Presentation is loading. Please wait.

Presentation is loading. Please wait.

English NHS IT – The Three Big Mistakes Ross Anderson Cambridge University Edinburgh, February 25 2013.

Published byShona Douglas Modified over 9 years ago

Similar presentations

Presentation on theme: "English NHS IT – The Three Big Mistakes Ross Anderson Cambridge University Edinburgh, February 25 2013."— Presentation transcript:

1 English NHS IT – The Three Big Mistakes Ross Anderson Cambridge University Edinburgh, February 25 2013

2 Synopsis Over the last 20 years, the NHS in England has been an object lesson in how not to do IT, from the London Ambulance Service disaster through NPfIT to the new Information Centre At least three things keep going wrong – Architecture – Getting the incentives wrong – Failure to understand the science Let’s look at each of these Edinburgh, February 25 2013

3 First error – architecture The IM&T strategy, 1992: “A single electronic health record throughout the NHS, shared by everyone with a need-to-know” This was a slogan used in the 1980s for metropolitan repositories in the USA, since abandoned; basically an IT sales pitch It’s unmanageably complicated to have everything together and no-one has the incentive to look after it Edinburgh, February 25 2013

4 Consequences As an example of what goes wrong with the “single record”, psychiatric casenotes can be seen by receptionists in NPfIT systems Access = role + relationship The role “receptionist” needs access to some of the record So if there’s a relationship, they get all of it “Sealed records” a band-aid that was never really implemented. But we predicted this! Edinburgh, February 25 2013

5 A better way “Security in clinical information systems”, BMA, 1996 Architecture: a record is that set of data about a patient that has the same access rules So a patient has a GP record, a psychiatric record, a record with their sports coach … Just like medicine has always worked! We formalised the rules, tested them, and versions were implemented in various hospitals Edinburgh, February 25 2013

6 Example – Conquest Hospital, Hastings Properly engineering role-based access control! – A nurse can see the records of anyone who’s been on her ward in the last 30 days – A junior doctor can see all records in his department – A consultant can look at anything, but cross- department reads are notified and audited It worked well for over a decade Edinburgh, February 25 2013

7 Second error – incentives There’s a large and growing literature on the interaction between incentives, and dependability / security / fitness for purpose If Alice buys a system, it will help her do her job better than it helps Bob If Alice maintains a system, while Bob pays the cost of failure, then things will go wrong So systems bought by GPs / hospitals work better than systems bought by Whitehall Edinburgh, February 25 2013

8 How to screw up big time Tony Blair ordered a “National Programme for IT” in the English NHS in 2002 Idea: replace all IT systems with standard ones, giving “a single electronic health record” with access for everyone with a “need to know” This turned into the biggest public-sector civilian IT disaster in history Billions wasted, suppliers dropped out, huge lawsuits, and the flagship software didn’t work Edinburgh, February 25 2013

9 Chaos Hospital systems that let receptionists read all patients’ psychiatric casenotes There’s PDS, an “address book” which is widely abused as 830,000 people have access – with a lawsuit pending from a woman who was traced by her ex-husband who broke her arm (No-one knew they could opt her out, or how) Police access to prescription data “to stop opiate prescribing abuse” from 96 (didn’t stop Shipman) Edinburgh, February 25 2013

10 Scope creep We’ve had growing tussles over ‘shared care’ E.g.: giving social workers access to GP records in Oxford has made young mums reluctant to discuss post-natal depression Similar problems with social care; we killed the ‘childrens’ databases’ designed to share data between health, school, probation and social work (‘Database State’, Munro review) But last week it came back, as a service of the NHS Information Centre Edinburgh, February 25 2013

11 Third error – ignoring the science The current push to to get copies of everything at the NHS Information Centre Cameron, Jan 2012: NHS records a priceless resource for research and innovation, so must be anonymised and made available NHS IC also at the heart of the new Commissioning Board Problem: anonymisation doesn’t work (and so the strategy is contrary to ECHR) Edinburgh, February 25 2013

12 Public opinion 2,231 adults asked October 2006 on central records database with no opt out: strong support12% tend to support15% neither14% tend to oppose17% strongly oppose36% don ’ t know6% Several surveys since say the same: most don’t want wide sharing, or research use without consent And there’s the Catholic Bishops’ Conference

13 Example – Finland European law based on s8 ECHR right to privacy, clarified in the I v Finland case Ms I was a nurse in Helsinki, and was HIV+ Her hospital’s systems let all clinicians see all patients’ records So her colleagues noticed her status – and hounded her out of her job Finnish courts wouldn’t give her compensation but Strasbourg overruled them Now: we have the right to restrict our personal health information to the clinicians caring for us Edinburgh, February 25 2013

14 Transparency Edinburgh, February 25 2013

15 Research Edinburgh, February 25 2013

16 The science – inference control Also known as ‘ statistical security ’ or ‘ statistical disclosure control ’ Started about 1980 with US census Before then only totals & samples had been published, e.g. population and income per ward, plus one record out of 1000 with identifiers removed manually Move to online database system changed the game Dorothy Denning bet her boss at the US census that she could work out his salary – and won! Edinburgh, February 25 2013

17 Inference Control (2) Query set size controls are very common. E.g. in New Zealand a medical-records query must be answered from at least six records Problem: tracker attacks. Find a set of queries that reveal the target. E.g for our female prof ’ s salary –‘ Average salary professors ’ –‘ Average salary male professors ’ Or even these figures for all ‘ non-professors ’ ! On reasonable assumptions, trackers exist for almost all sensitive statistics Edinburgh, February 25 2013

18 Inference Control (3) Contextual knowledge is really hard to deal with! For example in the key UK law case, Source Informatics (sanitised prescribing data): Week 1Week 2Week 3Week 4 Doctor 1 17 21 15 19 Doctor 2 20 14 3 25 Doctor 3 18 17 26 17 Edinburgh, February 25 2013

19 Inference Control (4) Perturbation – add random noise (e.g. to mask small values) Trimming – to remove outliers (the one HIV positive patient in Chichester in 1995) We can also use different scales: practice figures for coronary artery disease, national figures for liver transplants Random sampling – answer each query with respect to a subset of records, maybe chosen by hashing the query with a secret key Edinburgh, February 25 2013

20 Inference Control (5) Modern theory: differential privacy (pessimistic) Practical problem in medical databases: context ‘ Show me all 42-yo women with 9-yo daughters where both have psoriasis ’ If you link episodes into longitudinal records, most patients can be re-identified Add demographic, family data: worse still Active attacks: worse still (Iceland example) Social-network stuff: worse still Paul Ohm’s paper has alerted lawyers at last! Edinburgh, February 25 2013

21 Example – Iceland Big row in 1998 when a startup (DeCODE) offered the health service free IT systems in return for access to records for research Funding was from Swiss drug company Roche Records to be ‘de-identified’ by encrypting the social security number, but would be linked to genetic, family data Icelandic Medical Association got 11% of citizens to opt out Eventually the supreme court ruled the system should be opt-in, and the scheme collapsed Edinburgh, February 25 2013

22 Problems building in England NGO campaign building over secondary uses We’ve already had a laptop stolen in London with 8.63m people’s records on it In September 2012, CPRD went live – a gateway for making pseudonymised data available from both primary and secondary care Kelsey promised the anonymisation mechanisms would be public, but FOI requests refused … Now the IC talks of supporting care too Edinburgh, February 25 2013

23 The very long term issue In modern service industries, you look for good practice, replicate it and deskill it My dad’s complaints about the local GPs Long-term, do doctors have a relationship with the patient, or are they interchangeable like staff at McDonald’s? What drives a patient’s care – the GP or the government computer? Patient access to data, or to a physician? Edinburgh, February 25 2013

24 Lessons Scale matters! A national system with 5,000,000 records is too big a target Think safety and privacy together Access controls are needed to limit the number of people who can read my stuff Anonymisation doesn’t work, though lots of people really want to believe it does But as well as knowing the science and fixing architecture, need the right incentives Above all don’t lose sight of where we’re going Edinburgh, February 25 2013

25 What can Scotland do? So far, we’ve avoided the centralisation trap Access control in direct care is not too hard to solve (working in Hastings since 1996) Sharing stuff with social care, schools etc is harder and requires serious attention to detail Need to work out requirements rather than be driven hither and yon by IT salesmen! What are the problems we need to solve, rather than the “solutions” they want to sell? Engage the public now, rather than fighting later Edinburgh, February 25 2013

26

Download ppt "English NHS IT – The Three Big Mistakes Ross Anderson Cambridge University Edinburgh, February 25 2013."

Similar presentations

(nothing to see here). First thing you need to learn is that sysadmin is about people, not technology If youre a sysadmin so you dont have to deal with.

(nothing to see here). First thing you need to learn is that sysadmin is about people, not technology If youre a sysadmin so you dont have to deal with.
Developing e-health solutions to improve patient safety in primary care Report on an NPSA-funded project Professor Tony Avery University of Nottingham.

Developing e-health solutions to improve patient safety in primary care Report on an NPSA-funded project Professor Tony Avery University of Nottingham.
Safer IT Systems for the NHS Dr. Maureen Baker CBE DM FRCGP Special Clinical Adviser NPSA Clinical Safety Officer CfH.

Safer IT Systems for the NHS Dr. Maureen Baker CBE DM FRCGP Special Clinical Adviser NPSA Clinical Safety Officer CfH.
The safety and privacy effects of NHS IT Ross Anderson Cambridge University and Foundation for Information Policy Research.

The safety and privacy effects of NHS IT Ross Anderson Cambridge University and Foundation for Information Policy Research.
Grid Security/Edinburgh 5 th & 6 th December 2002 Confidentiality, Consent & Access Peter Singleton - Cambridge Health Informatics.

Grid Security/Edinburgh 5 th & 6 th December 2002 Confidentiality, Consent & Access Peter Singleton - Cambridge Health Informatics.
Online patient records – safety and privacy Ross Anderson Cambridge University London, April 24 2013.

Online patient records – safety and privacy Ross Anderson Cambridge University London, April
Health Information Supplier Forum ‘Open data, a platform for change’ Garry Coleman, Health & Social Care Information Centre.

Health Information Supplier Forum ‘Open data, a platform for change’ Garry Coleman, Health & Social Care Information Centre.
Economics 20 - Prof. Anderson1 Multiple Regression Analysis y =  0 +  1 x 1 +  2 x 2 +...  k x k + u 7. Specification and Data Problems.

Economics 20 - Prof. Anderson1 Multiple Regression Analysis y =  0 +  1 x 1 +  2 x  k x k + u 7. Specification and Data Problems.
South West London Collaborative Commissioning Croydon, Kingston, Merton, Richmond, Sutton and Wandsworth NHS Clinical Commissioning Groups and NHS England.

South West London Collaborative Commissioning Croydon, Kingston, Merton, Richmond, Sutton and Wandsworth NHS Clinical Commissioning Groups and NHS England.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
03 May 2015 National Docman Conference 2014 #Docman National Docman Conference 2014 Dr Masood Nazir General Practitioner Clinical Informatics Advisor NHS.

03 May 2015 National Docman Conference 2014 #Docman National Docman Conference 2014 Dr Masood Nazir General Practitioner Clinical Informatics Advisor NHS.
Friendships & Relationships

Friendships & Relationships
The Equality Delivery System Medway. Talked to lots of different groups to make a web app to help local people find out information about different services.

The Equality Delivery System Medway. Talked to lots of different groups to make a web app to help local people find out information about different services.
What do people want, need and expect from public services?

What do people want, need and expect from public services?
Where’s the Equilibrium? Ross Anderson Cambridge.

Where’s the Equilibrium? Ross Anderson Cambridge.
Data Linkage Service Garry Coleman, Health and Social Care Information Centre.

Data Linkage Service Garry Coleman, Health and Social Care Information Centre.
Information Sharing Options Phil Walker. Outline I have been asked to present a range of options for lawful data sharing. There is unlikely to be one.

Information Sharing Options Phil Walker. Outline I have been asked to present a range of options for lawful data sharing. There is unlikely to be one.
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
NHS Databases – The Big Opt Out Ross Anderson Cambridge University and Foundation for Information Policy Research.

NHS Databases – The Big Opt Out Ross Anderson Cambridge University and Foundation for Information Policy Research.
The Children’s Databases Ross Anderson Cambridge University and Foundation for Information Policy Research.

The Children’s Databases Ross Anderson Cambridge University and Foundation for Information Policy Research.

Similar presentations

Ads by Google