Which services should remain offline?

Yesterday I gave a talk on confidentiality at the EMIS annual conference. I gained yet more insights into Britain’s disaster-prone health computerisation project. Why, for example, will this cost eleven figures, when EMIS writes the software used by 60% of England’s GPs to manage their practices with an annual development budget of only 25m?

On the consent front, it turns out that patients who exercise even the mildest form of opt-out from the national database (having their addresses stop-noted, which is the equivalent of going ex-directory — designed for celebs and people in witness protection) will not be able to use many of the swish new features we’re promised, such as automatic repeat prescriptions. There are concerns that providing a degraded health service to people who tick the privacy box might undermine the validity of consent to information sharing.

On the confidentiality front, people are starting to wrestle with the implications of allowing patients online access ot their records. Vulnerable patients — for example, under-age girls who have had pregancy terminations without telling their parents — could be at risk if they can access sensitive data online. They may be coerced into accessing it, or their passwords may become known to friends and family. So there’s talk of a two-tier online record — in effect introducing multilevel security into record access. Patients would be asked whether they wanted some, all, or none of their records to be available to them online. I don’t think the Department of Health understands the difficulties of multilevel security. I can’t help wondering whether online patient access is needed at all. Very few patients ever exercise their right to view and get a copy of their records; making all records available online seems more and more like a political gimmick to get people to accept the agenda of central data collection.

We don’t seem to have good ways of deciding what services should be kept offline. There’s been much debate about elections, and here’s an interesting case from healthcare. What else will come up, and are there any general principles we’re missing?

7 thoughts on “Which services should remain offline?

  1. Unfortunatly in some parts of the country you have no chocie, dorctors ect have grouped together and put your details on line through things like chose and book.

    You get no choice, you receive a piece of paper through the post saying you have consented and that you have been through it with your doctor / consultant / who ever and that you have a password that you selected.

    Well the sad truth (in my case and many others I have spoken to) is that there was no consultation they select your password and they might remember to send it to you (or as in my case they don’t). But more importantly this same self paswword ends up on a piece of paper that gets sent to the doctor / consultants secretary….

    So much for a secure reliable system where you can make a choice….

  2. I was not at the conference although I am sitting here with an EMIS system running in front of me!
    On line access to the full medical record is still a niche product. By far the greatest requests to view records come from lawyers rather than directly from the patients themselves. The nature of consent to these requests has occasionally been questioned – along the lines mentioned above. On line access would certainly make things easier, and cheaper, for practices. From the patients point of view their representative gets the details more quickly. Still it is hardly of earth shattering significance.

    Where the systems are likely to cause problems is in partial access to medical record which is increasingly common and popular. A prime example of this is EMIS’s own system for getting repeat prescriptions. There is obviously a demand for this sort of service but the system will present you with a list of your current medication.
    Medication lists are arguably the most sensitive part of a medical record. Most chronic conditions leave a distinctive ‘footprint’. Salbutamol=asthma, fluoxetine=depression, mifepristone=termination of pregnancy or foetal death, olanzepine=psychosis etc etc.

    So certainly full access to medical records is not the top service to go on line, but the issues involved are not limited to that case.

  3. At the risk of seeming a bit obsessive another issue has arisen this week, which perhaps gives some idea as to the online thinking.
    A GP had an appointment made using the “Choose and Book” system. When a patient has a referral made under this system two sheets of paper are produced. One has booking details and a booking number (UBRN) and the second has a password. The password is in the format of all of those AOL CDs that used to fall out of magazines – two random words.
    Crucially every time that the patients details are brought up in the choose and book application – and that could be anyone with access to choose and book – at least 50,000 people – the password is displayed next to the name and address. Much of the security of the NHS system is dependant on all people in it being trustworthy.
    It probably pays to stop and consider the threat model here. The password prevents somebody guessing the UBRN and booking an appointment in that name at one of the hospitals specified in the referral in a clinic that is also specified. By guessing it would be difficult to pinpoint a specific individual and if you had access to the application to tie a UBRN to an individual you could see the password anyway.
    So back to the GP. Having some regard to security he decides to change his password. He goes to the Choose and Book website and changes his password. As with most people he has a pool of passwords which he uses. He picks one of them.
    He then discovers that his new password is visible to all through the Choose and Book application. What was previously a somewhat pointless password has been converted to something which would allow a user who was less than straight and true to get his password to other sites, email etc,etc
    But was it really pointless?
    Well this is not a one time password. This is a password for life. Its existence and use on the healthspace site suggest that it will be the key to many of the services Ross talked about above.
    Password management across 50 million people with differing and changing levels on competence and not even and email address is at best difficult at worst ignored. The foundations are in, and they are made of cardboard.

Leave a Reply

Your email address will not be published. Required fields are marked *