Why I Am Against The NHS Database

The last blogpost has started up a bit of a discussion about the pros and cons of the NHS database, so I thought that it wold be an idea to make my thoughts on such a system clear.

While it might make the retrieval of notes simpler and more convenient, the security risks are frankly too great. The cost will spiral and *********

We can first look at the cost, going on previous history the UK government seems to have an almost pathological aversion to being able to bring IT project in on either budget, or time. The cost has already spiralled beyond the initial estimates.

Discussion point – find governmental IT projects that have come in on time and budget.

The people who would be using the system don't particularly want it. The BMA think that it should be an opt-in system with each patient choosing to be put on the database rather than automatically being assumed to give consent. This is a fine compromise as long as the people opting in are fully informed as to the risks of being on the database. There is a way to 'opt out' of the database, but there are rumours that people who are refusing to go on the spine are having their names recorded by the government.

Discussion point – given the technical knowledge needed to understand databases and security as well as the way the NHS runs, will anyone be fully 'informed' beyond us computer geeks. Also, is the recording of opt out names just paranoid rambling.

The proposed benefit is that medical notes will no longer get lost, or that if you are unable to communicate there will be easy retrieval of your notes enabling allergies to be avoided, pre-existing medical conditions to be taken into account and next of kin to be contacted. There is an easy way in which a more secure system can be created, and that is one that points to where a person's paper medical notes are physically stored. That way the database is just a pointer to a more secure system.

As for treatment for people who present while unconscious – most causes of unconsciousness are well know and are tested for and treated, if a person has a rare condition then they will often carry such information on them. They are the protectors of their data, not a third party.

Discussion point – if someone is without a form of ID, how will this database help them? Will this tie in with a national ID database scheme.

Just looking at the security issues is enough to make someone paranoid. In more than one hospital I've seen passwords and user names stuck to mobile computers – a cleaner could 'borrow' a computer easily and in the privacy of a cupboard log onto the system and gain access to your details. Even if the log-in is tied to staff ID cards the system will not be secure, cards will be lost, or lent and borrowed. I can't imagine any ward sister sending home a nurse who is unable to do their job because of a lack of an ID card – they'd lend them their own.

Extend this to clerical staff.

Discussion point – this doesn't even include pure malicious attacks, agency nurses entering and leaving hospitals, patients stealing a glance at unattended computer screens or social manipulation attacks.

It would be trivial for me to socially hack the system and leave no trace of wrongdoing. I could sell your data on to nefarious parties for a tidy little profit.

But this is nothing more than we can do at the moment anyway – notes are lost, or looked over by people who have no right to do so. The problem is in the scale of the breach. I might have a friend in the notes section of the local hospital who can look up details for me – but that information is limited to people who have gone to that hospital. With the NHS database that 'local' become the whole of the UK.

Discussion point – part of risk analysis is how disastrous the consequences of a breach of security could be, having access to the entirety of the UK population's medical notes is pretty disastrous if you ask me.

Then there is 'function creep', we've seen this already in the use of anti-terrorism legislation enabling local councils to 'snoop' on people. What is to say that some government later on down the line decides to start selling the data to insurance companies, or to other government agencies like the census department. Even if you trust this government, do you trust every government that comes after them?

Discussion point – would legislation allay this fear, or just require a change in legislation later on down the line?

So, the NHS database would, in my view and the views of people much smarter than me, be expensive, unfit for it's purpose, horribly insecure to both technological and social attack and prone to function creep. In return there would be little benefit for most people.

Sure, have it as an opt-in system for those people who are willing to put their faith in a government system and local hospital and their ability to keep such data secure. But make it a fully informed choice, one where people are aware that it is being run by the same people that 'mislay' their normal paper notes on a regular basis.

I have a source who has let me know how insecure the proposed system is – I fully intend to opt out, and I work for the NHS.

44 thoughts on “Why I Am Against The NHS Database”

  1. I am totally FOR an NHS database. The reason is the obvious benefits a computerised system can bring which commentator Axylotl explains in his post.The problem is with how it is implemented, how it is maintained and training of users.

    The root cause of this is that project estimates are over ambitious with what is being delivered and when, to satisfy targets in political manifestos.

    The problem is very precisely that its progress is too dependent on our political system.

    The time required to properly implement an NHS database would require many many years, spanning several government terms, over several general elections. This cannot guarantee continuity over an NHS database project. Goals will be changed by each government in the interests of their own political party disrupting the progress of the project.

    Public sector can suffer from inertia having no competition to drive them. But outsourcing to private sector means profit driven and telling the client things they want to hear.

    All of the discussion points you mention Tom could apply to a paper database. Specifically, regarding ID, why not use biometrics i.e. one or a combination of finger print, voice, retina scan? Seriously! No ID to forget or forge then is there?

    As for 'having access to the entirety of the UK population's medical notes', the database does not necessary have to provide this to all users. For example, in the case of a local GP surgery, records of registered patients at that surgery only need to be provided.

    To implement a database properly would 1) require a phased approach where functions are implemented in stages 2) immune from change due to political gain and 3) totally realistic in timescales for implementation, maintenance and training.

    Think of all the mash-up possibilities that a database could bring. When I say mash-up, I mean think how it could be linked to other data, like location, time of day, so that sensible NHS targets can be formulated, including those for LAS.

  2. With the comment from Curahn about knowing who you are dealing with. Just asking the patient his name would do the job. And if it differs then that should start the alarm bells. I have more faith in asking a question than the wrong info being imputed have seen happen that all to often.

  3. OK, a lurker joins in. I'm a fairly minor player in the NPfIT, but my job revolves around data quality. All that I can say, really, but I can say that it does give me a fairly large degree of 'I know what I'm talking about'.The data quality issues that are involved here are enormous. It's even worse when you are looking from the inside. There are so many issues, in fact, that it is difficult to separate them from each other. However, Axylotl has said some things that I wish to comment on.

    Firstly, your medical record is not yours. It belongs to the Secretary of State for Health. It is data held about you, and you have a perfect right to see it (phone your GP and ask – they will make an appointment so that you can), but you cannot copy or take it away. As strange and contrary as it seems, you do not own data that relates to you. Currently, if you wish to see your hospital records, you have to contact each hospital that you have been in, since they are all held separately.

    While it might be a laudable aim to have medical records more widely available in the NHS, this raises more concerns than just the privacy that has been mentioned. I shall use me as an example. I am anaphalactic, and this is stated on my GP records, and I wear a MedicAlert bracelet (look them up and support them if you can – they're a charity that does a lot of good). You might think that I should be grateful that a centrally held electronic NHS record would contain that data, but I'm not. This is simply because my day job involves sorting out medical records that have been duplicated, confused, mislaid or lost. Those who think that putting them online will sort this out are sorely mistaken. Our workload is increasing as more NHS clerical staff have access to the national systems, and they are creating more problems than ever before. In many cases, it's not their fault – John Smith walks into a surgery, he gets matched with another one with the same date of birth, and bingo.

    How does that affect me ? Well, if I can't trust that the information on my record belongs to me, and only me, then why should I be keen to trust the decisions made on this information ?

    This is aside from the security. As Tom has said, there are or will be issues in the clinical departments with sharing of cards, passwords and computers. I have an NHS Smartcard, and work in an environment where screwing things up will result in a swift dismissal. Not everyone is – in one PCT that I know of, a Smartcard was left in a machine in a public accessible area and the password was on a postIt on the monitor. The security protocols are there, but they will not be adhered to. There are 250,000 staff that will have access to these systems, and the training and controls are simply not in place to sort this out. As to role based access, if you fancy a laugh, have a look around the web for discussions on 'sealed envelopes' in electronic medical records. If you're a developer, have a good look, because if you can come up with a solution, then you've just made a fortune ….

    Sorry, I've gone on too long. I will say, finally :o) , that I believe in the good of electronic medical records for patient care, I just have too many concerns about it's implementation in the NHS. I will be opting out as soon as the summary care record programme starts uploading data.

  4. I agree, the implementation of large scale online stores of secure data is already happening in everything from policing, banking, TV Licensing, DVLA and pretty much everything you sign up to or pay for.The problem of security is obviously something to consider, but banks have managed it admirably. I think with health care some sort of biometric system would be ideal.

    I don't work in the IT or health area but would it make sense to have the individual files only viewable and amendable when the patient was present and able to give their fingerprint or whatever. Any additions made to the notes when the patient was not present would be held as pending until the patient authorised them, again with their prescence. The locked files would be stored nationally and only able to be opened locally when the individual was present.

    It requires a bit of trust, as obviously at some point anything on computer is accessible by someone with enough access / knowledge / authority, but if people are already doing this with their cash, why not health notes too.

    Is that to easy? if it happens can I have some of the proceeds?? 😉

  5. “My body, my health, the NHS and my medical records, though…”But individuals are not always islands, for example when it comes to infectious diseases and epidemics.

    How was SARS dealt with? By a network of databases constantly updated that assisted medical staff with planning, containment, quarantine and contingency.


    May I even dare to say that it would be a moral duty to be on a records system to avoid such scenarios and similar.

    I'm using this to illustrate the point that a NHS database can have benefits when it comes to epidemics and perhaps research/bioinformatics. But I don't have an answer for the concern about all the information being in one place and accessible at lightning speed. I agree that this can be very dangerous in the wrong hands. It brings benefits and risks.

    As myself and others have said here, the problem is down to implementation and I agree with the point made here that modern computer systems and techniques today still aren't ready – that's why I originally said it would take many many years to develop.

  6. I would also opt out despite suffering from a long term chronic condition. I carry enough information for emergency service personnel to treat me correctly. With data already being “lost” then my fear that a national database would be unsecure seems to be all too real.Mad Asthmatic

  7. I have spent a lifetime in computing and know the ins and out of projects which are thus:1) Give a low estimate and short time to get the job.2) Begin with enthusiasm.3) Wait for customer to change/add to the spec.4) Give increased figure because of changes.5) Give delayed end date due to changes.6) Continue to give upgraded cost and time estimates due to failures/changes by others or 'unforeseeable' problems.7) Repeat 6 until customer become suspicious.In short, keep the job going as long as possible because it means more dosh for the contractors.

  8. The NHS lost my paper records. I certainly wouldn't trust them with digital ones. At least the number of people who might be able to access those lost paper records is somewhat limited!I've started getting pushy with my docs here in the US asking them for results of lab tests etc to be sent to me – that way I have a record. It has proven useful on at least one occasion already when, just like in the UK, moving from one town to another resulted in the loss of my records.

  9. Tom, your comment on the government passing/selling data on to insurance companies reminded me of something. A few years ago I spent a year in Russia as part of my university education. One of the prerequisites back in the old days of the year 2000 in order to get a year-long visa for the Russian Federation was to have passed an HIV test. Luckily I was in the US before I went to Russia and was able to get mine done there, with certificate to prove I was HIV negative but without my details being stored anywhere. Friends of mine who had theirs done in the UK were not so lucky. The fact that they had had the test meant they were an insurance risk and were therefore unable to get any life insurance afterwards as apparently their GPs were obliged to pass the information on to the insurance compnaies if they were asked for it (they were not, however, allowed to pass on the results). I don't know if this has since changed, but it does not have good implications for neutrality and for persuading potentially ill people to voluntarily undergo testing. I am sure other readers will be able to provide more detailed information as this is the point of view of someone in no way related to anything NHS, being as I am a lowly teacher and no longer a UK resident.

  10. I sometimes believe that we put too much faith in technology. The story goes that in the 1960's the Americans spent millions trying develop a pen that would write in space, supposedly the Russians came up with the answer for next to nothing….it was called a pencil. The story is most likely just that, a story but it does have a point. Why do we need access to this information? As part of an ambulance crew I can see that being able to see what has changed with the patient is useful. An ECG may look abnormal to us but might be perfectly normal for that patient. I would however suggest that, if we are going to spend money we should encourage people to keep their own information (in a similar way to the tubes handed out by the Lions Club). It would cost a fraction of the price of a centralised system and have few of dangers. Who knows…we might even do something really radical, we might remind people that 999 is not a substitute for a taxi home, taking your own car to hospital or visiting your GP the next day. Sorry…wandering into the realms of science fiction there.

  11. Yes, and I'd be in the same boat – having had a HIV test or two concerning my HIV exposure in my line of work.I have no idea about if it is still relevant though as the last time I checked such things were more than a few years ago.

  12. No, it goes even beyond that. An IT consultancy company called Accenture used to have the bulk of the NHS IT contract, quite probably with the usual aim of any private company – to extract the maximum amount of profit from the scenario.However as you can see from this Guardian story from 2006, they made a loss on the deal, and eventually ended up paying a 63million penalty to be allowed to withdraw from the project.

    Can you imagine a builder or a plumber or an electrician quoting for a job on your house, doing a portion of the job, and then paying you to release him from the contract and get one of his rivals to come in and do the work instead? You'd have to be the customer from hell, asking for the impossible…

    … oh.

  13. 6m to Accenture is more than made up by the profit from their other ventures. Sometimes it's a tax dodge – a write off against extreme profits from other ventures.

  14. There is an opt out website for this computer system which also has a letter you can print off and send. http://www.nhsconfidentiality.orgl printed off the letter ages ago and sent it to my Dr telling them that l did not want my details going onto any database other than the inhouse one it was already on.

    My Dr acknowledged the request with the comment that it seemed the wisest course to take.

    As to government logging our details if we opt out l should think they do that already for 1000s of other things they have dreamt up so what's new?

  15. I'm currently training as a radiographer and some of the information stored on the local database is vital to prevent the wrong patient being given a dose of radiation for an incorrect examination.For example, when I was working with another (more experienced) student, we called a patient, “Mr Hodgekinson” through. When his date of birth and address were checked against the form, we discovered we actually had “Mr Hedgekinson”. A UK database would help us to prevent irradiating patients unnecessarily when they are not from our local area. I can understand why people could be concerned, but what alternative is going to be viable to allow for pinpoint accuracy with patient identification.

  16. Agreed, 6m would be no big thing. But 63m, plus over 100m in losses (ie paying staff for work already done, equipment which had been leased, etc), ok it's not going to make or break a company of that size, but it's not exactly a rounding error either.

  17. Don't really see that it is much different to the Police PNC ?Of course the next step would be to make it available to mobile devices, so that you can see a patients history whilst in the Ambulance or even on hand-held device whilst attending – surely that's an advantage ?

    I am in high-end IT, and the technology and security exsists to maintain such a system – where it falls down is always human intervention; you can design out stupidity and fraud, but not lapse policy or authorised (and extended CRB checked!) staff intent on making a buck, or just plain nosey, but that is in all walks of life, paper or digital.

    The reality is, that if you work in a high-risk environment (and that includes ex-pats (yes, I was one for many years), then why would you not expect to be treated as high-risk by an insurer ?

    It's a personal choice, and should always be, but I for one am happy to know that my records would be available when needed if it meant keeping me alive a little longer for my family – sorry if any of the above offends, it's just my view.

  18. You are right, like many popular stories this one is a myth. Pencils were not used in space because of the likelyhood of the nib breaking and the detritus being a hazard in the machinery.

  19. /lights touch paper and stands well backDiscussion point – find governmental IT projects that have come in on time and budget.

    The contract for the National programme for IT was writen in such a way as to pay only for results. One of the reasons Accenture had to give way and admit defeat was because they didn't produce results on the core contract, only on the PACS system, which was additional functionality.

    Richard Granger (the guy in charge of the NPfIT programme at the time) has a lot to answer for, but the contracting process was one of the most stringent I have seen (and arguably one of the most inflexible for suppliers – another discussion point – is this a good thing?).

    You can only change 3 variables in a project – time, cost or quality. Given that the cost was fixed, the quality and the time were the things that suffered.

    As for an IT project that came in on cost and time – I am guessing, but maybe putting the DVLA online? I know it won a few prizes for implementation.

    Discussion point – given the technical knowledge needed to understand databases and security as well as the way the NHS runs, will anyone be fully 'informed' beyond us computer geeks. Also, is the recording of opt out names just paranoid rambling.

    Point one above – no idea, I am not a techie!

    Opt out vs. opt in. As I said in the previous thread – I want to be able to view my medical record online. I can already view my bank statement online, do my taxes online, do the majority of my shopping online.

    The medical record that has my name on is mine, not my GPs, not my local hospitals etc. I want to be able to see it, and do my own research on what it contains, to be an informed customer of the health service. Giving me my paper record is impractical, so please put it online and give me a password. If 'opting in' gives me that, then I will opt in.

    It seems chirlish that medical people are saying “Don't put it online cos systems are awful in terms of security”. What they are actually saying is that they themselves are awful at security. Like many things, this can be changed.

    How about giving people role based access, having smart cards for log-ins with encrypted passwords, logging every single keystroke that happens on the system… Oh wait – isn't that what's happening with the programme at the moment? D'oh.

    If banks had been government owned, and someone suggested putting all banking records online, there would be a furore about the size of the one for medical records. But the banks went online, and put security protocols in place, and we accept this as the de facto standard. Let's do it for health records.

  20. Re: Social hackinghttp://www.computerweekly.com/blogs/tony_collins/2007/09/bobby-robsons-medical-records-1.html

    With electronic systems, there is an audit trail of who viewed what and there is a record of anyone doing what they shouldn't. Who knows if staff were looking at his paper records, sharing those around etc before the electronic systems was introduced?

    There is a lovely quote on new technology in healthcare,

    That it will ever come into general use, notwithstanding its value, is extremely doubtful; because its beneficial application requires much time and gives a good bit of trouble both to the patient and the practitioner; because its hue and character are foreign and opposed to all our habits and associations.

    ..said of the stethoscope in the Times in 1834 🙂

  21. Online data stores are proliferating, but here we are talking about a whole new level of personal data. There is already project creep, with the talk of non-NHS organisations being allowed access to data. The consent model means that you agree to all this. I don't think that I'm the only one that has reservations about my local council (and police service, followed by JobCentrePlus/DWP, the Passport Agency, let alone private insurance firms, drug companies ….) accessing my medical record (strictly for my benefit, of course) …You make some valid suggestions about changing data only when the patient is present, but this is not workable in the system model. It also assumes that (1) everyone is honest about their details, which they often are not (drug users, alcoholics, teenage runaways, immigrants) and (2) that each patient is able to make an informed and accurate decision. Think about disability, old age and cultural (language) issues for a kick-off. What about critical care ? If I'm knocked down on holiday, the new system says that my record will be available for my care. This means that they will have to amend it to put the episode on. Oh, and the system is episodic – treatment has to be recorded in order, and there is no way of putting something in afterwards as far as I am aware.

    As to comparisons with the banking sector, I think the number of phishing emails that we are still inundated by suggests this is not the perfect solution to our banking needs. Unfortunately, the same vulnerable people that fall for phishing with banks are also those potentially most at risk with the new system. How can my girlfriend's father make an informed decision, since he suffers from Alzheimers ?

    As to how easy the system is to abuse, I don't want to scare anybody, but there will be nothing to stop me or my colleagues looking up anything we want to. Some work remotely, so add that to the equation. Now add to that to all your GP receptionists, hospital secretaries, admin departments, commisioning units, etc. etc.Yes, there will be an audit trail, but that will be shutting the stable door after the horse has bolted, put out to stud and retired three years later …

  22. Friends who were sensible and got tested were refused a mortgage, because they'd taken the test. On hearing of this (not from me) some, to my mind really irresponsible, gay aquaintances refused to be tested, despite a high risk life-style, which they presumably also kept quiet about, and got a mortgage, only for one to succumb to HIV related disease later on.I REALLY hope that situation has changed since (this was twenty-odd years ago) because though I can appreciate that someone who smokes/drinks is a higher insurance risk, surely being sensible about precautionary testing should not be penalised, which brings me to the point of this comment, though others will no doubt have expressed it better:

    just what would you be prepared to tell your GP if you know it's going on a national database, viewable by insurance companies, potential employers…I for one would keep schtum about ANY sexual mishaps, ANY form of mental illness, including PND, in short anything bar childhood innoculations.

  23. I don't want to scare anybody, but there will be nothing to stop me or my colleagues looking up anything we want to.Well, I don't know who you are or what you do, but I assume that if you have been given access to view health records you will have a legitimate reason to do so. If not, then you leave yourself open to prosecution. No change to the existing situation then.

    I liken this to the occasional trouble we have over the Official Secrets Act. If I have a legitimate reason to see something confidential, as a professional person I have to sign up to the fact that I will teat it in the manner in which it is due. The same with medical records. I know any number of people who deal with records to prep for clinics etc, and all have signed confidentiality clauses as part of their employment, and have CRB check as a matter of course. Clinician presumably have a hypocratic oath to cover this, not sure about the other checks and balances for them. So, we come bak to the question about why I would want to view something I had no reason to – back to the argument that we shouldn't have a computerised system because there are some evil people out there.

    As a wise man once said – I blame the scapegoats!

  24. Oh dear, oh dear…I was counting posts to see how long it would be before the “b” word was mentioned (sigh).

    You have been listening wide-eyed to Uncle Gordon, haven't you?

    Now I'll type this slowly: biometrics do not work. OK?

    A significant proportion of the population will be unable to be enrolled on the biometric system, simply because their markers – fingerprints or iris scans – are not of sufficient quality for the scanners to recognise.

    Oh, yes, and btw, the scanners use flat scanned prints, not full rolled prints. Flat prints are not admissible in a court of law – ever wondered why not?

    The published error rates don't match the error rates experienced in testing – the false match and false non-match thresholds are still way too far apart. If you wind the threshold up until no-one who is not on the system is recognised (i.e. approx zero false match), then you will get anything up to 25% false non-matches – i.e. your GP can't access your notes because the computer doesn't recognise his biometric identifiers.

    Don't have quotable sources to hand, but go and have a look at the discussion forums at http://wwwno2id.net and search for biometrics – more cited/referenced information there than you can easily shake a stick at.

    Besides which, spending untold millions on a database of dubious benefit and manifold hazards seems to be rather a waste of money compared with, say, employing more ambulance staff, paying them a decent wage and giving them half-decent kit?

    Now counting posts to see when someone will inevitably bleat out the, “if you have nothing to hide, you have nothing to fear” calumny.

    When that happens, I may well bite through my desk…

  25. I assume that if you have been given access to view health records you will have a legitimate reason to do so.The people who coded the system have a reason for looking at any and all parts of the system – it's because they coded it and they need to get at it to maintain, fix and secure it.

    They may be short-term contractors. None of the IT contractors I know have been CRB-checked.

    If not, then you leave yourself open to prosecution. Well yes, that's the essence of committing a criminal act. The likelihood of being caught and prosecuted and the potential sentence are things criminals tend to take into account as they plan their exit strategy.

    to see something confidential, as a professional person I have to sign up to the fact that I will treat it in the manner in which it is due… signed confidentiality clauses… CRB check… hypocratic oath…

    Sure, they have to sign a confidentiality agreement to say they won't be naughty. This would be the major difference between a nice, law-abiding person like yourself, and a criminal who wants to make a large amount of money and has already decided to do something illegal. Try as I might, I cannot imagine a criminal who would be all set to steal millions of people's records who would suddenly stop and think “oh no, I can't do that, I signed an agreement” and give up on the whole plan.

    we shouldn't have a computerised system because there are some evil people out there.

    No. That's not the argument. There's always evil people and there's always incompetent people. People are people. They screw up.

    The argument is that at present, they can screw up a limited number of people, rather than *every person in the country*.

  26. As for your constant comparison with banks.Firstly, there are several banks in the UK with the population distributed between them. There is only one NHS; it would cover everyone. It would be the jackpot.

    Barclays Bank. 1,800 UK branches and 4,750 worldwide branches.

    NHS: More than 10,000 GP practices and 2,500 hospitals. That's more than twice as many vulnerable access points.

    Barclays Bank: 147,000 employees.

    NHS: 1,500,000 employees. Even if we only count the 'clinical' ones who would have full access, that's 750,000 – five times more potential wetware problems.

    Barclays Bank income: 7,000 billion.

    NHS funding: 90billion. Doesn't even compare. And most of it is already spoken for.

    Barclays Bank reason for existence: to keep the money secure. Security is a major spend. Staff training is all about the security.

    NHS reason for existence: to provide healthcare. It cannot afford to spend billions on keeping a network secure. Staff are employed for clinical competence and security training will always be secondary.

    I for one am not happy to reduce the money available for actual real healthcare (ambulance staff, hospital beds, operating theatres) in order to fund a gigantic bespoke computer system for storing personal information.

  27. a few points…- do the benefits outweigh the risks

    – could the 12billion the project has so far cost be better spent elsewhere, or not spent at all

    -your faith in “pinpoint accuracy” is touching but misguided – think “garbage in – garbage out”. You demonstrate a very common trait wrt technology – an unwarranted faith it what it tells you which typically leads to a suspension of critical thought and common sense.

    “To err is human, to screw up on a grand scale takes a computer”

  28. Don't really see that it is much different to the Police PNC ?Scale – the NHS is IIRC the single largest employer in Europe.

    make it available to mobile devices

    Yet another piece of technology in the ambulance to distract the crew (which is likely to be unreliable due to cost constraints and mobile network issues). As our esteemed host has already pointed out those for whom immediate access to medical info is important already make the necessary provision and they have the most incentive to ensure it accurate and up to date.

    you can design out stupidity and fraud

    No you can't – good design and operational controls can minimise it, but that take time and costs money. You can design in policy controls to enforce policy, but again it takes time & money.

    I can understand why someone might be happy their medical records are available to anyone in the NHS at the touch of a button. Given the scale of the project and the real world observations of our host you're effectively making them available to anyone who chooses to make a small effort to get them. This might not cause you any concern but there are many others who may not be so sanguine.

  29. The problem of security is obviously something to consider, but banks have managed it admirably.Banks manage it because the have some of the best security experts in the world working for them… on some of the highest salaries. And they don't manage it as admirably as you seem to believe , you just don't hear about it because its not in their interest to tell you or anybody else (including the police) when they have problems.

  30. Humans are very nosy, there be three sides to this coin. heads it be good for saving a life,tails it be used to exclude all those with a genetic defect to never be covered by insurance.

    3 the edge, sell the good stuff to a juicy NoW or its friends.

    More than 120 workers at a Los Angeles hospital looked at celebrities' medical records and other personal information without permission between January 2004 and June 2006 nearly double the number initially reported, according to a state report.


  31. Not necessarily the case. Patients have been known to answer to a name that isn't theirs in an attempt to get seen quicker. Patients sometime have similar names as demonstrated in my post. Finally their might be 2 people with the same name, father and son say, living at the same address. The 3 point check we do is there for a reason.

  32. “fingerprints or iris scans – are not of sufficient quality for the scanners to recognise.”OK if biometrics don't work then use some a physical form of ID like badge, card or key along with a passcode. Sure this isn't perfect either – people forget the cards, their passwords. But we manage elsewhere with banks our houses our cars and for those who work in London, Oyster cards. People get used to remembering this stuff when they walk out the door to go to work.

    “Besides which, spending untold millions on a database of dubious benefit and manifold hazards seems to be rather a waste of money compared with, say, employing more ambulance staff, paying them a decent wage and giving them half-decent kit?”

    What about if you consider that having a database is actually integral to “half-decent kit”? For example, how about if on the way to an emergency call, the patients DNA record can be called up and a suitable drug can be synthesized or selected on-the-fly, from a standard repertoire of drugs carried on callouts, that will best suit treatment with that DNA profile. Far fetched? Could happen in maybe 30 or 40 years time. Or access to previous episodes of the patient's illness and MRI scans to determine which cause of action succeeded then and how this could be used now. Far fetched? Yes – but it could happen.

    We have to be careful not to have a luddite hypocrisy. If I'm opposed to electronic information systems, then perhaps I should get off this blog, close my Facebook account, cancel my mobile phone, cancel my email address, cancel my online banking, not play online role playing games, don't book holidays online…

    Society embraces technology, why should our dear old sacred NHS be the exception?

    Let me restate the precise problem: It is our short-termist political system, lacking continuity across 4/5year government terms, that imposes unreleastic targets to satisfy party political manifesto gain. A good database will take decades to achieve and should be done in phases. If this is done right, i.e. then the concept and design will be equipment independent and be able to take advantage of new technology.

    I can understand that health care staff who post here have a mistrust in IT systems, if they have had bad experience.

    IT systems are not bad per-se intrinsically, it's how they are implemented, how they are maintained and how well people are trained.

    “if you have nothing to hide, you have nothing to fear”

    I totally agree that we must have privacy and like you I disagree with this above statement. From standard biology text books in education, we all have a general idea of what people would look like with clothes removed and we don't say well there's nothing to hide because I know how that looks, we still choose to wear clothes and the same should apply for our data.

  33. Given that computer technology pervades just about every area of our lives I suppose it's naive to imagine the NHS can escape it's technological clutches ?The system at our place is a shambles: slow, unreliable, it requires excessive data entry [by clinicians] it is insecure [lots of locum cards, or existing users leaving cards in terminals while they go off to do something else, etc].

    I'm told that once the system is fully integrated with neighouring hospitals then further bottle-necks are anticipated, such as when a patient who needs to be admitted to hospital A has not been properly ben discharged from a previous clinic in hospital B, etc.

    Is the computer saving lives or improving standards – overall, I've yet to be convinced, I'm afraid.

  34. Why should the NHS be the exception?Because there's no choice about using it.

    I can change my email address. I can change my bank. I can cancel my cards. I can change my phone, both the physical thing and the number. I can have insurance against credit-card fraud both online and offline. I have insurance to help replace the things in my house should someone break in while I am on holiday. Almost everything in my house, almost everything in my life, is utterly replaceable.

    My body, my health, the NHS and my medical records, though… I can't just switch to a different provider or decide to stop using it. That's why the NHS is an exception.

  35. …and also, did you not spot the potential error *before* any such database has been put in use.All the radiographers that I knew had enquiring minds when it came to the patient that was about to be irradiated – checking that it was the correct foot to x-ray and the like.

    No computer system will change that – try booking in a foreign gentleman with half a dozen ways to spell his name and you'll see how easy it is for a computer system to get horribly mucked up.

  36. OK, I've steamed the teeth marks out of my desk…SECURITY.

    If my bank details get disclosed due to error or malice, then I can change my bank details. If my medical records are disclosed, I cannot change them.

    You have choice as to whether to have a Farcebook account, play online games, use a mobile phone etc. You have (almost) no choice about being entered onto this database.

    The whole point about security is that if you gather together a large quantity of valuable information like this in one place, then it immediately becomes a honeypot for hackers. IT WILL NOT BE SECURE. The quote that comes to mind is one saying (loosely), “the only secure computer is one that is disconnected from everything, switched off, locked in a steel box, encased in concrete and buried a thousand feet underground. And even then, only maybe…

    You will have a large number of access points, and an even larger number of authorised users, each of which is a potential security leak.

    The NHS database, along with the proposed NIR, is so far ahead of currently robust technology that it is almost inevitable that it will fall over and leak.

    So as far as benefiting the NHS, ambulances and staff are a far better use of the money, because they WORK. Today, now, with the current state of technology.

    When an NHS database can be created which is a. secure and b. fit for purpose, THEN the NHS should consider paying for one.

    With today's technology it will be neither, so please don't try colouring me Luddite.

    Our present government seems obsessed with high technology as the solution to all problems, to the point of having solutions looking for a problem. There appears to be no consideration of whether it is the best solution, or even if there is a problem amenable to that solution.


    Do you wish your medical records to be used for other purposes? Medical research? Sociological research? Market research? The Secondary Uses are not particularly well defined, and are being carefuly obfuscated in press releases – all the attention is being diverted onto the Summary Care Record.

    Previously, your medical records were confidential, and required your explicit consent for any party other than you or your GP to view.

    The SUS changes that, with disclosure no longer being exclusively your privilege.

    NHS Spine, containing all your medical history

    Contact Point, containing details of all children (apart from MPs and celebrities – do they know something we don't?)

    National Identity Register, logging every time the system is queried, information retained for life

    ANPR system, logging all car journeys on major routes and in all towns, information retained for 5 years

    DVLA database, linking car registrations to names and addresses, at least for the law-abiding

    Independent Safeguarding Authority/Criminal records Bureau – retaining records of offences, arrests, cautions and even unconfirmed rumour and speculations, for life

    Communications database (proposed) – containing details of all phone calls, text messages, emails and web activity

    Separate databases, yes – but functionally separate? No reason why they should be. No technical reason why queries cannot be written to cover all of them, creating a population surveillance system that would have had Dzerzinsky or Himmler salivating madly.

    Would you trust this government with that information? (Actually, no)

    The next government? (No again)

    The one after that? (Still no)

    Liberties once thought part of the fabric of our society are snipped away, little piece by little piece, always for “improved service”, or “managing your identity in a connected world”, or “think of the children”, or “protecting your security”.

    If you drop a frog in hot water, it jumps out.

    If you drop the frog into cold water then heat it slowly, it will stay until it is dead and cooked.

    We are being treated like frogs on the menu…

  37. It never fails to amaze me that Government consistently gets IT infrastructure projects wrong yet commissions the next one in exactly the same manner.The NHS is made up of a bunch of autonomous agencies all operating under a single banner. To mandate that these agencies should all use the same IT system goes against every other procurement they deal with. A better idea would be to define the data that needs to be stored, authentication and access criteria and messaging protocols. Then let the market provide solutions that meet these specifications. This would generate competition which, in turn, would provide cheaper and better solutions.

  38. the patients DNA record can be called up and a suitable drug can be synthesized or selected on-the-flyWonderful stuff, if you can do it reliably. The issue comes down to cost vs. benefit. This sort of example I would suggest is a “once in a blue moon” occurrence (Reynolds?).

    If you're a regular reader here you may have picked up on a recurring theme of cost savings at the expense of service delivery. There are numerous other NHS activities that would benefit the patients far more if given the money from this project than the database itself will ever benefit and thats assuming that this database will work properly (cancer drugs that NICE can't approve because they're too expensive for example).

    This is yet another “solution” from a government obsessed with technological solutions to people problems which will not work. I say this as someone with 25 years in the IT industry, a PC in every room (except the bathroom) and a server under the stairs so I'm no luddite.

  39. Both patients had been booked in to the system for their respective xray. When the first was called, they were not there, and being so close in name, the second patient answered. Patient error not computer error. Once in the room, so as to not blurt out patient name, date of birth and address in a packed waiting room, the other checks were done, and so the patient wasn't irradiated pointlessly.

  40. The problem is that you simply cannot spec a project that size. Rather than trying to design a central system what you should do is spec the interchange formats. In other words copy the one system known to work at the required scale – the web – rather than trying to design a one size fits all. This is much simpler, and allows for much greater flexibility within different parts of the service. It also allows for planned future expansion and progressive deployment. The NHS is far too complex to do it any other way and have it actually work. But of course, the people who come up with these insane ideas don't know the first thing about IT, not even how to procure it. As a professional system designer this makes me furious on more levels than I care to think about.

  41. I'm wary of an NHS database – though like others, I would really like to see my records online, so that I could a) print them out and save having wasted appointments where nobody has my notes and b) correct any errors.But more specifically, I have worked on the policy side of an NHS IT project that came in on time and under budget – the QMAS system for calculating and paying GPs' Quality and Outcome Framework payments. It was commissioned very late due to the negotiations with the BMA taking ages, but had an outstanding IT team working on it, and was there and working in time for the first payments. I know many GPs don't like QOF, and therefore QMAS, but it did work and it did pay them on time in the vast majority of cases. Where it didn't, it was usually because the QOF is quite complex, and we hadn't managed to train enough people on how to work the system (only two in each PCT, given the time constraints and PCTs not releasing people for training) and of course no-one reads help pages…

    PS Tom – I've now had the baby and (at 11 weeks) am just getting back into reading your blog. Its excellent, as always, keep up the good work. 🙂

  42. It has changed; it would certainly be iniquitous if it hadn't, because we offer the test routinely to all pregnant women and have been doing so for over 6 years, and now people are being recommended to have an HIV screening as part of routine health checks.

  43. Any database, anywhere, is only as good as the information input. As one who had terrible trouble sorting out when a mistake of ONE letter (D for T, presumably as a result of a phone message) meant a wrong parking ticket, I hate to think what could happen with my medical records.Moreover, the existing system itself is no quicker than carrier pigeon. Twenty years ago we were all told “No more ringing up microbiology [insert the lab of your choice] for results! You can download them from the database!” Last week I was still ringing up labs chasing urine and USS results which, days later, had been reported and were “in the system” but not “on the computer”. Multiply that by n to estimate the opportunities for delay and error when everything about every patient is on the same database.

Leave a Reply

Your email address will not be published. Required fields are marked *