New NHS Patient Data Sharing Scheme Hack Warning

A new patient information sharing system by NHS is causing concern that it may be vulnerable to a hack, exposing millions of sensitive patient records.

The care.data programme, which is currently on hold due to concerns over its opt-out policy, will see patient records from across England stored centrally, with apparently non-identifiable data being used for clinical research and studies. Despite the concern over the security of the data, medical experts are urging patients not to opt out of because of the damaging consequences to their research work set to benefit from it.

Labour MP George Mudie had campaigned in Parliament for the data-sharing scheme to be delayed until the UK public were properly consulted. The intended opt-out system means that patients date of birth, postcode, NHS number and gender will be included in the data sharing system by default.

There will be an eventual breach of security, which is inevitable with the size of the database, the information stored in there. The human cost will be potentially disastrous to a patient whose identity and medical history is made public. Careers could be ended, jobs could be lost, insurance refused, relationships destroyed if sensitive medical facts are made public or are used by private firms or people or indeed the media. A further reason for concern is that the information will not be solely available for analysis and research in the NHS but will be made available to non-NHS organisations. George Mudie MP.

The Weakest Link

Health minister Dan Poulter promised there would be ‘robust procedures’ in place to protect patient confidentiality. However, it's the human element that is the weakest link in any implemented security. With thousands of healthcare employees having to access the data sharing system, the strength of their authentication will come under scrutiny. Typically when employees need to access business systems to carry out their job, they will adopt practices that maximise their convenience, not maximise security. Using easy-to-guess passwords, writing them down on post-it notes, or storing them on phones are all regular occurrences from employees who need to remember passwords. When those passwords protect extremely sensitive patient data, the consequences of a breach are hugely significant.

When the care.data programme is implemented in the coming months there is no doubt that it will greatly benefit diagnosis and medical research. The counterweight is that should a security breach occur, extremely sensitive patient information will be released into the public domain. While the NHS hack threat may be a high profile example, organizations of all sizes are hacked each day due to weak employee practices, with each hacking incident estimated to cost £35,000 to £65,000.