> PRS seem to have gone to great lengths to satisfy issues of
> data security and confidentiality

I've never heard of them. If they are serious about security then why haven't they been in touch with us? Does their system follow the BMA security policy? Are scripts digitally signed? If not, what's to stop them being altered? If so, then how do they propose to manage signing keys? Will their trust structure adopt the approach of one of the crypto pilots (and if so which), or will it introduce yet another key management system?

> This software manages repeat script processing between GP and
> pharmacy and works with the underlying clinical system...
> using Reuters "Encounter" screen scraper

So the software is inside the practice's trust perimeter. What tests have been done to ensure that it isn't a threat to either safety or privacy? Even if it doesn't accidentally copy the personal health information of other patients, how do you know it doesn't have bugs that could subtly corrupt the practice database? Has it been evaluated under ITSEC, and if so to what level?

> Script manager connects to PRS's database using Racal Healthnet and the
> infrastructure already in place to support GH-HA links. The system
> currently only handles repeat scripts but PRS say it will be extended to
> cover acute scripts.

Does this mean that the PRS database now becomes yet another large aggregate of personal health information outside clinical control? How well protected is this database anyway? It says:

> All the data flowing through the system is stored on PRS's central
> database which sits on a dedicated DEC alpha array in Racal's ultra high
> security data centre in Runcorn.

That tells me nothing. Are they running on an ITSEC evaluated system? Even if technical security measures are good, then what controls are in place to prevent the information being passed to third parties? They may say that

> they don't intend to use the data for purposes other than the
> provision of the services described

but is there an enforceable contract with anybody? Who will audit it, and who will be responsible for reappointing the auditors (PRS)? Suppose that the police ask for information on patient X. Will PRS supply it quietly or fight it noisily? Will the patient - or his GP - even learn that the police have been added to their access control list?

> Where the patient has requested that their scripts are transmitted to a
> "Health Plus" pharmacy the repeat is produced and transmitted

When the patient is asked for consent, what sort of information will be supplied on the risks (answers to all the above questions)?

> Data is encrypted and identifiers are transmitted
> separately link by a code which would be meaningless to anyone
> intercepting the data.

If the encryption is sound, then why de-identify the data as well? What algorithm is used - Red Pike or 3DES? How are pharmacists' decryption keys managed - does the government (or PRS) have a copy of them? Has the key management protocol been subjected to formal verification?

How meaningless would the code really be? Would it be like the combination of postcode, date of birth and Soundex code of surname used to pass around information on HIV sufferers without their consent, or merely the combination of date of birth and postcode used to index information on hospital treatment in the HES system? In both those cases, the system owners were loudly confident in the privacy protection that their stupid mechanisms gave. (In the case of HIV data they still are.)

> Patients wishing to use the system will be expected to "register"
> with a particular "Health Plus" pharmacy to which the script will
> be forwarded

So if there's a long queue at Boots, I can't just go down the road ...

> The script will carry a bar code on the right hand tear off portion of
> the form and this will be used in conjunction with a bar coded patient
> held card and to link the paper and electronic script, finally by
> scanning the pack bar code a complete audit trail and check that
> prescription and items dispensed match is provided.

So we are not dispensing with paper; we are running paper and electronic systems in parallel. That's nice. But who will end up bearing the extra cost, and how will PRS make their money? What is the business model?

On Ewan's description, the net effect of the system appears to be:

(1) some work is saved at the practice, but at the cost of getting the patient to carry yet another card around. The cost of administering a card base is nontrivial and this appears to fall on the GP. There seems to be an expectation that HAs will pay up in the expectation of better compliance. Will they?

(2) a large database of personal health information is created that appears to be under the control of PRS rather than one of the clinical professions. It doesn't even appear to have an explicit contract with the Department that forbids it from selling data other than to the originators of that data, as Clearing has (and I'm not completely happy with Clearing).

(3) reliance is placed on a number of encryption and de-identification mechanisms which we haven't seen. Experience is that such mechanisms always have bugs and need to be subjected to capable and hostile review. This is not just my view - it is that of GCHQ as well.

(4) there is a lot of work going on at present to try and hammer out agreement on crypto standards and build a trust infrastructure. I am concerned that the introduction of somebody's home brew encryption solution will muddy the waters and make everything more complex.

I think we need to be told a lot more before we can be expected to recommend this to patients,

Ross
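The post asks how "meaningless" a linking code built from postcode, date of birth and Soundex of surname really is. The following is an added worked example, not part of Ross's message or of the PRS system: it implements standard Soundex, builds such a code, and measures it the way a privacy evaluator would, by counting how many people in a register share each code (k-anonymity) and by comparing the size of the code space with the size of the population. The register entries, the postcode count and the population figure are constructed or rough assumptions, labelled as such in the code.

```python
import math
from collections import Counter

# Constructed practice register: (surname, ISO date of birth, postcode).
# Made-up records for illustration, not data from the original post.
REGISTER = [
    ("Anderson", "1956-09-15", "CB2 3QG"),
    ("Andersen", "1956-09-15", "CB2 3QG"),   # same Soundex, DOB and postcode
    ("Robert",   "1971-02-03", "WA7 1AB"),
    ("Rupert",   "1971-02-03", "WA7 1BB"),   # same Soundex, different postcode
    ("Tymczak",  "1988-12-30", "SW1A 1AA"),
    ("Pfister",  "2001-06-21", "M1 1AE"),
]

# Standard (American) Soundex letter classes.
_SOUNDEX_DIGITS = {}
for _letters, _digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                         ("L", "4"), ("MN", "5"), ("R", "6")):
    for _ch in _letters:
        _SOUNDEX_DIGITS[_ch] = _digit


def soundex(name: str) -> str:
    """Standard Soundex: first letter plus three digits, zero-padded.

    Letters with the same code are collapsed; vowels (and Y) separate them,
    H and W do not.  Surnames that sound alike share a code, so the code
    carries far less information than the name itself.
    """
    letters = [ch for ch in name.upper() if ch.isalpha()]
    if not letters:
        return ""
    out = letters[0]
    prev = _SOUNDEX_DIGITS.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":
            continue                      # H/W do not break a run of equal codes
        digit = _SOUNDEX_DIGITS.get(ch, "")
        if digit and digit != prev:
            out += digit
        prev = digit                      # vowel -> "" resets the run
    return (out + "000")[:4]


def link_code(surname: str, dob: str, postcode: str) -> str:
    """The kind of 'meaningless' code the post describes: postcode|DOB|Soundex.

    It is deterministic, so anyone holding a name-and-address list can
    recompute it and join it back to the de-identified records.
    """
    return f"{postcode.replace(' ', '').upper()}|{dob}|{soundex(surname)}"


def code_groups(register):
    """Number of register entries sharing each code (the k in k-anonymity)."""
    return Counter(link_code(*rec) for rec in register)


def singled_out_rate(register) -> float:
    """Fraction of people whose code is unique in the register, i.e. who are
    identified outright rather than hidden in a group."""
    groups = code_groups(register)
    singled = sum(1 for rec in register if groups[link_code(*rec)] == 1)
    return singled / len(register)


def code_space_bits(n_postcodes: int, n_dob: int, n_soundex: int = 26 * 7 ** 3) -> float:
    """log2 of the number of distinct codes: an upper bound on the identifying
    information one code can carry.  Soundex has 26 first letters x 7^3 digit
    combinations.  The caller supplies postcode and DOB counts."""
    return math.log2(n_postcodes * n_dob * n_soundex)


def population_bits(population: int) -> float:
    """Bits needed to single out one person in a population of this size."""
    return math.log2(population)


if __name__ == "__main__":
    for code, k in sorted(code_groups(REGISTER).items()):
        print(f"{code:28s} k={k}")
    print(f"singled out: {singled_out_rate(REGISTER):.0%}")
    # Assumed rough figures (not from the post): ~1.7M UK postcode units,
    # ~36,500 plausible dates of birth, ~60M people.
    print(f"code space: {code_space_bits(1_700_000, 36_500):.1f} bits, "
          f"population: {population_bits(60_000_000):.1f} bits")
```

The point the numbers make is the one the post makes in words: a code with tens of bits more entropy than the population needs to single people out is a pseudonym, not an anonymisation, and any party that can recompute it from a routine register can undo it.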