Privacy experts concerned over NHS data collection plans

by Jeremy

A growing number of security and data privacy experts are warning that proposed NHS Digital plans to scrape medical data on 55 million patients in England into a new database create unacceptable levels of security risk. The plan was officially announced earlier in May, and of particular note is that patients have only until 23 June 2021 to opt out of the scheme by filling out a paper-based form and handing it to their GP. If they do not do so, their data will become part of the data store, and they will not be able to remove it, although they will be able to stop data yet to be generated from being added.

The General Practice Data for Planning and Research (GPDPR) database will contain swathes of sensitive personally identifiable information (PII), which will be pseudonymized and include data on diagnoses, symptoms, observations, test results, medications, allergies, immunizations, referrals, recalls and appointments. It will also include information on physical, mental, and sexual health, data on gender, ethnicity, sexual orientation, and staff who have treated patients.

It is proposed that the data store be shared by multiple bodies, including academic and commercial organizations such as pharmaceutical companies in the interests of research and forward health planning, to analyze inequalities in healthcare provision, and to research the long-term impact of Covid-19 on the population.

David Sygula, a senior cyber security analyst at CybelAngel, conceded that taken at face value, the plans provided some “strong benefits” from the perspective of an academic researcher, and agreed that – as NHS Digital hopes – an initiative such as GPDPR could be valuable in controlling the magnitude of the pandemic’s impact on the UK.

“However,” he added, “data collection on this scale is creating a new set of risks for individuals, where their personal health information is exposed to third-party data breaches. The extent of the unsecured database problem is growing. It is not simply an NHS issue, but the NHS’s third, fourth, or further removed parties too, and how they will ensure the data is securely handled by all suppliers involved. These security policies and processes need to be planned well in advance and details shared with both third parties and individuals.”

Sygula recommended several mechanisms that might usefully be put in place – such as the complete anonymization, not pseudonymization, of data – on the basis that a leak of data from the system is practically inevitable. “Security researchers, attackers, and rogue states have all put in place processes to identify unsecured databases and will rapidly find leaked information,” he said. “That is the default assumption we should start with. It is about making sure patients are not personally exposed in case of a breach while setting up the appropriate monitoring tools to look for exposed data among the supply chain.”
