Computerised medical records - no security


Busa_Rush

Original Poster:

6,930 posts

253 months

Monday 2nd May 2011
The initial message was deleted from this topic on 15 March 2012 at 23:51

Deva Link

26,934 posts

247 months

Monday 2nd May 2011
You're probably going to tell me why I should be worried about this, but my first reaction is: so?

fergywales

1,624 posts

196 months

Monday 2nd May 2011
I'd be more pissed off at being asked to pay £50!

davepoth

29,395 posts

201 months

Monday 2nd May 2011
Say, for example, you'd been treated for The Clap, due to a "dalliance". How would you feel if one of your enemies got a copy of your medical records and started blackmailing you?

tinman0

18,231 posts

242 months

Monday 2nd May 2011
Busa_Rush said:
So check your Doctor's staff . . . see if they will divulge your patient record to anybody who asks.
I really couldn't care if someone knows I have osteoarthritis in my right knee. What is anyone going to do with that information? Blackmail me? Deliberately invite me to meetings for fun where I have to walk up 6 flights of stairs?

Pesty

42,655 posts

258 months

Monday 2nd May 2011
davepoth said:
Say, for example, you'd been treated for The Clap, due to a "dalliance". How would you feel if one of your enemies got a copy of your medical records and started blackmailing you?
It's OK, I lied at the clap clinic.

Might cause a few raised eyebrows in one household though. I 'may' have used a work colleague's name.

dandarez

13,334 posts

285 months

Tuesday 3rd May 2011
tinman0 said:
Busa_Rush said:
So check your Doctor's staff . . . see if they will divulge your patient record to anybody who asks.
I really couldn't care if someone knows I have osteoarthritis in my right knee. What is anyone going to do with that information? Blackmail me? Deliberately invite me to meetings for fun where I have to walk up 6 flights of stairs?
Half the problem is you couldn't care. They know most fools think like this today, this is why they get away with it.
The point you miss entirely is that it is 'your' personal details. Security is a joke.

You probably don't have oste' in your knee, but say you do. Somewhere down the line let's say you get appointed to a new job. A gammy knee shouldn't affect your chances in your application, but then they don't know about it.
Ahhh, they do now! 'He's got a gammy knee... hmm, time off?'
'Thank you for attending our interview. We regret to say you were not successful in....'

Similar: could be as simple as a bad back, but you had a successful op. But will the employer who wants you to do a lot of lifting, admittedly not hard graft lifting, and gets hold of your 'personal' records think twice? Of course he bloody will!

'Personal' detail should mean just that. Of course, it could be REALLY personal detail!

Mind you, I'm past caring about anything to do with this country now. 'Cos like you, NOBODY cares anymore!

Didn't used to be like this.




RobDickinson

31,343 posts

256 months

Tuesday 3rd May 2011
dandarez said:
Didn't used to be like this.
Yes it did. Someone went into a GP and asked for a copy of their records, you've been able to do this for 15-20 years, regardless of if it's stored electronically or still on paper.

Most (all?) GPs will have electronic systems, and have had for aeons. Printing out from this is the same as photocopying your paper records.

This ISN'T the spine, isn't the mega health network that was planned, it's just your local GP's records.

That the receptionist didn't check ID is a human security issue which isn't an IT problem.

branflakes

2,039 posts

240 months

Tuesday 3rd May 2011
I used to be a private investigator. It always staggered me how easy it was to get supposedly confidential information about people just by phoning and asking for it. Not just doctors and hospitals either - banks, employers, Inland Revenue to name a few are just as bad. Don't worry about hackers cracking multi-million pound highly secured computer databases, worry about the bored, minimum wage admin assistants with access to those computer databases.

fatboy b

9,515 posts

218 months

Tuesday 3rd May 2011
I'd be more worried about the "back-door" security in the NHS. Seems there are viruses (the computer kind) galore and people seemingly are unaware of them because the local IT support teams are total fkwits.

ewenm

28,506 posts

247 months

Tuesday 3rd May 2011
branflakes said:
I used to be a private investigator. It always staggered me how easy it was to get supposedly confidential information about people just by phoning and asking for it. Not just doctors and hospitals either - banks, employers, Inland Revenue to name a few are just as bad. Don't worry about hackers cracking multi-million pound highly secured computer databases, worry about the bored, minimum wage admin assistants with access to those computer databases.
It's well known that the weakest point in any "secure" system is almost always the user.

Deva Link

26,934 posts

247 months

Tuesday 3rd May 2011
davepoth said:
Say, for example, you'd been treated for The Clap, due to a "dalliance". How would you feel if one of your enemies got a copy of your medical records and started blackmailing you?
Where I live the receptionists would probably tell everyone anyway.

ewenm

28,506 posts

247 months

Tuesday 3rd May 2011
davepoth said:
Say, for example, you'd been treated for The Clap, due to a "dalliance". How would you feel if one of your enemies got a copy of your medical records and started blackmailing you?
Heaven forbid you'd ever have to face the consequences of your actions! yikes

In the OP's tale it's a human failure, not a computer failure and I'd hope he has raised it with the chief administrator at the practice.

The Black Flash

13,735 posts

200 months

Tuesday 3rd May 2011
ewenm said:
Heaven forbid you'd ever have to face the consequences of your actions! yikes

In the OP's tale it's a human failure, not a computer failure and I'd hope he has raised it with the chief administrator at the practice.
Indeed, this would be a serious breach of NHS data policy, and probably the DPA as well. I'd advise you to complain to the practice (they should have a designated data controller AIUI).

crmcatee

5,712 posts

229 months

Tuesday 3rd May 2011
Why do you think putting them onto a computer has made them more secure than they were when they were in paper form?

JontyR

1,915 posts

169 months

Tuesday 3rd May 2011
fergywales said:
I'd be more pissed off at being asked to pay £50!
It should only cost £10... I thought! That is the standard cost for requesting information about yourself from any company, so I don't see how medical records are any different.

crmcatee

5,712 posts

229 months

Tuesday 3rd May 2011
Busa_Rush said:
The Dr said that paper records could be physically stolen as they are on display in 100's of drawers, but the electronic records are on a hard disk in a locked room behind another locked door. They are also electronically protected so you'd need an encryption key or password to access the raw data or the application.

But that shows where his thinking has taken him - he's not in his career had to deal with electronic security. He's a good Dr, I have no issue with his qualifications, experience, knowledge or ability to perform a medical diagnosis but his knowledge of electronic security is limited to a level which is way below the required standard.

If he's not aware of what needs to be done and why and what the risks are then notes will be given to anybody . . .
But the records are available on the network to be stolen lots of times. Doesn't matter how many doors you put in front of the physical device - if it's on the network it's accessible from somewhere. I would have said that the paper records were more secure - and only accessible from a single place.



ewenm

28,506 posts

247 months

Tuesday 3rd May 2011
Busa_Rush said:
The Dr said that paper records could be physically stolen as they are on display in 100's of drawers, but the electronic records are on a hard disk in a locked room behind another locked door. They are also electronically protected so you'd need an encryption key or password to access the raw data or the application.

But that shows where his thinking has taken him - he's not in his career had to deal with electronic security. He's a good Dr, I have no issue with his qualifications, experience, knowledge or ability to perform a medical diagnosis but his knowledge of electronic security is limited to a level which is way below the required standard.

If he's not aware of what needs to be done and why and what the risks are then notes will be given to anybody . . .
Is the Doctor the person responsible for the security of the information? In a busy surgery I'd have thought it would be an administrator. You should raise training concerns with the appropriate person - the desk staff need training in the DPA and processes put in place so that they don't give out confidential information when they shouldn't.

Security from theft seems good. Security from user-error seems poor at this surgery but they won't know (well, realise) unless you tell them and tell the right person.

Deva Link

26,934 posts

247 months

Tuesday 3rd May 2011
Busa_Rush said:
Why is this bad?

As mentioned above, you go for a new job, get on great - get the offer and give notice to your old job. (You could be a partner with a Bank or a general IT bod - doesn't matter) In the meantime they manage to see your medical records, see that 10 years ago you had anti-depressants for 6 months (they won't know why and can't ask you obviously) - or that you had a leg operation with complications . . . so remove the job offer.

You're applying for life cover for yourself and your wife, you want a high level of cover, big mortgage, 3 kids etc . . . you make all the relevant declarations and get the cover but it's then revoked for no reason . . . because the Ins Co have seen that 18 years ago you had a slight heart issue . . . you know it was caused by some dodgy tablets the pharmacist gave you but they won't, so no cover.
You made both of those up, didn't you?

In the second example, the life company will ask for permission to approach your Doctor anyway.

JonRB

75,191 posts

274 months

Tuesday 3rd May 2011
RobDickinson said:
This ISN'T the spine, isn't the mega health network that was planned, it's just your local GP's records.
The senior doctor in my local Practice is a Caldicott guardian and completely opposed to the Spine, to the extent of actively encouraging all patients to opt out of having their data added to it. And quite rightly too.

Sadly, few doctors and Practice Managers are as clued up on such data protection and confidentiality issues.