Sharing 55 million NHS patients’ medical data: privacy and security experts call for more safeguards


Plans by NHS Digital to share NHS patient data of 55 million people in England have drawn fire from privacy and security experts.

A Financial Times report reveals that NHS Digital is creating a database of the medical records of around 55 million people who are registered with a GP practice.

These records could include sensitive data such as mental health records, sexual orientation or a history of drug-taking or abuse.

And controversially, it appears that the data could be shared with 'academic and commercial third parties for research and planning purposes'.

NHS Digital says that all patient data will be pseudonymised, and that each request for patient data will need to be approved.

"We do not collect patients’ names or exactly where they live. Any other data that could directly identify someone, for example their NHS number, full postcode and date of birth, is pseudonymised before it leaves their GP practice," it says.

"This means that this data is replaced with unique codes so patients cannot be directly identified in the data which is shared with us. The data is also securely encrypted."

Little warning for patients

However, privacy advocates are deeply concerned. Leading the charge is Foxglove, which campaigns for digital rights and is particularly worried about the scant warning patients have been given.

"Hancock announced this plan quietly, via a single website, and set a deadline of 23 June for us to opt out of our records being included. That’s why urgent action is needed right now," says Foxglove.

It's calling for the deadline to be postponed, the plans to share data with private companies scrapped and a full consultation held.

Healthcare data is a target

Others have highlighted the potential security risks of a database such as this. Since the beginning of the pandemic, healthcare organisations have been particularly targeted by hackers, with a January report from Check Point Software Technologies finding a 45 per cent increase in cyber-attacks targeting healthcare organisations globally in the previous three months alone.

And as for the NHS, the National Cyber Security Centre says it dealt with 723 cyber security incidents between 1 September 2019 and 31 August 2020, including more than 160 high-risk and critical vulnerabilities.

"It is not surprising that the NHS is facing backlash in response to this move. Sharing medical data with third parties is very risky, as there is no way to be sure they will have the proper security tools in place to keep the data safe," says George Papamargaritis, MSS director at Obrela Security Industries.

"While it looks like the NHS has plans to anonymise patient data, this is not a 100 percent guarantee of security protection. Anonymisation tools are very easy to reverse engineer." 

And as David Sygula, senior cybersecurity analyst at CybelAngel, points out, there are supply chain issues too.

"It’s not simply an NHS issue, but the NHS’ third, fourth or further removed parties too, and how they will ensure the data is securely handled by all suppliers involved," he says.

"These security policies and processes absolutely need to be planned well in advance and details shared with both third parties and individuals."