GP raises concern about PDS security

Tags: Confidentiality GP Information Commissioner PDS Pulse Security

14 Jul 2009

Renewed concerns have been raised about the security of the Personal Demographics Service after a GP was able to access details of colleagues and staff without being detected.

Dr Paul Golik, a GP in Stoke-on-Trent, Staffordshire, and secretary of North Staffordshire Local Medical Committee, told the GP magazine Pulse that he had accessed his own details and, with permission, those of several other people without the unauthorised accesses being reported.

Dr Golik told Pulse that he was “appalled” that such information was available to everyone with a smartcard. More than 600,000 smartcards have so far been issued, according to NHS Connecting for Health.

Dr Golik added: “It’s basically open – we might as well put our names and addresses on Google. If I know what your name is and roughly how old you are, within about ten seconds I can find your exact date of birth, your full name, your address, potentially your telephone number and your NHS Number.”

A spokesperson for CfH told EHI Primary Care that there were “clear procedures in place” to deal with any unauthorised access to Summary Care Records and the Personal Demographics Service.

She added: “To access a patient's clinical information, a clinician must have a legitimate reason for doing so. However, if someone deliberately accesses records without permission, this may result in disciplinary action."

However Dr Neil Bhatia, a GP in Yateley, Hampshire, and a campaigner for patient data privacy, said legitimate relationship alerts did not apply to the PDS and that the only way to detect inappropriate accesses to the PDS would be through a retrospective audit.

He told EHI primary Care: “It’s wide open to abuse and it has been for years but it’s just not talked about.”

Dr Bhatia said concerns over the PDS were underlined by current allegations that a national newspaper had regularly hacked into the mobile phones of celebrities and politicians to get stories.

Dr Bhatia added: “The PDS will tell you where someone lives, who their GP is and what their home telephone number is - and a private detective can then use that information to get more details from a surgery.”

Warnings about the market for demographic information have also been issued by the Information Commissioner, who has said that the types of information that are commonly illegally sought include current addresses and ex-directory telephone numbers.

CfH has said that in the future the PDS will generate alerts to privacy officers in specific circumstances where actions have been taken which may constitute a breach of confidentiality.

However, Dr Bhatia said it would be up to individuals to request a log of who had accessed their PDS, something which could take 40 days, or up to the NHS to run an audit following suspicious behaviour by an individual or organisation.

Patients cannot opt out of the PDS but can get their information listed as “sensitive” or “restricted”. In such cases, the only information displayed would be the patient’s NHS Number, name, date of birth and gender.

Patients with restricted records cannot be referred via Choose and Book, have their records transferred using GP2GP, or be issued with a barcoded prescription via the Electronic Prescription Service.

Fiona Barr

GP claims PDS increases information theft (06 Nov 2007) (5)
GPs and their families urged to boycott NHS 'spine' (20 Jun 2006) (63)

Reader's Comments

Appalling admission

14 Jul 09 16:07

"CfH has said that in the future the PDS will generate alerts to privacy officers in specific circumstances where actions have been taken which may constitute a breach of confidentiality."

This is 2009 not 1999 - for any credibility to be afforded to the SCR then basic security around PDS should have been implemented years ago - shoddy, shoddy, shoddy!!

Social Engineering

roseneath@ntlworld.com

14 Jul 09 21:07

I pointed this out to our area about 2 years ago but not seen as important. No-one is realistically going to be able to go through any logs created to find a pattern. to apprehend anyone. It is a superb resource for a social engineer.

The obvious answer is if an access is made by someone who is not in an obvious legitimate relationship such as a GP or a Consultant responsible for the patient, then an email is sent to the patient informing them that their record has been accessed by the named individual. It is then up to the patient to inform if the access is appropriate or not. Clearly the patient needs to have an email address and be happy for this, but it strikes me as being a simple but more effective solution than creating yet another Quango.

Nothing New

preston.demendonca@nhs.net

14 Jul 09 21:07

Sadly we seem to have learned nothing new,since us "Privacy Facists"started banging on about it some years ago.The PDS and the spine is unrestrictedly open to just too many people(currently around 250,000).In order to use Choose and Book,for even the smallest GP practice, the WHOLE PDS is available to anyone with a smart card and access to a Practice computer. I did challenge ahyone with with a smart card to find my address on the PDS using only my name: Preston de Mendonca and dob (160554)..please, you have my consent; do have another go to see how easy it is...even easier with the widely available and non-confidential nhs number. ...now how about your ex-wife/lover/chap who bullied you at school....

Patient demographics open house

14 Jul 09 22:07

This has been a major concern from day 1. It was always known that amongst the 1.2 million NHS workers due to be issued with smart cards, there will be abusers, paedophiles and blackmailers. There is no way of preventing your personal details going on the the PDS (unless you are a politician, footballer or rock star). It is not like the SCR, where you have a right to say no. Equally there is no way of policing access. The so called Caldicott Guardians have no time and no training to even cope with the reports of 'unusual patterns of access' which drop into their inbox, they will not notified of a single case of unauthorised access, and even if they were to pick one up, after the event is too late, the damage has been done.

So the paedophile who looks up a large number of children living near them may just be picked up after a while. The spouse beater tracking down their partner's new address will not, and it will be too late anyway.

But 1.2 million is still small beer if the ID database goes ahead - how can it be 'voluntary' to have a passport? It has been deemed a criminal offence not to update your personal details - and how many people in how many departments will have to have access to that one?

A Real Shame

15 Jul 09 08:07

It's a real shame that we are still having this argument. The fact is that to provide any form of joined up care (from paying GPs through to 18 week wait) we need to be able to identify the patient. This requires a database (whether grouped nationally or regionally) indexed on NHS Number.

Until patients routinely know and quote their NHS Number it is necessary to determine it from the demographics provided. This necessitates searching the national database and providing information back to an accredited member of staff. If the demographics record can't be found then neither can the medical record. If the wrong patient is selected then that's worse. This means that there is a tension between information governance and data quality. There is no answer that satisfies both parties. One wants it completely closed, the other completely open.

You can't apply the concept of legitimate relationships to demographics data as you need to find the patient before the relationship is formed. For example, if you register at a practice they need to find out your NHS Number. It is only after the demographics details have been called up that the registration can take place and so the legitimate relationship formed.

The PDS is a replacement for the various national demographics databases that went before it including the NHS Strategic Tracing Service, CHRIS and the NHS Numbers for Babies service. It provides an incremental improvement in security by using smartcards, a national audit record, access controls, etc. There are not 1.2 million smartcards in existance. There will never be that many people with access to the PDS however much this is stated.

The simple fact is that the case is now proven. There have not been a pattern of serious incidents as described above either with the PDS or the systems that go before them. Lets move on from this and solve the real issues out there.

PDS data

Neil.Bhatia@nhs.net

15 Jul 09 09:07

"There is no way of preventing your personal details going on the the PDS (unless you are a politician, footballer or rock star)"

They will have their data on PDS too, it was populated from the Exeter Database, most, if not all, would have had an NHS GP in childhood.

The only way not to would be to opt out of the NHS altogether (i.e. only ever be treated privately), which I suspect many of those professions might be doing anyway.

You - and that means anyone - can get your PDS record "restricted", which will help a bit in limiting accessibility to your details. You won't be able to be referred by your GP via Choose & Book but that's no great loss. And your FP10 prescriptions won't have that intriguing barcode on them.

Think about it sensibly!

15 Jul 09 10:07

At least the electronic record will have a log that the GP has accessed the Patients information even if currently there isn't anyone notifying the individual. Anyone could look at a Paper record and there would be no trace that they had done so. The GP clearly has far too much time on their hands if they are doing petty things like trying to access records they shouldn't be just to prove some sort of point. Its not productive or helpful and NHS staff are governed by the same rules of accessing information whether they are in paper or electronic format.

Boring.....

15 Jul 09 10:07

This type of article always seems to follow the same track: MEDICAL person complains (usually some GP brought up on a diet of "I know IT - I have Windows at HOME and I'm an administrator on my GP system!") followed by an CfH "official" (Usually a communications manager given a scripted response).

I would like to see the headline - Clinical Person - other than a GP or Consultant - shock horror - even a "NURSE" praises the PDS system in some real life situation - where up to date information was required or consistently saves on the 7 tonnes of paperwork nurse have to complete!

We may even start to get a rounded debate - where benefits are mentioned in the same sentence as PDS!

tsk..

no more talk

Neil.Bhatia@nhs.net

15 Jul 09 10:07

"Lets move on from this and solve the real issues out there."

and so again avoid talking about it....

Most NHS staff have better things to do..

15 Jul 09 12:07

..than browse the PDS looking for people. The majority of NHS staff are not blackmailers, abusers or paedophiles and whilst there will always be a risk of these people accessing information inappropriately, that risk is already there when they access their local systems. Vulnerable patients CAN have their address details hidden on the PDS so even though the data has been uploaded from Exeter, it would not be available despite what another poster has stated. And lets not forget that other agencies, such as the DVLA, will sell your demographic details for £2.50. Other than the NHS number and date of birth, the PDS holds nothing that is not available on the electoral roll. Not all staff with a smartcard will be able to access the PDS. Access will only be made available to staff that need the access TO BE ABLE TO TO THEIR JOB.

You cannot eliminate risk entirely but you can manage that risk. There should be robust systems in place locally to ensure that staff are only given appropriate access levels on their smartcards, if they are issued with a smartcard at all. This is certainly the case in my area.

Having access to the PDS has made our administration processes much more streamlined and efficient and this should be the case nationwide. That = savings. That in turn = more funds for direct patient care. Not having access to the PDS will mean a return to outdated processes and procedures and endless SUIs as patient data is transferred via other methods rather than being available through smartcard access.

PDS is secure, in comparison!

rowan.johnson@royalfree.nhs.uk

15 Jul 09 12:07

There seems to be a lot of deliberate spreading of mis-information, seemingly with an Anti-NPfIT agenda, here. Not all Smartcard users have access to PDS; so there aren't 600, 000 users with access to 'the whole PDS database'. The view into PDS is based on Roles; as such is far more secure then other parts of the National Programme; such as LC1 Cerner Millenium, for example... From what I know of SPR, there seems to be much more security & auditability RE accessing PDS/SCR records then in comparison to other systems, such as C+B & Cerner Millenium.

Also the majority of data on PDS is readily available 'over the counter', to individuals & companies who wish to purchase this sort of data; elecoral register, BT postcode files, etc...

So, sad t say this seems to very much be a storm in a teacup; designed to muddy the waters

The PDS question rarely asked

15 Jul 09 14:07

Safe between institution electonic communications about patients are potentially enabled by an accessible and accurate shared patient index and the universal use of the NHS Number.

I hold that the potential for good hugely outweighs potential for harm as long as

1. names are spelled correctly and D.O.B is right

2. duplicate and wrongly merged identities are (next to) non-existent

3. correspondence addresses are up to date.

However anyone with experience of multi-user demographics databases will know these cannot be taken for granted.

Chaos must be anticipated when any of these data are in error for a patient.

Do sample based estimates exist for the accuracy of PDS data?

Send the patient an e-mail

julianlesaux@nhs.net

15 Jul 09 20:07

I agree with Rose Neath. Send an e-mail - or an e-mail digest - to the patient to tell him/her who has been accessing their records, so that they can query it if they want to. Since everybody making an access does so via a Smart Card it should be possible for their role and organisation to be displayed on any report.

Of course there are problems with this. Not all patients have e-mail. People borrow other people's smart cards. All the same, it strikes me as a genuinely democratic idea - a big step in the direction of greater transparency.

Whom do we approach to demand its adoption as a policy?

Think differently!

glen.griffiths@interactivhealth.co.uk

16 Jul 09 17:07

Responding to calls for patients to be sent emails to indicate that their PDS has been accessed, think about it differently.

Whilst patient & public email / contact information is impossible to keep up to date, the email details of all NHS smartcard holders are known and should always be up to date.

Therefore, given that this is a continually managed environment, rather than sending the public messages that their details have been accessed it would be much more effective to send smartcard holders who have accessed PDS details in a given period, an email requesting a simple click through confirmation that requests made on specific dates / times are valid.

This approach provides 'positive confirmation' about the use of PDS and is a process that could be automated quite easily.

This would serve two purposes: 1. Fundamentally it helps to protect staff from potential bogus use of their smartcard access for unlawful purpose or at least provide an opportunity to highlight it should it happen. 2. It is a clear indication to staff that access requests are being monitored for irregularities.

The click through confirmation could then be tied back to requests made in a particular period and any exceptions could be investigated properly - patient details would not be displayed in the routine messages but smartcard holders would be able to query any accesses that seem odd.

The key thing in this approach is that as individuals we are very comfortable with detecting irregularities in patterns of our own behaviour so unusual accesses in terms of time, frequency etc., would be quickly picked up.

Whilst this approach like all others is not foolproof, providing vigilance and rigour in this way could at least act as a deterrent for the very few individuals who may be open to abusing the system - in particular from bogus use of another individuals smartcard.

glen griffiths