The success of the NHS’s 10-year digitalisation strategy hinges on adequate security measures, says OmniIndex
October 2024 by OmniIndex
As the government announces the latest attempt to digitalise the UK’s public health service, Simon Bain, CEO at OmniIndex, calls for transparency on protection protocols.
The NHS is set to undergo a digital revolution, with the full medical records of all of its users set to be made available via the official NHS app. As part of its new 10-year strategy, all users of the NHS will have a single patient record that will include a patient’s test results and doctor’s letters as well as any other medical information.
The government argues that the process will speed up patient care, reduce the need for repeated medical tests and cut down the number of patients being given the wrong medication.
According to OmniIndex CEO and founder Simon Bain, while a modernisation project such as this is perhaps overdue, digitalising sensitive records does come with a number of risks, and it’s vital that the public aren’t left in the dark about how their data is protected. Bain argues that digitalising swathes of sensitive information and storing it in one place could be highly dangerous if it isn’t done with the right data protection practices in place.
“While this project offers exciting possibilities for improving patient care and access to information, it also raises important concerns about data protection. The government has a duty to reassure the public that its data will be securely protected from outsider threats,” Bain explains.
Campaigners have already voiced their apprehensions about the changes, but ministers have reiterated their unwavering commitment to safeguarding confidential medical information.
Currently, the NHS App’s functionality is limited by the complicated nature of patient records, which are held locally by GPs and hospitals. This fragmentation hinders interoperability and limits the app’s usefulness. To address these challenges, the government is pushing forward with plans to create a single, comprehensive patient record.
“Undoubtedly, in 2024 patient care shouldn’t be impeded by delays caused by missing or incomplete records. At face value, the news offers exciting possibilities for improving patient care and access to information and ministers have reiterated their unwavering commitment to safeguarding confidential medical information,” Bain continued.
“Unfortunately, good intentions won’t keep our data safe, nor will the promise of commitment from any MPs. Packaging up our private data in an app might sound convenient for us, but a centralised database of sensitive data sounds even more convenient for someone looking to steal it and hold it to ransom. A reliance on legacy security protocols or solutions won’t be enough to protect us from today’s cybercriminals.
“As users, we should proceed with caution until we have more clarity on exactly the measures that are to be put in place to protect data within the app. Until then, we won’t know who has seen our data and frankly, nor will the NHS. Should any patient data fall into the wrong hands, trusts could face huge fines for failure to protect it adequately, which will no doubt place extra strain on already tight budgets.
“While a single patient record might be desirable to some, from a security standpoint, it’s advisable that data is stored across multiple different locations through decentralized storage such as blockchain, leaving no single point of access for all of your data. Meaning that while one part of your record might be accessed or stolen, another part of it remains encrypted and protected for instant recovery and continuation of service.
“And any private, sensitive data should remain encrypted at all times, not just when stored, but even when it is in use. With the right technology, medical professionals should be able to glean all the insights they need from your file via technologies such as homomorphic encryption, without exposing the entirety of your file when much of it might not have relevance.
“Another important consideration is that making a project like this possible will require the help of one or more external technology or service providers. It’s vital then that stakeholders at all points of the supply chain are clear and transparent about the protective measures they have in place when handling sensitive data. For example, it is vital that no NHS patient data is ever used to train an external AI model, with sensitive information remaining under NHS control at all times.
“While security concerns shouldn’t limit modernisation and hinder progress, it’s vital that any steps taken are carried out with security and privacy in mind and in a way that is transparent to the public whose data is at risk. If this is not done, then any 10-year strategy will be a costly and futile endeavor needing immediate replacement before it is even complete.”