> PRS seem to have gone to great lengths to satisfy issues of
> data security and confidentiality

I've never heard of them. If they are serious about security then
why haven't they been in touch with us?

Does their system follow the BMA security policy? Are scripts
digitally signed? If not, what's to stop them being altered?  If so,
then how do they propose to manage signing keys? Will their trust
structure adopt the approach of one of the crypto pilots (and if so
which), or will it introduce yet another key management system?

> This software manages repeat script processing between GP and
> pharmacy and works with the underlying clinical system...
> using Reuters "Encounter" screen scraper

So the software is inside the practice's trust perimeter. What tests
have been done to ensure that it isn't a threat to either safety or
privacy? Even if it doesn't accidentally copy the personal health
information of other patients, how do you know it doesn't have bugs
that could subtly corrupt the practice database?  Has it been
evaluated under ITSEC, and if so to what level?

> Script manager connects to PRS's database using Racal Healthnet and the
> infrastructure already in place  to support GH-HA links. The system
> currently only handles repeat scripts but PRS say it will be extended to
> cover acute scripts.

Does this mean that the PRS database now becomes yet another large
aggregate of personal health information outside clinical control?
How well protected is this database anyway? It says:

> All the data flowing through the system is stored on PRSs central
> database which sits on a dedicated DEC alpha array in Racals ultra high
> security data centre in Runcorn.

That tells me nothing. Are they running on an ITSEC evaluated system?
Even if technical security measures are good, then what controls are
in place to prevent the information being passed to third parties?
They may say that

> they don't intend to use the data for purposes other than the
> provision of the services described

but is there an enforceable contract with anybody? Who will audit it,
and who will be responsible for reappointing the auditors (PRS)?

Suppose that the police ask for information on patient X. Will PRS
supply it quietly or fight it noisily? Will the patient - or his GP -
even learn that the police have been added to their access control list?

> Where the patient has requested that their scripts are transmitted to a
> "Health Plus" pharmacy the repeat is produced and transmitted

When the patient is asked for consent, what sort of information will be
supplied on the risks (answers to all the above questions)?

> Data is encrypted and identifiers are transmitted
> separately link by a code which would be meaningless  to  anyone
> intercepting the data.

If the encryption is sound, then why de-identify the data as well?
What algorithm is used - Red Pike or 3DES?  How are pharmacists'
decryption keys managed - does the government (or PRS) have a copy of
them? Has the key management protocol been subjected to formal
verification?

How meaningless would the code really be? Would it be like the
combination of postcode, date of birth and Soundex code of surname
used to pass around information on HIV sufferers without their
consent, or merely the combination of date of birth and postcode used
to index information on hospital treatment in the HES system? In both
those cases, the system owners were loudly confident in the privacy
protection that their stupid mechanisms gave. (In the case of HIV
data they still are.)

> Patients wishing to use the system will be expected to "register"
> with a particular "Health Plus" Pharmacy" to which the script will
> be forwarded

So if there's a long queue at Boots, I can't just go down the road ...

> The script will carry a bar code on the right hand tear off portion of
> the form and this will be used in conjunction with a bar coded patient
> held card and to link the paper and electronic script, finally by
> scanning the pack bar code a complete audit trail and check that
> prescription and items dispensed match is provided.

So we are not dispensing with paper; we are running paper and
electronic systems in parallel. That's nice. But who will end up
bearing the extra cost, and how will PRS make their money? What is
the business model?

On Ewan's description, the net effect of the system appears to be:

(1) some work is saved at the practice but at the cost of getting
    the patient to carry yet another card around. The cost of
    administering a card base is nontrivial and this appears to fall
    on the GP. There seems to be an expectation that HAs will pay up
    in the expectation of better compliance. Will they?

(2) a large database of personal health information is created that
    appears to be under the control of PRS rather than one of the
    clinical professions. It doesn't even appear to have an explicit
    contract with the Department that forbids it from selling data
    other than to the originators of that data, as Clearing has (and
    I'm not completely happy with Clearing)

(3) reliance is placed on a number of encryption and de-identification
    mechanisms which we haven't seen. Experience is that such
    mechanisms always have bugs and need to be subjected to capable and
    hostile review. This is not just my view - it is that of GCHQ as
    well

(4) There is a lot of work going on at present to try and hammer out
    agreement on crypto standards and build a trust infrastructure. I
    am concerned that the introduction of somebody's home brew
    encryption solution will muddy the waters and make everything more
    complex.

I think we need to be told a lot more before we can be expected to
recommend this to patients,

Ross




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%