Confidentiality of millions 'at risk' as IT chief exposes security flaws
By Steve Nowottny
The confidentiality of millions of patient records is at risk under plans to use electronic care records for research purposes, according to a key NHS IT supplier.
Robert Navarro, whose firm is handling key security aspects of the rollout of the controversial care record, told Pulse of his fears as our Common Sense on IT campaign builds momentum. He warned records could be leaked unless extra safeguards are put in place.
Mr Navarro, managing director of Sapior Ltd, is a leading expert on pseudonymisation, a security technique which reduces the risk of patients being identified from records in a database by replacing directly identifying fields, such as a patient's NHS number, with a code that does not reveal who they are.
'BT say if it's pseudonymised, it's safe – that is just not true,' he said.
Sapior is subcontracted by BT on behalf of Connecting for Health, and developed the pseudonymisation software currently used by the Secondary Uses Service. The service currently only provides data to NHS organisations, but information is likely to be shared with researchers more widely when the care record programme has been rolled out.
Mr Navarro told Pulse that if pseudonymised records were shared beyond the NHS, they would be vulnerable to so-called 'inference attacks', whereby the identity of patients could be revealed through details which remain in their electronic files after pseudonymisation. Fields such as a date of birth, a postcode or a rare diagnosis are not identifiers on their own, but in combination, or when matched against another dataset that carries names, they can point to a single person.
In August last year (2006), newspaper journalists and computer hackers used inference attacks to successfully identify thousands of internet users after online giant AOL made pseudonymised search data about more than 600,000 of its users available to researchers. AOL had replaced each user's name with a number, but the search terms themselves were left intact, and those were enough to identify people.
'When you're sharing beyond the current group you have to go to an extra level of protection in order to prevent the AOL kind of attack,' said Mr Navarro, who fears the same threat could be posed to NHS patients via the care record. 'Every researcher who says pseudonymising is fine is just ignoring inference attacks,' he said.
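The attack Mr Navarro describes can be shown in a few lines. The following is an added worked example, written for this page in Python; it is not code from Sapior, BT or the Secondary Uses Service, and every record, name, postcode and the HMAC key in it is constructed for illustration. It pseudonymises a small set of patient records by replacing the NHS number with a keyed token, then re-identifies patients by matching the fields that survive pseudonymisation (date of birth, sex, postcode) against a constructed dataset that carries names. It then applies the 'extra level of protection' Mr Navarro calls for, here by coarsening those fields, and shows the matches are no longer unique.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed secret used to derive pseudonyms (constructed for this example).
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed patient records. NHS numbers here are dummy values, not real ones.
PATIENT_RECORDS = [
    {"nhs_number": "NHS-0001", "dob": "1961-03-14", "sex": "F", "postcode": "CV9 2AB", "diagnosis": "asthma"},
    {"nhs_number": "NHS-0002", "dob": "1961-07-02", "sex": "F", "postcode": "CV9 1XY", "diagnosis": "diabetes"},
    {"nhs_number": "NHS-0003", "dob": "1985-11-30", "sex": "M", "postcode": "B1 1AA", "diagnosis": "hypertension"},
]

# Constructed auxiliary dataset an attacker might hold (for example a marketing
# list or electoral register extract) that carries names alongside the same
# quasi-identifiers. Two people share every field, to show a non-unique match.
AUXILIARY_DATA = [
    {"name": "Alice Example", "dob": "1961-03-14", "sex": "F", "postcode": "CV9 2AB"},
    {"name": "Beth Sample", "dob": "1961-07-02", "sex": "F", "postcode": "CV9 1XY"},
    {"name": "Carl Demo", "dob": "1985-11-30", "sex": "M", "postcode": "B1 1AA"},
    {"name": "Dan Demo", "dob": "1985-11-30", "sex": "M", "postcode": "B1 1AA"},
]


def pseudonymise(nhs_number: str) -> str:
    """Replace an identifier with a keyed, consistent token (HMAC-SHA256, truncated).

    The same NHS number always yields the same token, which is what lets records
    for one patient be linked across a release; it is also why the token alone
    is not what protects the patient."""
    return hmac.new(SECRET_KEY, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_records(records):
    """Return copies of the records with the NHS number replaced by a pseudonym.
    Every other field is left exactly as it was."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["pseudonym"] = pseudonymise(copy.pop("nhs_number"))
        out.append(copy)
    return out


def quasi_key(record, precision="full"):
    """Build the matching key from the fields that survive pseudonymisation.

    'full'   : exact date of birth, sex, full postcode
    'coarse' : year of birth, sex, postcode outward code (e.g. 'CV9')"""
    if precision == "full":
        return (record["dob"], record["sex"], record["postcode"])
    return (record["dob"][:4], record["sex"], record["postcode"].split()[0])


def inference_attack(pseudonymised, auxiliary, precision="full"):
    """Link pseudonymised records to names via an auxiliary dataset.

    A record counts as re-identified only when exactly one auxiliary entry
    matches its quasi-identifier key. Returns {pseudonym: name}."""
    index = defaultdict(list)
    for aux in auxiliary:
        index[quasi_key(aux, precision)].append(aux["name"])
    identified = {}
    for rec in pseudonymised:
        candidates = index.get(quasi_key(rec, precision), [])
        if len(candidates) == 1:
            identified[rec["pseudonym"]] = candidates[0]
    return identified


if __name__ == "__main__":
    released = pseudonymise_records(PATIENT_RECORDS)
    print("Pseudonymised only :", inference_attack(released, AUXILIARY_DATA, "full"))
    print("With coarsened fields:", inference_attack(released, AUXILIARY_DATA, "coarse"))
```

Run as written, the first line names two of the three patients (the third shares every field with another person in the auxiliary list, so the match is ambiguous); the second line names nobody, because generalising date of birth to a year and postcode to its outward code leaves at least two candidates for every record. Coarsening is only one of several protections and is not a guarantee: rare values in any remaining field, a larger auxiliary dataset, or linking several releases can still single people out, which is why sharing beyond a trusted group needs a risk assessment of the whole record, not just the identifier column.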
Pulse's campaign calls for a watertight anonymisation system before records are made available for research purposes.
Dr Paul Cundy, chair of the GPC IT subcommittee, said of Mr Navarro's revelations: 'This news confirms our fears about the Secondary Uses Service. It is now clear that the SUS must not be connected to anything new, nor external access granted to the data it holds, until we know it is anonymised.'
Dr Paul Thornton, a GP in Kingsbury in Warwickshire and IT campaigner, said sharing data with the Secondary Uses Service without explicit patient consent would be 'unlawful'.
Plans to boost NHS coffers by selling data to drug firms
Connecting for Health's subcontractor BT claims that sharing details from patient records with drugs companies would be a moneyspinner for the NHS.
In its written submission to the ongoing health select committee inquiry into the electronic patient record, BT suggested existing pseudonymisation techniques would be used to protect shared data.
'Making the aggregated data available to pharmaceutical companies would not only assist R&D but would provide the NHS with a substantial income source,' it said, adding it 'could be achieved without compromising patient confidentiality'.
Confronted with Pulse's revelation of flaws in the pseudonymisation system, a BT spokesperson said: 'If a decision were to be made to provide data to non-NHS organisations we would obviously have to work closely with Connecting for Health and our suppliers to ensure that any software solution implemented was fit for purpose and met patient confidentiality requirements.'
Connecting for Health said it was a matter for BT.