NHS network: Time to get secure

Patient data in need of a check up

Tags: nhs it, n3, security

By Alan Hunt

Published: 7 July 2009 09:00 GMT

While the NHS has made some attempts to secure its networks, the onus now falls on health trusts to make sure patient data is safe, says Alan Hunt.

Now that the Information Commissioner's Office (ICO) is promising to get tough on NHS security breaches, it's time for health trusts to secure their networks for transferring patient data. The last thing anyone wants is another data-loss scandal.

We may be five years or more away from the nirvana of having 50 million patient records on a secure national database, but the NHS's national broadband network, N3, already allows health trusts to securely use some national applications such as email and Choose and Book - the software that lets patients choose which hospitals their GPs refer them to.

N3 doesn't just make it possible to share patient information. With the right technology it can help trusts in several other ways. For example, it can save time, money and unnecessary travel by letting primary care trusts provide remote support for GPs' IT systems. It also enables GPs to access patient notes from home and share them with out-of-hours doctors.

Plus N3 removes the paper trail from patient transfers from surgery to surgery, and supports patients' recently introduced right to be registered at two practices at once (dual registration).

So what's holding N3 back?

The issue the network faces now is that, until the proper security measures are in place, some patient-identifiable data (PID) may be at risk from insecure connections.

When N3 was specified, it was widely expected that PID would only ever be stored within secure datacentres (and not locally by GPs, for example). It was also expected that IT applications would make extensive use of transport layer security (TLS) to encrypt the link between a user's computer and a secure datacentre.

The reality today is somewhat different. Although NHS trusts and GP surgeries are connecting to N3 and making good use of it with some of the national applications, many GPs are storing PID in computers in their surgeries on insecure networks, and transmitting it across N3 without encryption.

Why should health trusts act now to secure their networks?

Implementing security helps boards of health trusts to avoid regulatory action from the ICO. Recently the ICO has issued a spate of warnings and taken action against several NHS trusts for being careless with patient data. Most of its actions relate to loss or inappropriate disposal of computer hardware such as USB sticks, disk drives and laptops. While secure use of removable storage media is an important issue, NHS trusts should also be aware of potential security issues with increasing use of N3.

Another reason to take every sensible precaution, and follow Department of Health guidelines, is to give patients peace of mind. Patient surveys show that there is huge public concern over NHS patient record security, and now is the time to address this by implementing network security that supports the way that health professionals use N3 today.

Many patients feel more comfortable knowing their details are stored on paper, in manila folders, but e-records are intrinsically more secure, and with smart cards it is possible to control who has access to patients' medical records - that's impossible with paper.

Public trust with patient data is imperative - trusts should look at their network security policies as well as their use of storage media, before it's too late.

Alan Hunt is director of information security at Hytec, the infrastructure products and services business of the OLM Group.
