FOR a couple of decades now, the Department of Health has been talking about
putting patients鈥 medical records on smart cards. Everyone in Britain will carry
their card with them, so doctors or hospitals giving emergency treatment will
quickly discover any pre-existing condition or allergy. This scheme, dubbed
Carecard in the 1980s, relies on family doctors putting their patients鈥 records
on computers instead of scrappy paper notes.
These cards have not yet come to pass, largely because people fear the
personal information they carry will get into the wrong hands. But the
computerisation of doctors鈥 surgeries is moving ahead fast, and doctors now
seldom write their notes on paper. Instead, they store them on their practice
computer system, which also lets them connect to the Internet, search for
medical news and e-mail specialists worldwide.
Wonderful, you may say. Think of the easy access, the shared information
among partners in a practice. There are big cash grants to encourage surgeries
to go online. And naturally, the national health network, NHSnet, which provides
the connection between hospitals and surgeries, is well protected against
computer viruses and hackers by firewalls and filters.
Advertisement
Not so the surgeries themselves. Infections arriving in a GP鈥檚 practice over
the Internet or from rogue discs can wipe all records and send out confidential
data in open e-mails. And the NHS is doing little to plug this loophole.
Britain鈥檚 overworked family doctors don鈥檛 have time to become IT experts.
They would prefer to treat sick patients. So when they went online, many of them
just signed the Department of Health鈥檚 tough Code of Connection document without
really reading it. They may not have realised, but in doing so they took on full
personal responsibility for keeping their surgery computers free from computer
viruses.
Local health authorities offer doctors advice on virus protection, but there
is no national policy on what that protection should be and no central source of
advice in plain English. In the interests of free-market competition, surgeries
can buy their computer hardware and software from a choice of rival suppliers.
These companies will also supply antivirus software, either preloaded on the
computers, or on discs for the doctor to install. Either way, it will be out of
date by the time it is first used.
So far, over 72,000 different viruses have been released onto the Internet,
with several new ones appearing every day. Some erase data, others gather files
from the infected computer and e-mail them off to any addresses it finds already
stored there. That鈥檚 not going to go down well with patients who find their
confidential records have been mailed to all and sundry. Antivirus software
cannot be relied on unless it is updated at least once a month, and preferably
once a week.
The Department of Health seems to have little grasp of this problem. 鈥淲e
cannot dictate the exact nature of the virus policy to practices, or the means
by which they get virus protection,鈥 says Caroline Arbon, the programme
communications manager for the NHS Information Authority, which is responsible
for NHSnet. She recommends an official booklet, Practical Guide to IT
Security. On viruses, it advises: 鈥淯pgrade your software as new versions
become available.鈥
This is utterly inadequate. What is needed is regular updating over the
Internet. One computer company, which included McAfee antivirus software in the
surgery system it supplied to a practice I know, initially assured the customer
that there was no need to update it because the surgery was not connected to the
Internet. This, of course, overlooks the risk of infection from rogue discs.
When the surgery did eventually connect to the Internet, and I nagged the
staff to sort out antivirus updating, the computer supplier (which is paid an
annual fee to maintain the system) assured the doctor that updates were
鈥渢ransmitted on a monthly basis鈥 and the system was 鈥渟et up to receive updates
via Net鈥. The supplier also said that 鈥渢hese updates are then distributed to all
workstations on the network within the practice鈥.
The surgery staff, who continued to talk to me about their never-ending
electronic problems, wanted to be satisfied. I was not. The supplier then sent
the doctor a 23-page document in which was buried the telltale admission: 鈥淚n
its role as a reseller (the company) is not able to support the McAfee product.
. . McAfee carries out that function.鈥 The surgery was expected to 鈥渁ccess their
(McAfee鈥檚) support channels鈥, at its own cost and using its own time.
Surgery staff are, in effect, being told they will have to learn how to do
something they thought was being done for them. Through the letters column of
the British Medical Journal, I asked whether doctors shared my concern.
At least a dozen wrote to me in agreement. None disagreed.
鈥淚t鈥檚 not enough just to provide folk with computers,鈥 said one. 鈥淲idespread
lack of computer security amongst NHS GPs is only an example,鈥 wrote another.
鈥淭here are similar inadequacies in policies, procedure and practice for data
backup鈥攁ll of these problems are capable of solution, but not by GPs and
their staff alone and unaided.鈥
One doctor had been employed by a local health authority to train surgery
staff on security issues, but quit in dismay once he realised just how little
his employers understood. 鈥淢y practice is regarded as idiosyncratic,鈥 he wrote,
鈥渂ecause it will not connect up to the NHS network in the routine, non-secure
way. A neighbour received 67 copies of the Love Bug virus and another downloaded
a virus which disabled all his printers. I don鈥檛 feel idiosyncratic.鈥
Perhaps if you are looking for a surgery to hold your records, it may pay to
find one that is idiosyncratic.
-
Browse a while through the websites recommended by the NHS Information
Authority and see what doctors have to wade through in between treating sick
patients: