Next: Other security threats Up: Threats and Vulnerabilities Previous: Other security requirements

Threats to clinical confidentiality

Many organisations, both public and private, have replaced dispersed manual record keeping systems with centralised or networked computer systems which give better access to data. Their experience is that the main new threat comes from insiders. For example, most of the big UK banks now let any teller access any customer's account; newspapers report that private detectives bribe tellers to get account information which they sell onwards for £100 or so [LB94]. This practice was made illegal in a recent amendment to the Data Protection Act, but there have still been no prosecutions of which we are aware.

The effects of aggregating data into large databases should have been expected. The likelihood that information will be improperly disclosed depends on two things: its value, and the number of people who have access to it. Aggregating records increases both these risk factors at the same time. It may also create a valuable resource which in turn brings political pressure for legalised access by interests claiming a need to know [Smu94].

Health systems are not likely to be different. At present, security depends on the fragmentation and scattering inherent in manual record systems, and these systems are already vulnerable to private detectives ringing up and pretending to be from another healthcare provider. A recent newspaper investigation showed that most people's records could be obtained for as little as £150 [RL95]. There are also some incidents specifically involving computer systems:

The interim guidelines issued at the same time as this policy give advice on how to make such attacks, on both manual and computer systems, less likely. However, the introduction of networking will change the risk profile, as current UK health networks are limited in scope, whether geographically or by function, and connecting them into a full-function national network will greatly increase the potential for mischief.

Put simply, we may not be much concerned that a GP's receptionist has access to the records of 2,000 patients; but we would be very concerned indeed if 32,000 GPs' receptionists all had access to the records of 56,000,000 patients. The danger of aggregating records, and the likelihood that abuse will result, is confirmed by the experience of the USA, where networking has advanced somewhat more than in Britain:

The problem was studied by the US government's Office of Technology Assessment. It confirmed that the main threats to privacy in computerised clinical record systems come from insiders rather than outsiders, and that they are exacerbated by the data aggregation which networked computer systems encourage [OTA93]. Other concomitants of data aggregation are growing claims of a need to know and treatment biased towards the interest of the corporate sponsor rather than the patient [Woo95].
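The scaling argument above (disclosure risk grows with the number of people who can reach a record, and a national network raises that number from one practice's staff to every receptionist on the network) as an added toy model, not part of the original policy text. It uses the population figures quoted above; the per-insider disclosure probability P_INSIDER is an assumption, not a figure from the page.

```python
"""Toy model of how aggregating clinical records raises disclosure risk.

Added example, not part of the original policy text. The population
figures are those quoted in the text; P_INSIDER is an assumption.
"""

# Figures quoted in the text.
RECEPTIONISTS = 32_000          # one per GP
PATIENTS_PER_PRACTICE = 2_000
PATIENTS_NATIONAL = 56_000_000

# Assumption (not from the page): yearly chance that any one insider
# with access to a record improperly discloses it.
P_INSIDER = 1e-4


def readers_per_record(fragmented: bool) -> int:
    """People able to read one patient's record: only the patient's own
    practice receptionist when fragmented, every receptionist when networked."""
    return 1 if fragmented else RECEPTIONISTS


def accessible_pairs(fragmented: bool) -> int:
    """Total (insider, record) pairs that could leak."""
    patients = PATIENTS_PER_PRACTICE if fragmented else PATIENTS_NATIONAL
    return RECEPTIONISTS * patients


def p_disclosure(n_readers: int, p_insider: float = P_INSIDER) -> float:
    """Chance a record leaks when n_readers each leak it independently."""
    return 1.0 - (1.0 - p_insider) ** n_readers


def compare() -> dict:
    """Both configurations summarised for a single patient's record."""
    out = {}
    for name, frag in (("fragmented", True), ("networked", False)):
        n = readers_per_record(frag)
        out[name] = {
            "readers_per_record": n,
            "accessible_pairs": accessible_pairs(frag),
            "p_disclosure": round(p_disclosure(n), 4),
        }
    return out


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

With the assumed P_INSIDER, a record reachable by one receptionist has roughly a 1 in 10,000 chance of leaking, while the same record reachable by 32,000 receptionists leaks with probability above 0.95; the point is the shape of the curve, not the particular constant.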

The British government admits that wide access to identifiable clinical records has no ethical basis. Not even a clinician (let alone an administrator) may have access to personal health information in the absence of a need to know. In the words of David Bellamy, Principal Medical Officer at the Department of Health:

It is a commonly held view ... that I as a doctor can discuss with another doctor anything about a patient because a doctor has a duty to maintain confidentiality by reason of his ethical obligations. It is just not true and it no longer holds water. Even if it helps professionals discussing individual patients with their colleagues, they must discuss only on the basis of the information the colleague needs to know [WHC95 p 16].

There are frequent claims by insurers, social workers, policemen and administrators that they have a `need to know' personal health information. When evaluating such claims, it may be helpful to bear in mind that a surgeon's `need to know' a patient's HIV status --- so that he can take extra care to avoid needlestick injuries --- is insufficient to override the patient's right to privacy about this status. A recent court case found that even a doctor's HIV status may not be disclosed: the small risk to patients' health does not outweigh the public interest in maintaining the confidentiality that enables infected persons to seek help [DGMW94].

The BMA does not accept that `need-to-know' is an acceptable basis for access control decisions. As the EU and GMC documents make clear, it is patient consent that matters. The concept of `need-to-know' implies and encourages the surreptitious erosion of the patient's privilege for the sake of administrative convenience. In any case, needs do not confer rights: the police's need to know whether a suspect is telling the truth does not give them a right to torture him. It is also useful to bear in mind empirical surveys of patient attitudes that show strong resistance to the sharing of personal health information with NHS administrators, social workers and government statisticians [Haw95].


Ross Anderson
Fri Jan 12 10:49:45 GMT 1996