The NHS SCR Summary Care Record Scandal – Why Opt Out


Security and the NHS - Oil and Water?

If you are concerned by the piece of paper that recently came through your door regarding the Summary Care Record the NHS want to computerise, then this article is for you. If you are concerned that the NHS might not be equipped to keep your information secure, then this article is for you. If you are worried that your personal data might fall into the wrong hands by being left on a laptop on the back seat of a car in a public car park, then this article is for you!

It is no secret within the industry that the NHS has a poor record of data security. ICO (Information Commissioner’s Office) deputy commissioner David Smith has now singled out the National Health Service (NHS) as being the worst in the UK when it comes to breaches in data security. It comes as little surprise to me. Several years’ experience in an NHS Health Authority (later PCT) I.T. department exposed me to staggering lapses in security of patient data, and the complacency of senior management when concerns were voiced.

When I left the NHS several years ago there were still floppy disks being couriered this way and that without any form of data encryption to protect the patient data contained on them. Laptops running Windows 98, Windows 2000, and XP were full of data sets in CSV (plain text) format and unprotected (what little use Office encryption was) Excel spreadsheets. None of these data movements were strictly controlled, or audited. In fact, control over who had access to patient data on core systems was so loose that it would have been simple as a systems engineer to have grabbed the smear test results for the population of the local borough and taken them home without ever being questioned, because audits of operator activities were practically non-existent. It would have been very easy for a corrupt individual to have provided data for cash to whoever wanted it. Of course, you have to trust your I.T. people – but they especially should not operate without any form of auditing.
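As an added illustration (not part of the original post), here is the sort of operator-activity auditing that paragraph says was absent: a patient-record store that writes an audit entry before returning any data, and a detector that flags any operator whose reads in a sliding one-hour window exceed a threshold, which is the signature of a bulk export rather than of clinical care. The operator names, patient IDs, thresholds and timestamps are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json


@dataclass(frozen=True)
class AuditEvent:
    """One line of the access audit trail."""
    when: datetime
    operator: str
    action: str
    record_id: str
    reason: str  # the stated clinical justification for the access


class AuditedRecordStore:
    """Patient-record store where every lookup is written to an audit trail
    before any data is returned. The 'records' mapping is constructed sample
    data; a real store would sit behind a database with its own access control."""

    def __init__(self, records):
        self._records = dict(records)
        self.audit_log = []

    def read(self, operator, record_id, reason, now):
        # Append the audit entry first, so that even a failed lookup
        # (guessed or enumerated IDs) leaves a trace for reviewers.
        self.audit_log.append(AuditEvent(now, operator, "read", record_id, reason))
        return self._records.get(record_id)

    def export_log(self):
        """Serialise the trail as JSON lines for an external, write-once log sink."""
        return "\n".join(
            json.dumps({"ts": e.when.isoformat(), "operator": e.operator,
                        "action": e.action, "record": e.record_id, "reason": e.reason})
            for e in self.audit_log)


def flag_bulk_readers(events, window=timedelta(hours=1), max_reads=50):
    """Return {operator: peak_reads} for operators whose number of record reads
    inside any sliding time window exceeds max_reads. A clinician looks up a
    handful of patients per shift; hundreds in an hour is an export, not care."""
    times_by_operator = defaultdict(list)
    for e in events:
        if e.action == "read":
            times_by_operator[e.operator].append(e.when)
    flagged = {}
    for operator, times in times_by_operator.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span is at most 'window'.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_reads:
            flagged[operator] = peak
    return flagged


def build_demo_store(n_patients=200):
    """Constructed sample data: synthetic patient IDs with placeholder results."""
    return AuditedRecordStore(
        {f"P{i:04d}": {"screening_result": "negative"} for i in range(n_patients)})


def run_demo():
    """Constructed scenario: one clinician with normal usage, and one systems
    operator reading most of the store in ten minutes. Returns the flagged set."""
    store = build_demo_store()
    t0 = datetime(2010, 4, 28, 9, 0)
    for i in range(3):
        store.read("dr_smith", f"P{i:04d}", "clinic appointment",
                   t0 + timedelta(minutes=20 * i))
    for i in range(120):
        store.read("sysop_jones", f"P{i:04d}", "", t0 + timedelta(seconds=5 * i))
    return flag_bulk_readers(store.audit_log)


if __name__ == "__main__":
    print(run_demo())  # → {'sysop_jones': 120}
```

The point of logging before the lookup, and of shipping the trail to a sink the operator cannot edit, is that the people with the broadest technical access are exactly the ones whose activity the log must survive; a reviewer can then ask why a systems account read 120 records with no stated reason.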

(N)o (H)ope of (S)ecurity

I’m not trying to bring the NHS’s I.T. function into disrepute – they do this all on their own – I am trying to make a point here about the culture in the NHS regarding I.T. I can’t elucidate much further regarding my own involvement with the NHS, but I have heard with my own ears senior executives within an NHS trust refer to the I.T. function as a “bunch of Anoraks”. This might help you begin to understand the attitude towards technology that existed within NHS executive culture a few short years ago. If you truly believe that an organisation as big as the NHS has changed so much within less than a decade, then you should go ahead and entrust your personal data to them – but please read on before you do.

Deputy Information Commissioner David Smith

On April 28th at the Infosecurity Europe conference in London, ICO deputy commissioner David Smith revealed that the NHS has reported the highest number of serious data breaches of any organisation since November 2007. The NHS had suffered 960 breaches in just over 2 years, which “works out round about 30 a month.” He also said that, while the numbers have dipped just slightly, it’s still problematic in the sense that the NHS has been pretty consistent year in, year out. It’s hard to imagine that things will change significantly in the near future. The majority of NHS data breaches were a result of stolen data or hardware (113), followed by lost data or hardware (82).

If you have any doubts, just google for “NHS security breach” and see what you find – and this is just the stuff that has reached the public domain. There are weekly cases of NHS web services being compromised by undesirables – only last week, it was reported that Dorset Healthcare NHS Trust’s website was taken over by your local friendly Iranian terrorists.

Smith noted that there was a lack of accountability higher up in organisations when it came to data breaches. “Data protection should be a board-level responsibility” Smith insisted. Amen to that! Maybe then, and only when their own asses are on the line, will NHS executives find the will to improve their track record.

One in Three UK data breaches thanks to the NHS

The facts from the ICO alone mean that the NHS is responsible for approximately one-third of all data breaches reported in the UK. Since reporting such breaches is still voluntary (and obviously embarrassing for the organisations concerned), one can only speculate at the real size of the problem. After all, which Chief Executive is going to own up to a breach unless it goes public?

Smith admitted there were plans to force an audit of the NHS to get a real picture on both the number of data losses and where they are occurring, but he felt all organisations needed to improve training and awareness around data protection. The size and scope of such an audit is nothing short of colossal, and if the NHS fails to turn every stone, there will always be quiet corners that don’t get the attention they deserve. This might work when spring cleaning your office, but a government can’t be seen to be so cavalier.

The £ White Elephant

The NHS has a rich history of wasting public money. Only the NHS, in the late 90s, would try to implement an X.400 based email system (covered lightly here, although the waste of the X.400 project has been reasonably well buried from the internet) when SMTP had already gained dominance worldwide as an open messaging platform. Not only did they spend millions on this doomed messaging implementation, but they then wasted even more money on building gateways to the SMTP world when they realised they had ventured down another technological cul-de-sac! You can only wonder at the back room deals that led to this national mis-sale. Of course, most I.T. managers thought it was great – after all, most of them wouldn’t know the difference between ethernet and token ring, and certainly had no understanding at all of current trends. This decision alone put the uptake of email by GPs and hospitals back by years.

The NHS’s biggie, though, has to be the £12.7bn scheme to create an EPR (Electronic Patient Record). Just recently, Ruth Carnall, the chief executive of the London strategic health authority, stated the EPR project will “no longer provide the comprehensive solution” originally promised. Until now, health ministers and officials only admitted that the world’s largest civilian I.T. project is running four to five years late, but now say they want to make £600m savings on the £4bn or more of contracts held by CSC and BT to deliver it. Until now, no one dared concede that the programme will fail to deliver the information utopia promised in 2003 when the contracts were signed.

Following a revised deal with BT, which cut £112m or about 12 per cent off its contract, Carnall, the chief executive of the London strategic health authority, said the spending reductions mean “it will no longer be possible to provide the comprehensive solution that was anticipated in 2003”. Nicely put! The latest estimates for completion of the EPR stand at 2015 – 11 years late.

This comes as no surprise to me, or probably to anyone else that is still working within the NHS. The sheer army of NHS Project Managers that the EPR and its related targets and programmes hurried into NHS service is frightening. The fact that precious few of them had any commercial experience, and are generally getting a good financial shafting from the likes of BT on a daily basis, is at the source of untold waste in the NHS.

For as long as I can remember, NHS executives have never understood what they were buying into when dealing with astute business vendors like CSC and BT, because their NHS boards were usually devoid of anyone with an I.T. background. Men in suits would come along with their glossy brochures and make the NHS feel all warm and fuzzy, and the next thing you know they were into procurement, and writing requisitions the likes of which would make many a commercial I.T. director’s toes curl. When the Government and its departments are involved, and outside IT consultancies come in who don’t know the business and are there, after all, to turn a tidy profit, then you are truly looking into the abyss.

The Mini-Me of the EPR

The EPR (Electronic Patient Record) is still a long way off. It was quite the “thing” back at the start of the millennium, and since then untold millions have been spent in trying to realise the dream of a secure, comprehensive primary care patient record. It still hasn’t been achieved – and it is currently one of the political footballs being tossed about before the general election. Under some considerable political pressure to deliver tangible benefit to humankind, we have got the mini-me of the EPR: a watered-down attempt to make our most crucial medical data available to clinicians in times of crisis.

The SCR (Summary Care Record) will provide over half-a-million NHS workers with access to our medical records and therefore massively increase the chances of that data falling into the wrong hands. It is unimaginable that amongst those numbers you won’t find people willing to provide data to unauthorised recipients. I’m also doubtful if the hacking community will leave it alone either – such a ripe target is going to offer some serious brownie points to the spotty misanthrope who succeeds in posting Mrs Jones’ fungal problem to the nearest newsgroup. And let’s face it, if the likes of Microsoft can’t even secure a web browser, what on earth makes you think the NHS can run a truly secure website?

When you have NHS trusts engaged in messy, expensive PFI (more lately relabelled Public Private Partnerships or other misnomers) projects that have delivered new buildings with poor (costed to the penny) hygiene, lousy food, and all the soul and charisma of a prison cell – can you really imagine that information projects procured in the same financial environment are going to be any less of a minefield?

Even clinicians don’t want it

Even the BMA has called for the government to halt the roll-out of the SCR. I’m not going to go too far into this as I’m trying to focus on the security aspects of why the EPR and SCR are bad ideas at the moment.

The thinly veiled threats of doom – The Opt Out Form

“What does it mean if I DO NOT have a summary care record?” Well, apparently, the medic treating you will probably inject you with Domestos instead of saline solution, and replace your heart with a baked potato. Go ahead, you can download your own form here.

Seriously. The statements made on the Opt Out Form warn that unless you comply with the SCR, then you may not be treated safely and effectively – that medics won’t be able to find out about your current conditions, and that you may experience a delay or miss an opportunity for correct treatment – and most ominously that medics may administer drugs that are harmful to you.

THIS IS OUTRAGEOUS. Is this a kind of arse-covering for the NHS? Because to me it sounds like a “comply with the SCR or you release us from the Hippocratic Oath” message. The fact is that the DoH has made no change in the NHS’s liability to care for you, or the way in which medics will seek your medical data in the event of an emergency. It is almost incredible that the population is being opted-in automatically – which shows a cynical belief by the government that the masses, like on general election day, will do nothing.

I will happily keep my essential, life saving, information either on a necklace around my neck, or in my wallet, thanks, where it is readable only by those people that are directly in contact with me.

For more information – have a look at

As a footnote I should say, I am a firm supporter of the NHS, and especially its front-line staff who I believe are, by and large, most dedicated to patient care. But just as German General Max Hoffman described British soldiers as lions led by donkeys, I can only hang my head in shame at those who preside over the squandering of cash that could so easily have been spent in more life-saving areas. The Electronic Patient Record will come, and one day will truly be a valuable addition to the NHS’s services – but that day isn’t today, and the current NHS culture isn’t the one to deliver it.
