for the first time.

In the latest of his regular columns, Davey Winder applauds the security features being implemented, but wonders whether they will survive a wider roll out.

Bolton Primary Care Trust has successfully put more than 50,000 summary care records onto the NHS spine (which means it has uploaded records for approximately 17 per cent of the Bolton population).

Even allowing for the fact that we are talking about just one area, working with just part of the dataset that will eventually be included, this seems a good moment to sit back and reflect upon what lessons might be learned from the security perspective.

There can be no doubt that brains have been racked in the search for confidentiality and security when it comes to making these summaries available on the spine. It does seem, at first sight, that Bolton and NHS Connecting for Health are doing everything right (which is no surprise - the industry’s eyes are watching!).

Staff access

The Bolton out-of-hours service will be the first to begin accessing these records, enabling staff to deal with around 900 calls per month from patients with a summary care record and so providing them with a more efficient service when their own GP is not available.

Patients can opt out of having a summary created, opt to have one created but only allow access when they give explicit consent, and opt to have one created and to make it generally available.

Even in the latter case, staff will only be able to access the records of those patients in whose treatment they are directly involved at the time (with a few legal over-rides); and every time they access the record a digital note will be kept.

During the next few months, staff at Royal Bolton Hospital’s A&E department and the PCT’s walk-in centre are also likely to be given access, following appropriate training that stresses the importance of following strict security guidelines.

Only staff who have satisfactorily completed the training will be able to access summary care records, and to do so they must be in possession of an NHS smartcard and associated PIN code.

 

HealthSpace expands

Patients will also be able to access their records via the HealthSpace portal. To do so, they will also need a smartcard. Obtaining one will involve a visit to a PCT registration office with no less than three different proofs of identity such as a passport, recent utility bill and photo driving licence.

An activation code will be required to confirm registration online, and this will be sent by post to the patient’s registered address, once checks have been completed.

Even that’s not the end of it, because once they have entered their username and password, patients must enter correct responses to three questions relating to a grid of numbers on the smartcard before they can view their summary.

 

Good so far: but is it scalable?

At the moment, this level of security may well be enough, especially as access to summary care records in Bolton will initially only be possible at a few key locations.

However, we are talking about less than 50,000 records, or, put another way, less than 0.1 per cent of the final volume of summary care records to be stored on the spine nationwide. Security needs to scale with that growth, and that is where my concerns lie.

I am not alone in this; the British Medical Association has already written to ministers asking them to refrain from a nationwide rollout of the scheme until all the pilots have been reviewed from a security and confidentiality perspective.

As the scheme grows, it is not just the number of patient records being stored that will raise confidentiality issues, but also the number of staff who will have access to them. We mustn’t forget that personnel well beyond the NHS environment may have rights to access the system - local authority social services departments, for example.

And is it actually “too secure”?

The very complexity of the triple-protection smartcard, PIN and challenge-response system could, ironically, be the weak link. The danger is that if the login is cumbersome and time-consuming then staff will connect to the spine and stay logged in rather than repeat the process – no matter what they have been told in training.

In such a scenario, it becomes all too easy for someone else to access records through that login. I applaud the manner in which everyone involved in the Bolton pilot has approached the implementation so far.

However, I am also convinced that to rush into rolling out the system nationwide, without due care and attention to the problems inherent in scaling up such a system, would be a folly that could seriously undermine the good work done so far.

About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.
