U.K. health chief defends plan for records database

by James Niccolai

December 24, 2007 —

The head of the U.K. National Health Service has defended plans to build a
centralized database of patient records following another embarrassing loss
of personal information by the government.

The U.K. Department of Health admitted this weekend that nine of its regional
NHS trusts have reported losing patient data. One of the trusts, the City and
Hackney Primary Care Trust, in east London, lost the medical records for about
160,000 children, according to newspaper reports. The total number of records
has not been disclosed.

The losses emerged as part of a wider review following similar government blunders,
and have revived questions about the security of building a centralized patient
records database, part of the U.K.'s National Programme for IT (NPfIT). But
David Nicholson, chief executive of the NHS, said the project is essential and
should go ahead.

"It's vitally important that when a doctor is sitting in front of a patient
they have all the information they need at their fingertips, and that's what's
been driving us through all this," Nicholson told BBC Radio 4's Today program
on Monday.

The proposed system will not be a single large records database, but a series
of interconnected regional databases, he said. And the security system will
be more rigorous than that used with most Internet banking systems, according
to Nicholson.

"You'd need a user name, a password and a smart card [to access patient
records] and you would have role-controlled access," he said. "So
a nurse on a ward with a smart card and a password could only access a relatively
small number of patient records."

The information that was reported lost over the weekend was encrypted and so
not vulnerable to misuse, Nicholson said.

But Ross Anderson, a security expert at the University of Cambridge, told Radio
4 that whether the data is encrypted is not the main issue.

"One of the questions you have to ask here is not whether the data was
encrypted or password protected, but why someone was able to have access to
160,000 children's records," he said. "In private industry ... if
someone tried to make off with hundreds of thousands of records the alarms would
sound."

Opposition leaders pounced on the latest misstep as evidence that the Labour
government can't be trusted with its citizens' data. They called for further
studies to show how the proposed patient records system would protect privacy.

The incident comes after the U.K.'s HM Revenue and Customs lost personal records
for 25 million Britons, and the Driving Standards Agency lost records for more
than 3 million learner drivers.

"The power of technology means it can be very easy to use the information,
but also very easy to lose the information," the Information Commissioner
Richard Thomas said on the Today program. "The events of the last few weeks
have woken up everybody to the importance of taking these matters seriously."

IDG News Service