NHS decentralisation: What will be the impact on security of data?

For the NHS this is an era of fundamental change. In January, Andrew Lansley, the Health Secretary, proposed reforms which include placing the £80bn NHS commissioning budget in the hands of GP consortia, which would decentralise power in the service.

Placing further management and IT decision-making in the hands of clinicians is intended to reduce administration and give communities control over local decisions.

What are the implications for the fundamental issues of data security, privacy and protection of sensitive patient records? Will this increased responsibility at a local level create additional burdens for GPs, whose primary role is patient care rather than management of technical and security issues?

With the ICO cracking down on breaches of the Data Protection Act, what will the impact of these changes be when decisions are made on security and measures to prevent data loss?

With the government's plans to shake up the NHS, there is growing concern about how this will affect information security as GPs become directly responsible for the majority of NHS services for their patients and are given a greater say in the management of services.

Many GPs run small to medium-sized practices with similarly sized IT and management teams, and do not have the dedicated and experienced teams that larger existing primary care units such as hospitals have in place. It will prove difficult to replicate the IT skills of these larger, more experienced teams within smaller, more diverse networks.

The reduction in IT and management resources and the transfer of responsibilities to GP consortia raise huge concerns, as information and patient records are crucial to providing effective healthcare. Placing responsibility in the hands of local GPs and individuals with little or no experience of the processes involved in secure data handling could potentially put sensitive patient information and confidential data at risk.

GPs will also be given the power to allot surgeries for patient referrals, enabling them to refer patients to private practitioners as well as conventional NHS hospitals. As a result, the amount of money being directed back into acute hospitals could dramatically decrease, resulting in a reduction in the funds available to spend on IT services within the NHS. This will again put stress on the security of sensitive information.

Ultimately, with greater fragmentation, effective governance becomes increasingly difficult in practice and there is less central control of information as doctors and nursing staff have access to a variety of patient information. As GP practices begin to build on existing patient information and amass large amounts of confidential data, be it on laptops, email systems or USB sticks, there will be an even greater risk that the security of this data may be compromised.

Since November 2007 a total of 1011 security breaches have been reported to the ICO and, of these, 307 relate to the NHS. Given the large number of data security breaches that have occurred within the NHS, GP consortia must be fully aware of their data protection responsibilities and ensure that the new processes do not exacerbate the issue. At a time when budgets are stretched we must remember that security of confidential patient data is paramount.

Alex Teh is Co-Founder and Commercial Director of Vigil Software. Formed in 2001, Vigil Software is a specialist UK IT Security Distributor representing vendors such as M86, Safend, LogRhythm Quest, Titus, Bit9. It carefully sources and markets information security solutions that help with today's increasing requirement to protect information, comply with legislation and regulation, and improve productivity.

  • Idris Evans

    One of the big issues is going to be the fact that there will effectively be SMEs in charge of enterprise data sources and a risk that as SMEs they may procure what they see as best fit for their consortium without necessarily taking into account what may be best for all the consortia as a whole, possibly introducing vulnerabilities as people try to get interoperability between diverse systems. There may also be an increased cost for these systems unless they are purchased with the buying power something the size of the NHS currently has.
    I’m not saying that the current situation is the best it could be (NPfIT proved that it isn’t) but there are significant challenges ahead for these GP consortia and all the partners they have to share data with.