NPfIT!

Mozrat, over at Beer And Speech wrote about the NPfIT, which is the National Programme for Information Technology in the NHS.  It's a good post, in which he explains that the the cost has soared to £30 billion pounds which will make patient care suffer.

The idea behind the programme is that modern computers, networking and databases will enable GPs and hospitals to become more linked, allowing GPs and hospitals easy access to the normally separate medical notes.  It will also mean that operations and consultations over an electronic booking system.  It will also provide an centrally managed email and directory service and will eventually mean that GPs can electronically send prescriptions to pharmacists.

But there are problems… 

A lot of GPs are unhappy with the system, in fact only 7% of the 500 GPs asked felt they had been adequately consulted.

As mentioned before, the original cost was estimated to be £6.2 billion, now the cost is expected to rise to between 18 and 31 billion pounds.  It has gotten so expensive, the National Audit Office is to investigate the way in which the contract was awarded.

I am personally worried about the security of the system, and my personal experience in the new system at Newham hospital doesn't inspire me.

Newham has currently implemented an EPR system (Electronic patient record from Cerner. This means that when the patient enters through the doors of A&E they are booked onto the computer, and all treatments, tests, x-rays and the like are recorded on the computer system. Instead of having to manually track the patient through the department there is a huge monitor on the wall that lets the nursing staff know where each patient is.

This was the first thing that I noticed, that the computer screen in the main area had the patients name, and what was wrong with them, which isn't too good for patient confidentiality. I told the nursing staff this, and a little later that day the 'complaint' field had disappeared.

I'll not mention how it is taking over a month for the nursing/medical staff to get used to the new system, for the first two weeks after it was implemented our Control were so distressed at the amount of ambulances sitting outside the A&E, they kept calling us up to make sure that we were 'alright' (for 'alright', read 'ready for another job'). We had to keep telling them that it was taking us much longer to hand our patients over to the nursing staff because the staff were unfamiliar with the new computer system. Extra trainers have since been brought in, and things are running a little smoother.

Finally, there is the thing that amuses me the most… Security for such a system must be high, mainly for patient confidentiality reasons, but also because you don't want some bright spark hacking the system so that they get seen out of order. The system has a number of laptops, so a wireless network has been used to link the various systems together. Admittedly I'm no hacker, or even a wireless network expert – but a little investigation with Ministumbler and my Pocket PC has shown that they aren't broadcasting their SSID, and I can only assume that they are using WEP. But, and this is the problem with any system where non-geeks are expected to use it. Every computer has magically grown a sticker, upon which is the Username and Password to log into the system.

Gah!

Hardly secure, and the implementations for patient confidentiality is terrible – can you imagine this system rolled out across the UK, with the full functionality of the NPfIT system up and running? Break into a GP's office, use the password that is conveniently stickered to the monitor, and gain access to nearly anyone's medical records. I mentioned this to the staff in the department, but they seem happy to let this huge security flaw continue.

So I'm now sending a letter to the hospital directors – hopefully they will get the message.

16 thoughts on “NPfIT!”

  1. Don't the laptop users need a “token” which generates a number valid only for a given login attempt time like people have for remote login ?

  2. Just a continuation of the 3 A4 pages of data that will be held on everyone when the identity card system finally comes into being. Geord Orwell got it all so right in '1984' – frightening!

  3. Just a continuation of the 3 A4 pages of data that will be held on everyone when the identity card system finally comes into being. Geord Orwell got it all so right in '1984' – frightening!

  4. Interesting account of the state of things from the sharp end of the nhs. However the 6.2bn is the total of the procurement contracts, the 31bn the estimated implementation cost, so there is no increase from one to the other because the figures are about different things. Access to systems that access data through the national care records service is expected to be by smart-card.

  5. As a consumer (!) of NHS services I find this quite terrifying – I have enough trouble getting some depts of my local hospital to remember ie write down facts for me, let alone enter them correctly….

  6. I have to agree. I registered at my new GP 2 weeks ago [along with the other new students in my hall]. Phoned up for an appointment on Friday and they have no record of me on the system [and no appointment until this Friday], and so doubtless will not have my medical records from my last GP when I do go in. Considering the information on my registration form is such that i'm surprised they haven't requested I have a 'New patient' consultation to get the Doctor/s up to speed, I think this new system will be a miserable failure [much as I love the concept of it]. Health professionals are exactly that. They aren't IT professionals or admin professionals, and expecting them to take on all 3 roles at once is too much….

  7. So Wot's new : When they brought out Defriblilators in 70's doctors, nurses , patients and onlookers were being sent bouncing off walls,because of the poor grounding systems, TV necklines were being ploughed up with scars and so ,on and on. The system has to be debugged [ i.e. remove the cock roaches from betweeen the contacts of relays]. and when The Prime Ministers or his buddies unmentionables are in the News of the World, Then the training will take place. Good luck with the typos and all those dialects of speech that will have to be entered. Oh well life in the fast lane. Dungbeetle

  8. Very interesting…I will contribute something of a counter-point from this side of the pond. The US government has been funding health IT pretty heavily of late. The Veterans hospital system has a very effective and well-liked EHR system called VistA that is currently being revamped for use in other government facilities. PriceWaterhouse did an analysis a while back and found it very cost effective.In terms of public hospitals, most of the work is being done by the Community Health Centers (safety net care providers, like healthcare for the homeless, etc.). They can get grants for implementation, and are of course generally strapped for cash so the idea of these systems generating savings (less staff needed) and increasing revenue (increased productivity and better billing), both of which have turned out to be very real, are quite attractive.

    In my work, we just did site visits to the real leader of the pack, a network of independent centers who've banded together and are in the process of going completely paperless. Largely because of their size, they were able to bring WebMD to the table and essentially co-design a comprehensive EHR system: prescription writing (with allergy and interactions monitoring), digitized lab submission, retrieval and approval, clinical guidelines reminders (Mrs. X hasn't had a mammogram this year, etc.), appointments, and a chart writer. The providers have all come to really love the system, and carry their tablet PCs everywhere. Security is extensive, but nobody complained about it.

    The real issues now are specialization and standardization: the WebMD product works great for the above network, but has been a disaster elsewhere, when centers have been unable to do as much customization; everybody needs a common set of codes, like HL7, to communicate between providers and payers.

    But the benefits of these systems, in so early in development, are incredible: you see real decreases in medication errors, improved follow-up, better chronic disease monitoring, etc. I can't wait till it's really happening.

  9. A hot topic at the moment. I've always worried about the lack of confidentiality within the NHS, both as a service user and an NHS professional. I find it embarressing when receptionists at GP surgeries happily shout across the waiting room to ask when your last period was. As for IT, forgive my cynicism, but when my PC at work has a filter set to prohibit a search for anything in the category of “health”, what hope is there?

  10. I wrote some software a couple of years back that is used by a few NHS hospitals and well things seem weird in the world of NHS IT. The software came originally from the idea of a hospitals IT director who really knew his stuff. He asked a known supplier to modify their software and I was brought in to write some middleware to link things together. To cut a long story short everything went to plan and fully working software was produced in less time than expected and under budget. I was pleased because 2 more NHS hospitals bought the software and things were looking good.

    Trouble is this success attracted someones attention and before long we had the whoever was the NHS IT consultants at that time bothering us. Soon we were being bombarded with requests for paperwork , minutes of meetings where technical specs were decided (we did all that by email anyway). We were later told this is all standard procedure the consultants use to attract work for their own code monkeys and in this case it worked.

    As a result no more hospitals bought the software although the ones who bought it love it and the consultants replacement was never delivered !

    232

  11. I don't want to rock the boat, but i served as a network admin with the singapore armed forces before my stint in the NHS. Many of the IT “managers” I encountered didn't now jack**** about IT, and their network implementation was clumsy to say the least. Many of the newer software pieces being developed are ludicrous ascii on screen affairs requiring intensive staff training, considering how much easier self-explanatory graphical user interfaces are for “dummies” to use. The problem stems from the NHSs propensity for employing the cheapest, rather than the most professional. Computer implementation in the NHS is substandard and amateurish, and at times just a ripoff by conmen who don't know the first thing about networks, and claim “security problems” as their stock first line of defence against real progress.

  12. Precisely.This has been and will remain a project managed in the Standard Big-5 Consultancy style and, as you're observing, it will have the Standard Random Outcome in terms of actual usability or worth.

    Yes, your security concerns are completely valid. And yes, as you'd think, they ARE phenomenally obvious and very old news to anyone who's ever actually studied and practised IT Audit/Secure Design. By “old” I mean that formal written recommendations on preventing this sort of thing haven't had to change much since the 60s. However, this skillset/training/awareness is NOT part of industry-standard Big-5 consultancies' “Methodologies” — they merely conform to their methodologies and plod mechanically through tick-a-box “project management” in isolation from the systems' business and realworld realities. And so it is quite literally outside their systems' universes.

    They get money for jam but they deliver jumble.

    Can I suggest that you add weight to your Security argument by forwarding this recent event, which at least provides a realworld example of the enormous potential impact on People (you may need to define this last term for them) of irresponsibly poor security architecture:

    State of California warns of massive ID theft due to physical Exposure of Health-Care Patients' private information: 1.4 million identities stolen

    (via WebNymph)

    cheers

    Sal

    http://go-blog-go.blogspot.com

  13. “…So I'm now sending a letter to the hospital directors – hopefully they will get the message.”They won't.

    They won't even understand the problem. These are people who probably print out all their emails, remember.

  14. Interesting. All the clinical applications should be running over SSL/TLS (Encryption protocols that you will use to access your bank accounts over the Internet), and be authenticated via a 2 tier authentication system (via a smart-card i.e.something you have, the card, and something you know a PIN, as well as a username and password). So, even if they are running wireless, you'd need to hack/crack strong encryption protocols or a some bug or bad implementation. Not an easy task.The problem is a lack of understanding: i.e. If you sniffed the traffic with your pocket pc you'd see no clear traffic,it would all be jumpled(encrypted). You most certainly wouldn't be able to access any NPfIT applications. Even if WEP is present, SSL/TLS mitigates the inherent weak implimentation of RC4(The main weakness in the flawed WEP in WiFI) in WEP.

    Also remember everything is logged, and don't forget, the Computer Misuse Act!, mainly unauthorised access is a criminal offence.

  15. NPfit willhave many human failings – security of info being ne of them. Bit like nurses etc leaving documents lying around, or people breaking-into offices and opening filing cabinets. Keep passwords secureand no crowbar can get into the system like with filing cabinets.Get admitted to A&E while on holiday and die while they wait for someone to answer the phone back at your doctors at the other end of the country.

    Accept change – it will work better than the old system. So will the next one.

  16. http://www.theregister.co.uk/2004/11/26/npfit_hearts_minds/“The appointment can be seen as a response to the medical community's lukewarm response to the programme, so far. GPs have complained that the government did not consult them sufficiently in the early stages of the project. Medical authorities have also voiced concerns over the security of patient data in many of the systems.

    Indeed, Burn's main responsibility will be to sell the NPfIT to the doctors and nurses that will be working with the new systems.”

Leave a Reply

Your email address will not be published. Required fields are marked *