Memorandum by Peter Fairbrother (EPR 43)
1. INTRODUCTION
My name is Peter Fairbrother. I am a cryptologist
with a special interest in the design of secure systems.
1.1 The Patient and GP today
As a patient I may tell my GP or Consultant
information which I wish them to keep private—by which I
mean I do not want them to tell anyone else, unless necessary.
I rely on them to decide when it is necessary for them to tell
anyone else, mainly if the information is of clinical significance
to my treatment.
My GP also knows less sensitive information
like my address—again, I would not want him to give it out
unless he thinks it is necessary or appropriate.
GP's surgeries have now for the most part been
computerised and interconnected, and it is easy for a GP to decide
on a set of rules under which he gives out or does not give out
different types of information, or to place a particular piece
of information in a different category—for instance my address
is not very secret, but that of a film star or protected witness
might be much more secret.
1.2 Data security and privacy in the existing
patient-GP relationship
There are two important security/privacy aspects
to this—trust, and need-to-know. I decide whether to trust
my GP to decide when it is important that information be available,
and to keep it secret when it is not. If I decide I cannot trust
him I can choose another GP.
Need-to-know is a very powerful security technique
designed to minimise the number of people who know a data item
(as a rule of thumb we consider that the security of a secret
is inversely proportional to the square of the number of people
who know it), and in large systems need-to-know is essential for
any kind of security.
Need to know means that only people who need
to know a data item can access it—but it also implies that
the person who decides whether a person has a need-to-know himself
needs to know the data item in order to make that decision.
In general, it is both necessary and convenient
that the person deciding is a person who already knows the data
item, ie he needs to know it for his own reasons, and the function
of deciding whether another has need-to-know is given to him for
that reason. In the medical context, it makes even more sense,
as the GP (unlike the system operator) will be trained in medicine,
and can decide when it is clinically important to give out data.
1.3 The spine
The spine is a collection of proposals, many
innouous or even sensible, but including the attempted centralisation
of data and centralisation of control of access to that data.
I say "attempted" because in large part it is unlikely
to be feasible. This will be done by taking copies of data in
GP and Hospital records, and making the copies available according
to some access strategy.
There is some remaining question of whether
the GP and Hospital records might be stored centrally instead
of in the GPs surgeries, but this would be very hard to do, very
expensive, and would result in a record system which would be
eg fragile in the case of a national emergency, so I do not think
it should happen.
1.4 Patient data security and privacy after
the spine
The proposed spine, especially the PSIS and
LSPs, make the decision-to-trust impossible—there is no
point in choosing another doctor if I don't trust the one I have
to keep secrets, as the doctor does not keep the secrets any more.
More important, they destroy any effective need-to-know
policy—if implemented, no matter what the access policy
rules are, any person of criminal intent will be able to access
medical records at will. This has clinical significance as well—the
patient may decide not to tell the GP something relevant to his
treatment.
The next part is about the design of the spine,
including some suggestions for changes. These are mostly about
how the existing databases in GP's surgeries and Hospitals could
be used without duplication to perform all the functions needed
or proposed. These suggestion are meant to show what is possible
rather then to be a prescriptive guide—if nothing else,
space prevents me from attempting that.
2. DESIGNING
THE SPINE
The Spine is the name given to the proposed
national database of key information about a patient's health
and care, which will form the core of the NHS Care Records Service
(NHS CRS) part of NPfIT.
The spine consists of the Transaction Messaging
Service, the Spine Directory Service, the Personal
Demographics Service, the Personal Spine Information Service,
Local Service Providers, the Secondary Uses Service,
the Clinical Spine Application, and an Access Control
Framework.
There is another function needed, some form
of staff identity authentication—this varies from the NH-ID
card to local authentication schemes, none of which seem to work
well.
2.1 The Transaction Messaging Service
is non-contentious (as long it is solely a messaging service between
Healthcare providers), and should be straightforward to implement.
The N3 virtual private network could provide the required connectivity
and confidentiality and the NHS card could provide convenient
and reliable authentication. Whether they will in fact do so is
another matter, but to do so is well within the bounds of present
art.
2.2 The Spine Directory Service is
also non-contentious. It could be implemented on a single server,
probably duplicated for reliability, and the information on it
would not change much.
2.3 The Personal Demographics Service
(PDS) is "the central and single source forpatient demographic
information, such as NHS number, name, address and date of birth".
It should also contain previous address data in order to make
it easy to identify patients when they move address or change
GP, and the patient's registered GP.
However, except in very unusual circumstances,
which could be dealt with manually, the only information it ever
needs to give out is the patient's NHS number and registered GP.
If an enquirer wishes to know the patient's
address they would request it from the patient's GP. If the patient
had not requested that their address be withheld then the GP's
computer would supply the address in about the time it takes an
internet page to load. This would allow famous people,witnesses,
and so on to hide their addresses by simply asking their GP to
withhold it.
Note that the decision whether or not to give
out the address lies with the GP, in accordance with the patient's
wishes. Note also that the GP's computer system does the actual
work, the GP only has to enter that the address should be withheld
once.
If he address request is refused, the enquirer
could send the mail to the GP's address for forwarding, or could
contact the GP or his surgery to explain why the address was needed.
2.4 The Personal Spine Information Service
(PSIS) is the most obviously contentious part of the spine, partly
because it is the part that is most likely not to be implementable
and partly because it is the most privacy-invasive part, and the
part that could be most misused.
Initially it was intended to contain all patient
records, but by about mid-2003 it was realised that that intention
would be impossible to implement, and the present proposal is
that the records contained in the PSIS are a summary only, with
the main records held in GP's surgeries and Hospitals.
There are two insurmountable technical problems
with the present proposal—it would be impossible to ensure
that the records held centrally and those held in GP's surgeries
and Hospitals match, and the legacy idea that the summary should
be the definitive record cannot stand. There is a third problem
which is probably insurmountable, or at least very expensive,
too—the methods we know about do not scale well to a database
of that size.
Leaving the insurmountable aside, there are
two more problem areas—cost, and privacy issues. The cost
of such a system would be huge, and the benefits are almost zero—it
does basically the same job as the Personal Demographics Service.
The only data contained in the PSIS in the latest
proposal which is not in the PDS is "patient allergies"
and "Courses of treatment undergone". However I see
no reason why patient allergies and "Courses of treatment
undergone" could not be held, like the rest of the clinical
record, at the GP's surgery. Again, external access to this information
is by request to the surgery.
Thus there is no need for the PSIS at all, nor
for anything to replace it—although it might be desirable
to upgrade the computers in GP's surgeries for better guaranteed
availability, which might cost £5,000 for each of the 8,000
surgeries involved, a total of £40 million. However as this
would remove any last possible justification for the PSIS, the
overall saving would be very large.
2.5 Local Service Providers (LSPs)
are also copying datasets, deciding access control strategies,
and taking control of patient data away from the GP and health
professional. The methods and policies vary according to region,
which is another matter for concern, but as the issues are the
same whether the action is performed by the PSIS or the LSP I
will not comment further—except to ask why there are five
of them? If they were providing off-the-shelf solutions and they
had good local knowledge it might make some sense, but to have
five sets of people doing simultaneous development of the same
thing seems absurdly wasteful.
2.6 The privacy issues surrounding the PSIS
and LSPs are wideranging, and the main driving force here is that
as planned it is technically impossible to limit the persons who
have access to a patient's medical records to eg those who have
the patient in their care. These issues are not just the result
of the PSIS and LSP datagrabs however, they more generally concern
who decides when information is revealed, and the freedom a GP
and a patient has to conceal information.
For instance if some information is embarrassing
or endangering to the patient for social reasons but is of no
clinical import, then there is no reason why it should be available
to clinicians even when they are treating the patient. However,
it might be useful to have it available for research or administrative
purposes. For research it might be available in anonymised form,
and for administrative purposes it might be available as part
of a statistic of how many times that event had occurred.
If the GP is free to conceal information in
these circumstances, then all the privacy issues go away—ar
rather they go on the shoulders of the GP, where they have always
lain. Note that the GP will be required to do very little to enforce
his privacy decisions and policies, the computer does almost all
the work, but he will have to make decisons and policies.
2.7 Access control framework
2.7a A prerequisite here is some form of
personal authentication, which does not seem to have been properly
settled. The NHS-ID card is having speed and scaling problems,
and locally issued authentications are being misallocated and
misused. It is important that the authentication states not simply
that the person is employed by the NHS, but in what category and
where, else a cleaner or administrator could pretend to be a Doctor
and access information at an inappropriate level.
2.7b However even with proper identification,
whatever access control framework is used cannot work as well
in a centralised system as in a distributed net with local control,
because in a centralised system need-to-know is both almost impossible
to establish and too many people need to know in order to run
the system. In the present case I do not think any set of access
control rules can be made to work sufficiently well to give any
privacy at all—either the the rules will be too strict so
the is of little use, or the rules will be less strict in order
that the system can be used and then access will be runaway. In
my opinion there is no possible happy medium.
I find little benefit in talking about specific
access control proposals now, as there are too many of them, often
contradictory, and I can find no guidance on what the definitive
proposals are.
2.7c There is one other point which I would
like to raise, the question of the use of medical records in criminal
investigations. For good reasons ("would you like your daughter
to catch TB from an illegal immigrant who was too scared to see
a doctor?") the Police and Criminal Evidence Act considers
medical record to be "special procedure material" and
limits the way it can be demanded—but it is alleged that
the Police have been using medical records to find illegal immigrants.
I do not know if this is true, or under what
laws it is collected, but I would like some assurance that the
same special procedure applies to all medical records, whether
held on a GP's computer, in the spine, the or elsewhere. Also
I would like to see a requirement that data not be given out without
going through the special procedure process—at the moment
the Police can ask for private information, and there is nothing
to stop eg BT from giving it to them.
2.8 Secondary uses service
2.8a The present secondary uses service
is contracted to McKesson, a US corporation. We do not know much
about what they will do, or how much McKesson paid the NHS for
the privilege of getting their hands on the dataset. However,
I would specifically ask the committee to investigate one question—is
there any guarantee that the data will be kept in the UK and not
copied to the US or elsewhere, where it might be subject to a
Court order, like the SWIFT data?
2.8b Leaving that aside, all the desired
functions except secrecy of search can be easily implemented in
a distributed dataset. For example, a pro-bono research
request might first go to an ethics committee (perhaps run by
the BMA) who would recommend that GPs run the search on their
computers at night when they were idle. Most GPs would probably
do this.
For commercial searches, first the searchstring
should be published, along with documents explaining whatdata
is requested and why. A committee should consider the searchstring
(that is the actual terms of the reque, as fed into the GPs computer)
and if they approveit then GPs can run it and get paid for doing
so. It should probably be an offence to run a search for payment
unless approval has been granted. Note that the GP is never forced
to run these searches. LHAs, PCTs and the like might be allowed
to demand some searches are run for purposes of administration
only.
3. CONCLUSIONS
CfH propose taking a dataset which is continuously
generated in-house by GPs and Hospitals, copying it (there will
be errors, this is a well-known property of this type of database)
by force majeur and thereby taking control of the data and patient
trust away from the GPs where it belongs, trying to call the copy
the "definitive record" when it clearly isn't and cannot
be, giving access to the copy to thousands of people without being
able to effectively check need-to-know (and thus destroying any
chance of even a modicum of security) and performing searches
on the dataset in secret. At a cost of around £10 billion.
This is £10 billion utterly wasted. There
is no need to copy the dataset, and all the proposed functions
(except the secret searches—non-secret searches are fine)
could be implemented using the existing dataset in GP's and Hospital's
computers, although a better N3 network might be needed—but
my last broadband 2Mb/s to 8Mb/s upgrade was free. The cost of
doing it this way, mostly in staff training, would be in the low
hundreds of millions rather than the billions.
So why have they done it this way? I do not
know. It seems that around 2002 someone made a policy decision
that all records were to be kept centrally, and a year or so later
they discovered that this would not be practicable—but it's
hard to find out who made the decision. CfH etc. then came up
with this mixmash of proposals which not only has the privacy,
security and operational disadvantages of a centralised dataset,
but which also has problems of its own, like synchronising databases.
I was originally going to title this "Redesigning
the Spine", but I cannot see much evidence that it was ever
designed in the first place.
Peter Fairbrother
March 2007
| 
