Data safety and clinical care

The balance between keeping patient data safe and not hampering clinicians in delivering effective care was discussed at a BCSHIF meeting in July, led by Edward James, a consultant working with the Imperial College Healthcare NHS Trust.

Edward presented a series of comments intended to promote discussion, which he has summarised in the first part of this article.

Computer security is often presented as a branch of conspiracy theory. Security threats are seen as coming from a malevolent group determined to destroy. Such threats scare and encourage the provision of money to avoid them.

The perceived threats to the security of computer data are: total destruction, less significant than formerly because of cheap backup systems; and copying, so that the data can be used against the original producer.

However, I believe that dealing with perceived threats is not the best way forward, since security is basically a moral problem. The connection with legal issues comes only from trying to enforce a certain moral behaviour.

So the only real defence from data 'terrorists' is character reform. Organisations may claim that they can keep your data safe but they are really only preventing a legal comeback.

Considering data security in the NHS, we have an extra dimension of concern. The doctors that I work with are already overstretched. The application of conventional security measures involves extra time and effort from the data users, which must be balanced against the time required to study a medical situation and make decisions concerning life and death.

Consultants are already faced with increasing restrictions in the name of security, for example in restrictions concerning using patient data at home.

In general terms, the only totally secure data store is one which no-one can access. So making data available for practical use involves accepting a certain level of data loss. I would suggest that the threat of data loss is less significant than the threat to a patient of delays in accessing the data necessary to make clinical decisions.

In the meantime, new technology makes the illicit transfer of data ever easier, and detection of illegal data storage ever more difficult. My tiny camera now has internal storage sufficient to take all the patient data records of many hospitals. It is a trivial job to connect the camera to any hospital data network, and the time taken to steal the data is dropping fast.

New developments such as cross-border health support add another dimension to the threat of data loss. The new EU proposed directive on patients' rights to cross-border healthcare will involve the movement of patient data around EU member states, with the possibility of data leakage even beyond Europe’s borders.

Participants discussed whether it would be safer for an individual to take responsibility to store their own electronic medical data, rather than storing it on a centralised system. One advantage would be to make clear the responsibility for data loss.

However, the data would still need to be backed up, so the problem would not be entirely solved. Furthermore, the patient could be physically attacked in order to steal their data, although that risk could be mitigated by the patient storing data on a password-protected website, rather than carrying it on a portable device.

The individual ownership of data may not be practical, since much healthcare is delivered without the patient being present. The counter argument is that other industries have ways of handling data if a person is not present. Healthcare could look at, and learn from, other sectors, such as banking, rather than assuming that it has unique problems.

A disadvantage of the use of patient records remotely from the local surgery or hospital is that it becomes less certain that a particular treatment was carried out, just as the removal of £50 from a remote cash point may not have been carried out by the account owner. The remote use of electronic health records is further complicated by the fact that medical notes can sometimes be interpreted in more than one way.

Edward suggested that attempts to save security checking time, such as the use of a single sign-on smartcard providing access to all NHS systems, which is being adopted by many NHS Trusts, could run counter to data safety. And concerning audit trails, how much detail of user activity should be recorded? Should it include details of every record accessed, every alteration made? If so, who would be able to monitor the situation in real time?

A participant countered that current data storage methods are not robust, citing the illegibility of hand-written paper records. What is being carried out now may not be perfect, but as long as we are improving the current situation, surely that is good?

When aiming to improve the system, new risks must not be introduced, according to another participant. One of the risks of an electronic record is being able to misinterpret the context in which data was written, unless the record is designed to allow for this.

The discussion moved on to question the value of the majority of medical records. It was claimed that hospital clinicians are usually not interested in medical records more than three days old for in-patients and one year for out-patients.

In any case, clinical judgements are often based on personal experience and intuition rather than calculations based on data records. Doctors are trained to start from a blank sheet when facing a patient, so they do not look at the notes straight away. Medical records may be no more than an intellectual aide-memoire for nurses and doctors.

In a similar vein, it was suggested that medical records never contain really important information. Co-operating doctors usually write letters, summarising the important bits of information, and they are only interested in the last two letters. On the other hand, a participant countered, letters are not a perfect system - they do sometimes get put in the wrong file.

It is perhaps, however, easier to lose large amounts of electronic data. To really understand the risk, it was suggested that the value of lost data needs to be calculated, in the same way as, for example, banks work out how much money they are prepared to lose in a hold-up. The NHS could decide what data loss is acceptable and pick the best way to reduce loss to that level.

It’s important to understand that the theoretical breach isn't the same as the actual breach, pointed out another participant. If the risk is calculated and steps taken to reduce it, and trustworthy people are involved, the breach will probably never happen.

There are still issues to resolve on data safety, but it is important to recognise that some positive steps have already been taken, thought some participants. The NHS is introducing breach risk assessments. Although this does not stop information being lost, looking at what can go awry is a step in the right direction.

Also, one of the biggest problems - the actions of human beings - is being addressed to some extent. Connecting for Health is teaching information governance to people on the ground in the NHS, with individual frontline users - from receptionists upwards - receiving training.

That said, a case was cited of one organisation which had a built-in information governance process with excellent training provided, and even included in the induction programme. Yet the head of information with responsibilities for introducing information governance in the organisation had still managed to lose a laptop, on which unencrypted patient records were held.

Despite there being risks associated with electronic patient records, there are clinical benefits and therefore benefits to the health of the nation. From the health profession's point of view, one person said that, when working as a night manager, he used to hate going to the basement to the medical records store. He had to use a torch and fish amongst the spiders.

It is not possible to reach the end benefit until you know its cost, highlighted another participant. When choosing what to buy, you look at the cost, the benefit, the likelihood of something going wrong, and what discount applies. Once you know the cost and benefit, you know how to assess the risk spectrum.

Participants agreed that data needs to be shared by people working in healthcare, as it is currently so fragmented. Transfer needs to be possible without too many restrictions. Plus, the more that the risk of losing data is talked up, the more people worry.

No one knew of any empirical work that has looked at the balance of risk versus benefit. The underlying problem is that the government seeks a black and white answer, which is simply not possible. Our brains are not designed to cope with uncertainty, and we are not prepared to accept that some data will be lost. The public expects perfection. In reality, all that can be done is to work out the risk and hedge against it.

At the same time, people working in healthcare are already under extreme pressure and will struggle to take on any extra loads or restrictions associated with security. The problems cannot simply be solved with a new computer system.

'There is no "quick fix" for data security,' said Edward. 'It involves the continual re-balancing of the risk of loss against the benefits of availability. And current hospital data systems are only just beginning to provide data in a really flexible, user-friendly form.'

September 2008