IT Security in the NHS
posted: Thursday October 9, 2008

With IT security issues hitting the headlines almost every day, many of you will be wondering how secure NHS IT systems are – especially with regards to the one aspect that is so important to us all – the security of our medical records. If you aren’t familiar with the basic principals of computer security, see end of this post before you read further*.

How does NHS IT security compare with best practice? The simple answer is that the quality varies immensely from hospital to hospital and Trust to Trust; the level of security is closely linked to how seriously those in charge take their responsibilities.

Whilst I totally accept that most staff are absolutely scrupulous about confidentiality, it should also be borne in mind that wherever humans have to input, retrieve and analyse medical records, a small minority will be tempted to look at information about friends, family and others. It is simply not realistic to expect 100% confidentiality. What it is realistic to expect is that the overwhelming majority of staff are honest and discreet – and I have no doubt they are.

On the other hand, I also believe that if management find it in their interests to bend the rules of confidentiality they are not reluctant to do so – nor do they hesitate to close ranks or lean on others in the interests of hiding the fact. Perhaps you will excuse my tendency toward cynicism if you bear in mind that the IT equivalent of the shredder is the ‘delete’ key and that anyone with access or influence can delete pretty much whatever they consider inconvenient…

As an ex-NHS IT employee who came into regular contact with staff at all levels, I have seen worrying security lapses in the Trust that employed me (and also provided IT services to neighbouring Trusts). I cannot (and do not) infer that things are the same across the entire NHS but it would be naïve in the extreme to believe that my experiences are unique.

I do accept that my outlook is coloured by the particularly dysfunctional nature of the IT department in which I was employed. The combination of a universally loathed and senior bad-apple reporting directly to a head of IT with no technical IT skills at all, resulted in the bad-apple effectively doing what he wanted with very little restraining influence. His negative effect on the department was well recognised but, probably because the head of IT was so dependent on him, the situation continued for many years. Even though it was a rural area with few alternative IT jobs, staff turnover was high and moral was low; dedication went unappreciated and was sometimes actively discouraged, accepting the status quo was rewarded.

Amongst the many security lapses I experienced, the following are noteworthy; none of them, as far as I am aware, ever resulted in any serious attempt to address the cultural shortcomings that allowed them to happen in the first place:-

Frequent (often several times a week) backup failures were not reported to those responsible for maintaining various databases (myself included). When I found out I was told that this was probably because worn tapes were not replaced – an excuse akin to blaming broken pencils for failure to keep written records. These failures were so frequent, and dismissed so lightly, that I eventually created my own automatic backup system to protect the databases for which I was responsible. This was sufficiently well-regarded amongst other members of the IT department that several adopted it for backing up other databases. This did not make me flavour of the month with the bad-apple who, with the knowledge of the head of IT, eventually made life so difficult for me that I resigned from a job I absolutely loved…

To save effort during the changeover to another email system, permission was given to turn off compulsory email authentication (meaning anyone could access any email account, including that of the chief executive, without the need to enter a password). I happened upon this only because I habitually collected my email from various computers and once found myself accidentally connected to the mail account of the person previously using the computer. This unbelievable lapse was buried very quickly – I am fairly sure it never came to the attention of anyone in real authority.

Email system failures occurred on a regular basis, sometimes widespread and lasting over 24 hours. On more than one occasion these resulted in the loss of old emails because there was no provision whatsoever for backing up staff mailboxes.

Many staff (including at least one director) shared passwords instead of using a proxy (the correct, authorised and more secure way of allowing others temporary access to another email account during annual leave or sickness).

Vital administrative passwords (which could be used by a disgruntled IT employee to bring the entire system to its knees) remained unchanged for years.

There was no security in place against downloading complete databases onto portable storage devices such as pen-drives or of emailing them to an external source, although, to be fair, this may have been partially addressed since I left.

And despite umpteen front-page incidents over recent years, proving just the opposite, organisations in almost every sphere of government continue to assure us that they can be trusted with our personal information.

Dream on.

Please feel free to comment by email

____________________________________________________

*Computer security falls largely into two areas:-

Firstly comes the need for the information held within a computer system to be stored and retrieved under any conditions, foreseeable or unexpected. We have all experienced the sinking feeling that accompanies the realisation that we have lost an important document stored on our home computer.
Because every system will fail at some time, it is essential that failures do not result in permanent loss, complete or partial, of that information. Every IT department worth its salt gives high priority to ensuring that the information entrusted to its care is properly backed up, that backups are held off-site (in case of, say, a catastrophic fire in the on-site computer facility), and that regularly tested procedures are in place to re-instate them when a failure occurs.
Ideally, the main computer room hardware should also be backed up by a ‘hot standby’ facility ready to take over instantly and automatically should the main room be rendered unusable. However, such a fail-safe system costs at least twice as much as a single system and whether or not the extra cost is justified is normally a board-level decision.

The second aspect of IT security concerns privacy – you have an absolute right to expect that your medical records are treated with the utmost discretion, care and respect where privacy is concerned. Standard ways of ensuring privacy are well understood and, on a technical level at least, fairly easy to implement by trained IT professionals.

Only those who actually need access to medical records should have access to them, and the level of access should be restricted on a need-to-know basis. For instance, receptionists only need access to simple personal details, your contact details, attendance record and possibly an overview of your condition (arthritic hip); but clinical staff will need to be able to look at much more detail because they will need to base treatment on a full and accurate picture of your clinical history (allergic to a drug).

Information should be encrypted whenever it is transmitted by non-secure means such as public email systems, CDs sent in the post (although personally I think this is almost criminally negligent in any case), taken home or to other hospitals on laptop computers etc. Properly encrypted information cannot be read without a lot of time, skill, effort and access to very powerful computers. Basically, encrypted information is so secure that the information is much more easily obtained by taking advantage of human fallibility. These so-called ‘social-engineering’ break-ins are a lot harder to guard against.

Computers must be physically secure – no unauthorised person should be able to wander in and steal them, use them or even see what is on the screen.

Old computer equipment must be completely purged of any information stored on it before it is disposed of.

None of the above should be anything other than routine procedure for a well run IT department.