Questions concerning both the physical security of primary health care computer systems and attitudes of individual practices toward these issues are becoming ever more important. These questions have become prevalent over the past several years due to the proliferation in the use of computers within GP practices and the increasing amount of patient information stored within them.
In order to help assess GP practice attitudes towards the security of their computer system, a postal questionnaire was distributed with the March 1995 edition of the Journal of Informatics in Primary Care. The questionnaire was targeted both at practices with a computer system and those contemplating obtaining one in the near future. All questions asked were related to the eight principles of the Data Protection Act 1984 (DPA) this being the nearest thing to a legal computer security contract which practices are obligated to sign and being recommended as "Good Practice" to adopt.
Out of a circulation of 571, around 346 of which are practitioners, 144 completed questionnaires were received back from GP practices (although no rigorous checks were made to ensure that practices did not return more than one questionnaire). This is a return of 41.6% which is above the 20% to 30% range required to validate the survey's findings.
All except one of the respondents had a computer system and had registered under the DPA.
To begin with, an overview of practice response to the survey will be given, including descriptive details of training used and general attitudes. It should be remembered throughout that the sample is biased, all parties returning the questionnaire had an obvious interest in primary health care computing illustrated by their subscription to the Journal of Informatics in Primary Care.
The paper will then be structured in accordance with the analysis of the summary by splitting the eight DPA principles into three broad categories:
The above three categories will be used as a framework for the analysis of the responses collected from the questionnaire. In addition to this, reference will also be made to some of the free form comments returned, before discussing the results.
The questionnaire made general enquiries concerning:
Table 1: Computer systems used by GP practices in sample
|No. of practices||Practice Computer Systems|
|3 each||Exeter Systems, Microtest Practice Manager, Surgery Manager, unspecified|
|2 each||AmSys, Genisyst (GRSA), MCS500|
|1 each||Abies, Ambridge, AMC2000, Interaction Systems PRMS, Medical Care Systems, Microsoft Access, MISQL, MPASS, Panacea, PCS-Medical Primary Care System, Phoenix, Update PCS, W.C.S.|
The following descriptive results were obtained (all % given to 1 decimal place):
The first four DPA principles state respectively that:
It is assumed that when registering under the DPA, practices will specify any outside organisations likely to receive patient data for other reasons than their direct medical care. The questionnaire asked whether practices thought that patients ought to be made aware of this information-sharing.
A high percentage of practices thought it either "Important" or "Very Important" to tell patients if their personal details were passed to third parties (53% and 21% respectively). Patient sensitivity about the issue of who sees their personal details was illustrated by Hawker. A number of the free form comments received from practices were concerned with this issue. These stated either that no data would ever be passed to outside organisations, or that the only data given to third parties would first be made totally anonymous, the assumption presumably being that the latter situation makes it impossible to identify individual patients.
The fourth DPA principle says that all data held shall be adequate, relevant and not excessive. Practices were asked their opinion of the importance in the collection and storage of certain information surrendered by the patient.
Most practices feel that the collection of patient information concerning Name and Address, Date of Birth, Sex, and Medication are "Very Important" (99%, 97% and 99% respectively). The reasons for this are obvious and do not need spelling out here. The collection of other data items have been questioned. Such questions have been posed specifically by the report "The Office of the Data Protection Registrar. NHS Contract Minimum Data Set" which investigated whether collection of the "Contract Minimum Data Set" (CMDS) was a contravention of the DPA. This report found that collection of the CMDS could in fact be seen as contravening the fourth principle of the DPA, specifically in terms of the fields "ethnic origin" and "marital status". Both these fields, the report argues, could be viewed as excessive data collection.
There appears to be variable opinion among practices concerning the collection of the "marital status" information (Very important - 29%, Important - 25%, Of average importance - 32%, Less important - 10%, Not very important - 4%), while the majority, around 42%, seem to feel that knowledge of a patient's "ethnic origin" is "Not very important". Practices may well may be able to present "real world" arguments why these two contentious fields should not be regarded as excessive data collection, thus contradicting the above report.
Practices show reasonable awareness of the legal implications with respect to the data that they are collecting. Practices are, on the whole, protective toward their patients' information, only passing data to third parties either after consent has been given or after the data has been made anonymous. The second point concerning contentious fields is one very much open to discussion by all parties. No absolute conclusion can be drawn here as to whether practices should or should not collect them.
The second category of questions alluded to by the survey, considers the practice responses with respect to the matter of data storage.
The fifth principle of the DPA requires routine system backup to ensure that both accurate and up-to-date data can be restored to the system in the event of a machine failure. 93.1% of practices thought "Regular" data backups were essential. There was more variance between practices concerning checking with patients that details stored about them were accurate:
The DPA principle that no data should be held longer than required did cause some consternation from practices when asked if they ever purged patient records from their system:
Several practices raised the problem that they are not allowed by law to discard patient records.
The controlling of Data Access may be split into two sub-categories, "Protection of hardware" and "Protection of data".
The questionnaire asked practices about both the physical location of their computer system and measures taken to assure its security. The following points were ascertained:
Practices again showed their awareness of computer security and seemed willing to support these requirements as far as practicalities allowed. The variance in opinion concerning the locking away of equipment when not in use may best be explained by one comment received. This practice claimed to have numerous VDUs and printers and it was simply not practical to lock them all up in cupboards each night!
The seventh DPA principle states that patients have the right of "Subject Access", that is, to view information held about them on the practice computer (although not if the clinician feels that this may be detrimental to their health). Practices were questioned in relation to this "Subject Access" and the survey found that:
58% of practices felt that it was "very important" for clinicians to monitor information given to patients, and 28% felt that it was "important". There does appear to be a slight anomaly concerning "Subject Access". While practices are obliged to meet this requirement of the DPA and GPs seem to recognise the fact that they should monitor any outgoing patient data, there do seem to be differing opinions as to whether patients should be allowed access to their details.
The second consideration concerning Data Access involved the practice staff usage of the computer. The questionnaire enquired about various aspects of staff accessing the computer which received the following responses:
The last two questions have caused difficulties for practices mainly due to administration staff having to have access to patient medical details for their clerical duties, such as the production of referral letters. Again there is a conflict between the requirements of the DPA and "real world" pressures and again there seem to be no obvious solutions.
A brief discussion follows regarding certain factors found when analysing the questionnaire results. An attempt is made to offer explanations to some of these findings (although these are obviously open to subjective interpretation).
The final two points illustrate obvious security weaknesses, from the perspective of the DPA, when considering Data Storage. Practices overall seem reluctant to check the accuracy of information with patients. Also, practices in general failed to see the necessity to purge their computer systems of old and redundant records by placing them into an archive. While both these issues may present impracticalities under "real world" pressures, they are nevertheless breaches of the DPA which all practices completing the questionnaire have signed.
This survey was conducted among a group of practices who have an obvious awareness of issues concerning computerisation. Generally, a good appreciation of computer security and obligations towards the DPA were shown. Weaknesses did appear to be evident in the area of "Data Storage" and some protection of hardware, these probably being due to the realities of running a GP practice. Some confusion was also shown concerning the rights of patients having access to their computerised data.
The general awareness towards computer security within the GP practice environment appears to be greater than our previous correspondence6 had first anticipated. However, this survey has also highlighted certain areas in which practices are presently contravening the DPA.
Thanks to the Primary Health Care Specialist Group for their kindness in distributing the questionnaire with the Journal of Informatics in Primary Care. A grateful thank you to all the GP practices who responded. We hope you find the results interesting and informative.