Before moving from "analogue to digital," the NHS has to fix its privacy flaws
Would you really want the NHS to have even more control over your most sensitive data?
Create a centralized database to make patient health records easily accessible by all NHS services, like hospitals, GP surgeries, and ambulances. These so-called "patient passports" are the main innovation of the government plan unveiled on Monday, October 21, to transform the NHS from "analog to digital" over the next decade.
Wes Streeting, the health secretary, promises these changes will modernize the country's healthcare institutions to considerably speed up patient care and reduce human errors. A new law, the Data (Use and Access) Bill, is also expected to support this transition and create a standard system where sharing these digital records is the new norm.
At first glance, fixing the issues currently crippling the NHS by embracing the power of digital tools looks like a much-needed step. Some European countries have been using a similar system for years – Estonia began digitalizing all patient records in 2008, for example. Yet, privacy experts (myself included) can see how easy it might be for this ambitious plan to turn into yet another privacy nightmare at the cost of our most sensitive information.
NHS has a bad track record in protecting our data
Let's start with the obvious – so far, the NHS has been really bad at protecting patients' health data against hackers.
The health data of UK citizens has been leaked on several occasions this year, landing on the dark web. On March 15, for example, a ransomware gang hacked into NHS Dumfries and Galloway's digital database and stole identifying information belonging to both staff and patients, including mental health data of children.
Pathology service provider Synnovis also suffered a major attack in June, resulting in hundreds of gigabytes of sensitive patient data leaking online. A National Cyber Security Centre (NCSC) executive, Professor Ciaran Martin, warned at the time against the risk of further attacks caused by the NHS IT systems being "out of date."
More recently, in August, the UK Information Commissioner's Office (ICO) filed a provisional fine of £6 million following the 2022 medical records hack that saw the personal information of almost 83k people compromised.
2023 was also a bad year for people's health data security. Over a million NHS patients have had their sensitive information leaked following a ransomware attack on the University of Manchester – affecting 250 GB, or over a decade’s worth, of patient data. Worse still, the security vulnerabilities of the NHS go back as far as 2012 when the personal information of over 1.8 million patients and staff was exposed.
This trend is only likely to increase considering that cyberattacks are more frequent and destructive than ever thanks to the spread of AI and machine learning software. According to experts, healthcare is among the fields hit the most.
All this is even more worrying considering that, at the time of writing, the government's ambitious plan is at a mere consultation stage – AKA, "we still have to figure out how to make these patient passports hacking-proof."
Well, I don't know about you but, as the situation stands now, I don't trust that the NHS will take good care of my data anytime soon.
No clear plan to escape the "Big Brother" effect
Besides data security, there's also another pressing question: how does the government plan to prevent privacy abuse? The plan is, Streeting says, "to ensure patients’ data is protected and anonymized." That's great – on paper, at least. Again, authorities don't have a clue how to do that in practice – and who knows if they ever will.
As health privacy advocates group medConfidential pointed out, these patient records will be accessible by any of the NHS’s 1.5 million staff. "Wes Streeting is planning a ’big brother’ database," said Sam Smith, a spokesperson for the group, according to the Guardian. "A gift to stalkers and creeps who misuse NHS systems to find out the most basic private details that people only tell their doctors."
Such a centralized database also increases the risk of private medical data being sold to big pharma and other companies without patients knowing about it. After all, something similar already happened with today's messy and scattered health record system. Last year, an Observer investigation shed light on how a covert tracking tool placed on the websites of 20 NHS trusts has for years collected browsing information and shared it with Facebook.
I also agree with privacy expert Jamie Akhtar, co-founder and CEO at CyberSmart, when he says that medical records will pass from being managed by healthcare professionals to "the control of politicians, who might decide to sell this sensitive information to the highest bidder," as Yahoo News reported.
While an NHS App already exists, it comes with limitations, as patient records are still held locally (on the systems of their GP and the hospitals they have visited). The new app will de facto reunite all the information about a patient across all parts of the health service in one place.
As we have seen, there's still a lot that we don't know about the current UK government's plan of action to execute its ambitious goal of making the NHS great again. What we do know, though, is that Britons aren't hopeful about the idea.
A public consultation published in May depicts a grim picture of public trust in the UK's healthcare institutions, with respondents completely lacking confidence in the NHS cybersecurity system. Four out of five patients believe that NHS systems are vulnerable to cyberattacks. Moreover, almost half (49%) strongly believe that the NHS could make mistakes in the handling of their data.
Wes Streeting is now urging both NHS staff and patients to take part in the "national conversation." You have time until the start of next year to voice your concerns and share ideas at change.nhs.uk.
Yes, we all know that the NHS needs to be better, but to do so it's crucial to have a solid plan of action to protect people's data privacy and security. Noble ideas alone won't save our most sensitive information from being leaked and abused.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com