I like to raise another issue on the security and confidentiality front.
That is the question of access to GP systems by suppliers for support
purposes. As I am concerned that any tightening up takes on board the
needs of suppliers and doesnt put barriers in place which will make it
more difficult for suppliers to provide prompt support and push support
charges up after a period when we have been successful in reduce our
support charges.

Id welcome list members feedback.

Our policy is in line with the most recent GMSC guidance of which are
aware which dates back many years. This is included in our support
contract as follows:

We acknowledge that when providing support services we may have access
to confidential data in relation to your practice and patients.  We
agree to keep access to such information limited to that strictly
necessary to provide our support services and to keep any such
information confidential.  When we take copies of data for support
purposes we will do so only with your consent, keeping such data secure
and returning or destroying it as soon as possible.  We will
destructively erase any data held on faulty hard disks removed from your
system in the course of maintenance as soon as is practicable.  Our
staff have been made aware of the importance of respecting the
confidentiality of your data and that summary dismissal is the likely
consequence of failing to do so.

We include a similar statement in our terms and conditions of employment
and ask all employees to sign an additional document acknowledging that
this particular aspect of their T&Cs has been explained to them.

There are three areas were we may have access to patient data:

Access to systems at customer sites.

We expect our customers to supervise access, but they usually wont
spare the staff and leave our people with free access. Most work on
customer sites does not require access to patient data other than for a
customer to demonstrate a problem and for us to demonstrate that a
problem has been solved. We encourage customers to use fictitious
patients if possible, most do.

Data called back to AAH Meditel.

In the case of problems that we cant replicate on test data  or in the
case of data damage (which can be caused in a number of ways) we
sometimes have to call in backup copies of customers systems for
diagnoses or repair. This often requires extensive access to patient
data. This process is controlled by a tight procedure under the ultimate
supervision of  our Medical Director. We have special procedure to avoid
staff handling data of people they know.

We also handle data occasionally to give an expert opinion as to whether
data and audit trails are valid in support of their use in evidence in
service hearings and court cases.

Remote Access

Much remote access work does not require access to patient data but some
does. We only access customer systems remotely by appointment to carry
out agreed work. We always phone back to confirm what we have done. We
encourage customers not to leave a dial in port open except for a
limited period by appointment. Other suppliers seem to be a lot more lax
just dialling in in response to a call to their helpdesk.

With System 6000 most online support can be done in such a way as the
customer can watch what we are doing (this is often also useful
training). This is not possible with System 5 and AMC 2000.

We already had the ludicrous requirements of the NHS Net code of
connection which forbids those who sign it making any other connections.
If customer sign and observe the route we been following of reducing
support charges year on year is likely to go into reverse.

Access for support purposes is essential. Being more restrictive makes
it difficult for both suppliers and customers. Many of the ways of
reducing risks further will cost a lot to implement. How much more will
GPs pay to provide further protection and supervision? Or are our
current procedures and safeguards adequate?

Ewan Davis
[log in to unmask] - Bromsgrove, UK

Managing Director AAH Meditel Ltd - Supplier of EMR Systems.
[log in to unmask] Voice +44 (0)1527 579414 Fax +44 (0)1527
837287


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%