Security in the NHS
posted: Thursday October 9, 2008
With IT security issues hitting the headlines
almost every day, many of you will be wondering how secure NHS IT
systems are – especially with regards to the one aspect that
is so important to us all – the security of our medical records.
If you aren’t familiar with the basic principles of computer
security, see the note at the end of this post (marked *) before you read further.
How does NHS IT security compare with best practice?
The simple answer is that the quality varies immensely from hospital
to hospital and Trust to Trust; the level of security is closely
linked to how seriously those in charge take their responsibilities.
Whilst I totally accept that most staff are absolutely
scrupulous about confidentiality, it should also be borne in mind
that wherever humans have to input, retrieve and analyse medical
records, a small minority will be tempted to look at information
about friends, family and others. It is simply not realistic to
expect 100% confidentiality. What it is realistic to expect
is that the overwhelming majority of staff are honest and discreet
– and I have no doubt they are.
On the other hand, I also believe that if management
find it in their interests to bend the rules of confidentiality
they are not reluctant to do so – nor do they hesitate to
close ranks or lean on others in the interests of hiding the fact.
Perhaps you will excuse my tendency toward cynicism if you bear
in mind that the IT equivalent of the shredder is the ‘delete’
key and that anyone with access or influence can delete pretty much
whatever they consider inconvenient…
As an ex-NHS IT employee who came into regular
contact with staff at all levels, I have seen worrying security
lapses in the Trust that employed me (and also provided IT services
to neighbouring Trusts). I cannot (and do not) imply that things
are the same across the entire NHS, but it would be naïve in
the extreme to believe that my experiences are unique.
I do accept that my outlook is coloured by the
particularly dysfunctional nature of the IT department in which
I was employed. The combination of a universally loathed and senior
bad-apple reporting directly to a head of IT with no technical IT
skills at all, resulted in the bad-apple effectively doing what
he wanted with very little restraining influence. His negative effect
on the department was well recognised but, probably because the
head of IT was so dependent on him, the situation continued for
many years. Even though it was a rural area with few alternative
IT jobs, staff turnover was high and morale was low; dedication went
unappreciated and was sometimes actively discouraged, while accepting
the status quo was rewarded.
Amongst the many security lapses I experienced,
the following are noteworthy; none of them, as far as I am aware,
ever resulted in any serious attempt to address the cultural shortcomings
that allowed them to happen in the first place:-
Frequent (often several times a week) backup
failures were not reported to those responsible for maintaining
various databases (myself included). When I found out I was told
that this was probably because worn tapes were not replaced –
an excuse akin to blaming broken pencils for failure to keep written
records. These failures were so frequent, and dismissed so lightly,
that I eventually created my own automatic backup system to protect
the databases for which I was responsible. This was sufficiently
well-regarded amongst other members of the IT department that
several adopted it for backing up other databases. This did not
make me flavour of the month with the bad-apple who, with the
knowledge of the head of IT, eventually made life so difficult
for me that I resigned from a job I absolutely loved…
To save effort during the changeover to another
email system, permission was given to turn off compulsory email
authentication (meaning anyone could access any email account,
including that of the chief executive, without the need to enter
a password). I happened upon this only because I habitually
collected my email from various computers and once found myself
accidentally connected to the mail account of the person previously
using the computer. This unbelievable lapse was buried very quickly
– I am fairly sure it never came to the attention of anyone
in real authority.
Email system failures occurred on a regular
basis, sometimes widespread and lasting over 24 hours. On more
than one occasion these resulted in the loss of old emails because
there was no provision whatsoever for backing up staff mailboxes.
Many staff (including at least one director)
shared passwords instead of using a proxy (the correct, authorised
and more secure way of allowing others temporary access to another
email account during annual leave or sickness).
Vital administrative passwords (which could
be used by a disgruntled IT employee to bring the entire system
to its knees) remained unchanged for years.
There was nothing in place to prevent complete databases being
downloaded onto portable storage devices such as pen-drives,
or emailed to an external address, although, to be fair,
this may have been partially addressed since I left.
And despite umpteen front-page incidents over
recent years, proving just the opposite, organisations in almost
every sphere of government continue to assure us that they can be
trusted with our personal information.
feel free to comment by email
*Computer security falls largely into two areas:-
Firstly comes the need for the information held
within a computer system to be stored and retrieved under any conditions,
foreseeable or unexpected. We have all experienced the sinking feeling
that accompanies the realisation that we have lost an important
document stored on our home computer.
Because every system will fail at some time, it is essential that
failures do not result in permanent loss, complete or partial, of
that information. Every IT department worth its salt gives high
priority to ensuring that the information entrusted to its care
is properly backed up, that backups are held off-site (in case of,
say, a catastrophic fire in the on-site computer facility), and
that regularly tested procedures are in place to restore them
when a failure occurs. A backup that has never been restored is not
known to be a backup at all: it is a tape (or a file) that may or may
not hold the data, and the only way to find out is to restore it
somewhere and check what comes back. The same goes for the backup
job itself: a job that fails and tells nobody is worse than no job,
because everyone believes they are covered.
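As an added example (not code from the original post, and not the author's own backup system, which is not described), here is the shape of a backup job that treats the points above as requirements: it takes a consistent copy, proves the copy is restorable by opening it and comparing it against the source, records a checksum for the off-site copy, and reports a failure as a failure rather than quietly moving on. It uses only the Python standard library and a throwaway SQLite database constructed inline as sample data; the notification address is a placeholder.

```python
import hashlib
import os
import sqlite3
import tempfile


def make_sample_db(path):
    """Constructed sample data: a tiny appointments database to back up."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient TEXT, clinic TEXT)")
    con.executemany(
        "INSERT INTO appointments (patient, clinic) VALUES (?, ?)",
        [("P0001", "orthopaedics"), ("P0002", "cardiology"), ("P0003", "orthopaedics")],
    )
    con.commit()
    con.close()


def sha256_file(path):
    """Checksum recorded with the backup so the off-site copy can be checked later."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_database(src, dest):
    """Take a consistent copy with SQLite's online backup API (safe while the
    source is in use, unlike copying the file out from underneath it)."""
    src_con = sqlite3.connect(src)
    dest_con = sqlite3.connect(dest)
    try:
        src_con.backup(dest_con)
    finally:
        dest_con.close()
        src_con.close()


def verify_backup(src, dest):
    """Prove the copy is restorable: it must be non-empty, pass SQLite's own
    integrity check, and hold every table of the source with the same row
    count. Returns the row counts; raises RuntimeError on any shortfall."""
    if not os.path.exists(dest) or os.path.getsize(dest) == 0:
        raise RuntimeError(f"backup {dest} is missing or empty")
    src_con = sqlite3.connect(src)
    copy = sqlite3.connect(dest)
    try:
        status = copy.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            raise RuntimeError(f"backup {dest} failed integrity_check: {status}")
        tables = [r[0] for r in src_con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        counts = {}
        for name in tables:
            quoted = '"' + name.replace('"', '""') + '"'  # identifier from the source schema
            expected = src_con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            try:
                actual = copy.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            except sqlite3.OperationalError as exc:
                raise RuntimeError(f"backup {dest}: table {name} unreadable ({exc})") from exc
            if actual != expected:
                raise RuntimeError(f"backup {dest}: table {name} has {actual} rows, source has {expected}")
            counts[name] = actual
    finally:
        copy.close()
        src_con.close()
    return counts


def run_backup_job(src, dest, owners=("dba-team@example.org",)):
    """Copy, verify, and return a report. A failure comes back as ok=False with
    the people to notify; it is never swallowed, and the caller should treat
    ok=False as an incident. The owners address is a placeholder."""
    try:
        copy_database(src, dest)
        counts = verify_backup(src, dest)
    except (sqlite3.Error, RuntimeError, OSError) as exc:
        return {"ok": False, "dest": dest, "error": str(exc), "notify": list(owners)}
    return {"ok": True, "dest": dest, "sha256": sha256_file(dest), "tables": counts}


def demo():
    """Run a good backup, then the failure case the post describes: the job
    'ran' but the medium holds nothing. Returns both outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "appointments.db")
        dest = os.path.join(workdir, "appointments.bak")
        make_sample_db(src)
        good = run_backup_job(src, dest)
        open(dest, "wb").close()  # the worn tape: a backup file exists but is empty
        try:
            verify_backup(src, dest)
            bad = None
        except RuntimeError as exc:
            bad = str(exc)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("verified:", good)
    print("detected:", bad)
```

The verification deliberately opens the copy as a separate database rather than trusting the copy step's return code: that is the "restore it somewhere and check" test in miniature. Whatever calls `run_backup_job` has to act on `ok=False`, which is the organisational half of the problem and cannot be fixed in code.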
Ideally, the main computer room hardware should also be backed up
by a ‘hot standby’ facility ready to take over instantly
and automatically should the main room be rendered unusable. However,
such a standby system costs at least twice as much as a single
system, and whether or not the extra cost is justified is normally
a board-level decision.
The second aspect of IT security concerns privacy
– you have an absolute right to expect that your medical records
are treated with the utmost discretion, care and respect where privacy
is concerned. Standard ways of ensuring privacy are well understood
and, on a technical level at least, fairly easy to implement by
trained IT professionals.
Only those who actually need access to medical
records should have access to them, and the level of access should
be restricted on a need-to-know basis. For instance, receptionists
only need access to simple personal details, your contact details,
attendance record and possibly an overview of your condition (an arthritic
hip, say); but clinical staff will need to be able to look at much
more detail because they will need to base treatment on a full
and accurate picture of your clinical history (that you are allergic to
a particular drug, for example). Access should also be logged, so that
it is possible to see afterwards who looked at which record and when;
without that, the small minority tempted to look up friends and family
are never caught.
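As an added example (not code from the original post, and not any NHS system's actual access model), here is one way to express the need-to-know split above and keep the audit trail that goes with it. Roles are granted groups of fields rather than individual fields, every attempted view is logged before it is checked, and views of clinical detail by staff with no recorded care relationship to the patient are surfaced for review. The roles, field groups, patient records and care-team assignments are all constructed for illustration.

```python
from datetime import datetime, timezone

# Field groups, least to most sensitive. Roles are granted groups, not
# individual fields, so each new field only needs to be placed once.
FIELD_GROUPS = {
    "demographics": {"nhs_number", "name", "date_of_birth"},
    "contact": {"address", "phone"},
    "attendance": {"appointments"},
    "summary": {"condition_summary"},
    "clinical": {"diagnoses", "medications", "allergies", "clinical_notes"},
}

# Need-to-know policy as the post sketches it (assumed roles): reception sees
# who, where and roughly why; clinicians see the full history; IT support
# keeps the system running and sees no patient data at all.
ROLE_POLICY = {
    "receptionist": {"demographics", "contact", "attendance", "summary"},
    "clinician": {"demographics", "contact", "attendance", "summary", "clinical"},
    "it_support": set(),
}

# Constructed sample data (not real patients): two records and the staff
# with a recorded care relationship to each.
PATIENTS = {
    "P0001": {
        "nhs_number": "P0001", "name": "A. Patient", "date_of_birth": "1950-03-02",
        "address": "1 Example Road", "phone": "01234 000000",
        "appointments": ["2008-09-12 orthopaedics"],
        "condition_summary": "arthritic hip",
        "diagnoses": ["osteoarthritis, left hip"], "medications": ["paracetamol"],
        "allergies": ["penicillin"], "clinical_notes": "Listed for hip replacement.",
    },
    "P0002": {
        "nhs_number": "P0002", "name": "B. Patient", "date_of_birth": "1972-11-20",
        "appointments": ["2008-10-01 cardiology"],
        "condition_summary": "chest pain, under investigation",
        "diagnoses": [], "allergies": [],
    },
}
CARE_TEAM = {"P0001": {"dr.jones"}, "P0002": {"dr.jones", "nurse.smith"}}


class AccessDenied(Exception):
    pass


def fields_for_role(role):
    """Flatten a role's permitted groups into a set of field names."""
    allowed = set()
    for group in ROLE_POLICY[role]:
        allowed |= FIELD_GROUPS[group]
    return allowed


class RecordService:
    def __init__(self, patients, care_team):
        self.patients = patients
        self.care_team = care_team
        self.audit_log = []

    def view(self, user, role, patient_id, reason=""):
        """Return only the fields the role is cleared for. The audit entry is
        written before any check, so refused attempts are on record too."""
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id, "reason": reason,
            "in_care_team": user in self.care_team.get(patient_id, set()),
            "clinical_data": False, "outcome": "denied",
        }
        self.audit_log.append(entry)
        if role not in ROLE_POLICY:
            raise AccessDenied(f"unknown role {role!r}")
        allowed = fields_for_role(role)
        if not allowed:
            raise AccessDenied(f"role {role!r} is not cleared for patient records")
        record = self.patients.get(patient_id)
        if record is None:
            raise AccessDenied(f"no record for {patient_id}")
        shown = {k: v for k, v in record.items() if k in allowed}
        entry["outcome"] = "allowed"
        entry["fields"] = sorted(shown)
        entry["clinical_data"] = bool(shown.keys() & FIELD_GROUPS["clinical"])
        return shown

    def accesses_to_review(self):
        """Views of clinical detail by staff with no recorded care relationship
        to the patient: the 'looked up a neighbour' case for whoever owns
        information governance to follow up."""
        return [e for e in self.audit_log
                if e["outcome"] == "allowed" and e["clinical_data"] and not e["in_care_team"]]


def attempt(service, user, role, patient_id, reason=""):
    """Convenience wrapper: the record view, or None if access was refused."""
    try:
        return service.view(user, role, patient_id, reason)
    except AccessDenied:
        return None


def demo():
    """Four views: two legitimate, one refused outright, one allowed but flagged."""
    svc = RecordService(PATIENTS, CARE_TEAM)
    attempt(svc, "reception.1", "receptionist", "P0001", "booking in")
    attempt(svc, "dr.jones", "clinician", "P0001", "clinic")
    attempt(svc, "helpdesk.9", "it_support", "P0001", "curious")
    attempt(svc, "nurse.smith", "clinician", "P0001", "")
    return svc
```

Two design choices worth noting: the receptionist's view of a record is not flagged even though the receptionist is on nobody's care team, because the receptionist never sees clinical data; and `nurse.smith`'s view of P0001 is allowed (refusing it could delay urgent care) but lands in `accesses_to_review()`, which is where the log earns its keep.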
Information should be encrypted whenever it is transmitted by
non-secure means such as public email systems, CDs sent in the
post (although personally I think this is almost criminally negligent
in any case), taken home or to other hospitals on laptop computers
etc. Properly encrypted information cannot be read without the key;
for any modern cipher, attacking the encryption itself is out of reach
even with very powerful computers. That security evaporates, though,
if the key or password travels with the data, written on a note in the
laptop bag or in the same envelope as the CD. In practice the information
is much more easily obtained by taking advantage of human fallibility:
talking someone into handing over a password, or into sending the data
unencrypted ‘just this once’. These so-called ‘social-engineering’ break-ins are
a lot harder to guard against.
Computers must be physically secure: no unauthorised person
should be able to wander in and steal them, use them or even see
what is on the screen.
Old computer equipment must be completely purged of any information
stored on it before it is disposed of. Deleting the files or reformatting
the disk does not achieve this, since the data is still recoverable;
the drive must be securely overwritten or physically destroyed.
None of the above should be anything other
than routine procedure for a well run IT department.