Journal of Informatics in Primary Care 1995 (September):6-12

Articles

GP Practice computer security survey

Robert A. Pitchford (Health Care Support Unit)
Stephen Kay (Medical Informatics Group) University of Manchester

Introduction

Questions concerning both the physical security of primary health care computer systems and attitudes of individual practices toward these issues are becoming ever more important. These questions have become prevalent over the past several years due to the proliferation in the use of computers within GP practices and the increasing amount of patient information stored within them.

In order to help assess GP practice attitudes towards the security of their computer system, a postal questionnaire was distributed with the March 1995 edition of the Journal of Informatics in Primary Care. The questionnaire was targeted both at practices with a computer system and those contemplating obtaining one in the near future. All questions asked were related to the eight principles of the Data Protection Act 1984 (DPA)† – this being the nearest thing to a legal computer security contract which practices are obligated to sign and being recommended as "Good Practice" to adopt[1].

Out of a circulation of 571, around 346 of which are practitioners, 144 completed questionnaires were received back from GP practices (although no rigorous checks were made to ensure that practices did not return more than one questionnaire). This is a return of 41.6% which is above the 20% to 30% range required to validate the survey's findings[2].

All except one of the respondents had a computer system and had registered under the DPA.

The structure of the paper

To begin with, an overview of practice response to the survey will be given, including descriptive details of training used and general attitudes. It should be remembered throughout that the sample is biased, all parties returning the questionnaire had an obvious interest in primary health care computing illustrated by their subscription to the Journal of Informatics in Primary Care.

The paper will then be structured in accordance with the analysis of the summary by splitting the eight DPA principles into three broad categories:

1. Data Collection
2. Data Storage
3. Data Access

The above three categories will be used as a framework for the analysis of the responses collected from the questionnaire. In addition to this, reference will also be made to some of the free form comments returned, before discussing the results.

General Practice computer system overview

The questionnaire made general enquiries concerning:

• The general usage of the computer systems within the practice
• Staff training and usage of the computer system
• The general philosophy regarding practice computerisation

The general usage of the computer systems within the practice

Table 1: Computer systems used by GP practices in sample

The following descriptive results were obtained (all % given to 1 decimal place):

• The length of time practices had been computerised showed a wide variation, between a maximum of 16.8 years to a minimum of 2 years.
• A variety of different computer systems were in used, the main three being:

EMIS( 24.3% of practices)

AAH Meditel (23.6% of practices)

VAMP(19.4% of practices)

For a full list of other computer systems used by GP Practices, see table 1.

• 50.0% of practices had their computers connected to the outside world.

Staff training and usage of the computer system

• The number of staff who used the computer system varied from a single GP to a maximum of 29 clinicians (both GPs and nursing staff). From the responses, administration staff outnumber clinicians by a ratio of nearly 2:1
• 80.6% of practices employed a computer manager
• 70.8% of practices thought it "Very Important" to train the staff concerning the use of the computer (18.8% registering that this was just "Important")

General attitudes regarding practice computerisation

• 84.0% of practices thought it important to have a computer security policy
• 90.3% of practices thought it "Very Important" to make all staff aware of their responsibilities toward security and confidentiality of patient computerised data
• Practices who thought that a computer system would be an important improvement on their efficiency, ranged from:

52.8% "Very Important"

25.7% "Important"

6.9% "Average Importance"

• When asked how secure they thought patient data would be held upon computer, practices gave the following responses:

"Very secure" 31.9%

"Secure" 36.8%

"Of average security" 12.5%

"Less than secure" 4.9%

"Not very secure" 2.1%

Data Collection

The first four DPA principles state respectively that:

• DPA 1: Information should be obtained fairly and lawfully
• DPA 2: Information should only be held for specified purposes
• DPA 3: Information should not be used for purposes other than those specified
• DPA 4: Information should be adequate, relevant and not excessive

It is assumed that when registering under the DPA, practices will specify any outside organisations likely to receive patient data for other reasons than their direct medical care. The questionnaire asked whether practices thought that patients ought to be made aware of this information-sharing.

A high percentage of practices thought it either "Important" or "Very Important" to tell patients if their personal details were passed to third parties (53% and 21% respectively). Patient sensitivity about the issue of who sees their personal details was illustrated by Hawker[3]. A number of the free form comments received from practices were concerned with this issue. These stated either that no data would ever be passed to outside organisations, or that the only data given to third parties would first be made totally anonymous, the assumption presumably being that the latter situation makes it impossible to identify individual patients.

The fourth DPA principle says that all data held shall be adequate, relevant and not excessive. Practices were asked their opinion of the importance in the collection and storage of certain information surrendered by the patient.

Most practices feel that the collection of patient information concerning Name and Address, Date of Birth, Sex, and Medication are "Very Important" (99%, 97% and 99% respectively). The reasons for this are obvious and do not need spelling out here. The collection of other data items have been questioned. Such questions have been posed specifically by the report "The Office of the Data Protection Registrar. NHS Contract Minimum Data Set"[4] which investigated whether collection of the "Contract Minimum Data Set" (CMDS) was a contravention of the DPA. This report found that collection of the CMDS could in fact be seen as contravening the fourth principle of the DPA, specifically in terms of the fields "ethnic origin" and "marital status". Both these fields, the report argues, could be viewed as excessive data collection.

There appears to be variable opinion among practices concerning the collection of the "marital status" information (Very important - 29%, Important - 25%, Of average importance - 32%, Less important - 10%, Not very important - 4%), while the majority, around 42%, seem to feel that knowledge of a patient's "ethnic origin" is "Not very important". Practices may well may be able to present "real world" arguments why these two contentious fields should not be regarded as excessive data collection, thus contradicting the above report.

Practices show reasonable awareness of the legal implications with respect to the data that they are collecting. Practices are, on the whole, protective toward their patients' information, only passing data to third parties either after consent has been given or after the data has been made anonymous. The second point concerning contentious fields is one very much open to discussion by all parties. No absolute conclusion can be drawn here as to whether practices should or should not collect them.

Data Storage

The second category of questions alluded to by the survey, considers the practice responses with respect to the matter of data storage.

• DPA 5: Information should be accurate and up-to-date
• DPA 6: Information should not be kept for longer than is necessary

The fifth principle of the DPA requires routine system backup to ensure that both accurate and up-to-date data can be restored to the system in the event of a machine failure. 93.1% of practices thought "Regular" data backups were essential. There was more variance between practices concerning checking with patients that details stored about them were accurate:

• 33.3% "Very Important"
• 36.1% "Important"
• 24.3% "Of Average Importance"
• 4.9% of "Less Importance"

The DPA principle that no data should be held longer than required did cause some consternation from practices when asked if they ever purged patient records from their system:

• 11.1% stated they "Regularly" purged patient records
• 5.6% "Often" purged patient records
• 13.2% "Sometimes" purged patient records
• 11.1% "Not Often" purged patient records
• 56.9% stated that they "Never" purged records

Several practices raised the problem that they are not allowed by law to discard patient records.

Data Access

• DPA 7: Information should available for "Subject Access"
• DPA 8: Information and the hardware storing it should be afforded adequate physical security

The controlling of Data Access may be split into two sub-categories, "Protection of hardware" and "Protection of data".

Protection of hardware

The questionnaire asked practices about both the physical location of their computer system and measures taken to assure its security. The following points were ascertained:

• 10.4% of practices reported having had computer hardware stolen
• Practices who thought it important that computer equipment be locked away when not in use ranged from:

31.9% "Very Important"

22.2% "Important"

19.4% "Of Average Importance"

10.4% "Less Important"

15.3% "Not Very Important"

• Practices were asked how important that their premises be secure enough to house computer equipment, 74.3% thought this "Very Important" while 13.9% thought it "Important"
• 71.5% of practices thought it "Very Important" to destroy redundant computer printouts in a secure manner, while 20.8% registered this as being "Important"

Practices again showed their awareness of computer security and seemed willing to support these requirements as far as practicalities allowed. The variance in opinion concerning the locking away of equipment when not in use may best be explained by one comment received. This practice claimed to have numerous VDUs and printers and it was simply not practical to lock them all up in cupboards each night!

Protection of data

The seventh DPA principle states that patients have the right of "Subject Access", that is, to view information held about them on the practice computer (although not if the clinician feels that this may be detrimental to their health). Practices were questioned in relation to this "Subject Access" and the survey found that:

• Practices' feelings towards allowing patient access to information held about them varied:

34.7% "Very Important"

27.8% "Important"

22.9% "Of Average Importance"

10.4% "Less Important"

3.5% "Not Very Important"

• 45.1% of practices claimed to have "Never" had a "Subject Access" request, while 50.0% said that this was a very rare occurrence.

58% of practices felt that it was "very important" for clinicians to monitor information given to patients, and 28% felt that it was "important". There does appear to be a slight anomaly concerning "Subject Access". While practices are obliged to meet this requirement of the DPA and GPs seem to recognise the fact that they should monitor any outgoing patient data, there do seem to be differing opinions as to whether patients should be allowed access to their details.

Practice staff usage of data

The second consideration concerning Data Access involved the practice staff usage of the computer. The questionnaire enquired about various aspects of staff accessing the computer which received the following responses:

• Practices asked whether staff choose their own passwords gave varying response:

44.4% thought this "Very Important"

22.9% "Important'

15.3% "Of Average Importance"

9.7% "Less Important"

6.2% "Not Very Important"

• Practices asked whether it was important that only clinicians have access to patient medical records again showed a varied response:

14.6% thought this "Very Important"

17.4% "Important"

25.0% "Of Average Importance"

22.2% "Less Important"

19.4% "Not Very Important"

• Finally practices were asked how important it was that patient records be viewed only on a "need-to-know" basis; this also gave a mixed response:

25.7% "Very Important"

26.4% "Important"

30.6% "Of Average Importance"

9.7% "Less Importance"

7.6% "Not Very Important"

The last two questions have caused difficulties for practices mainly due to administration staff having to have access to patient medical details for their clerical duties, such as the production of referral letters. Again there is a conflict between the requirements of the DPA and "real world" pressures and again there seem to be no obvious solutions.

Discussion

A brief discussion follows regarding certain factors found when analysing the questionnaire results. An attempt is made to offer explanations to some of these findings (although these are obviously open to subjective interpretation).

• There may be some interest in the fact that computer system usage was in a ratio of about 2:1 between administrative staff and clinicians? Reasons for this could possibly be partly explained by the employment of part-time clerical and reception staff. There is also the possibility of practices being fundholding, thus placing a greater administrative burden upon the computer system.
• Another factor of interest, is the survey's findings regarding the perceptions towards the security of patient data while held upon the computer system. The majority of 36.8% and 31.9% thought it "Secure" or "Very secure" respectively. With the general ideology, rightly or wrongly, that no data held upon computer is safe5, one may have expected the figures to be skewed more towards the "Not very secure" category.
• There appeared to be some contradiction between practices' feelings towards patients' data access. Only 27.8% thought patient access to their computerised data "Important" and 34.7% "Very Important". This may be regarded as contrary to their obligations towards "Subject Access" requests under the DPA. An explanation for this may be found in the fact that relatively few "Subject Access" requests have been attempted. This may mean that GPs are lacking experience in the area of allowing patients access to a controlled set of data. If the demand for "Subject Access" increases, the anxiety felt by GPs about letting patients view certain details concerning them may be eased.
• There appeared to be a variance among practices regarding the checking with patients the correctness of their data held upon the system. Only 36.1% and 33.3% of practices regarded this as "Important" or "Very Important" respectively, even though it is an obligation under the DPA. One explanation for this could lie in the time-consuming practicalities of checking the personal details of each patient entering the practice.
• The majority of practices, 56.9%, failed to purge patient records from their computer system. As earlier stated, some practices argued that they are legally obligated to keep all patient information. In view of this fact, it could be argued that no data is kept for an excessive amount of time. From the perspective of ensuring the efficiency and speed of the computer system, perhaps any "inactive" data should be placed into an archive, although, as one practice pointed out, the patient data is more vulnerable on backup media than on the actual computer systems.

The final two points illustrate obvious security weaknesses, from the perspective of the DPA, when considering Data Storage. Practices overall seem reluctant to check the accuracy of information with patients. Also, practices in general failed to see the necessity to purge their computer systems of old and redundant records by placing them into an archive. While both these issues may present impracticalities under "real world" pressures, they are nevertheless breaches of the DPA which all practices completing the questionnaire have signed.

Conclusion

This survey was conducted among a group of practices who have an obvious awareness of issues concerning computerisation. Generally, a good appreciation of computer security and obligations towards the DPA were shown. Weaknesses did appear to be evident in the area of "Data Storage" and some protection of hardware, these probably being due to the realities of running a GP practice. Some confusion was also shown concerning the rights of patients having access to their computerised data.

The general awareness towards computer security within the GP practice environment appears to be greater than our previous correspondence6 had first anticipated. However, this survey has also highlighted certain areas in which practices are presently contravening the DPA.

Acknowledgments

Thanks to the Primary Health Care Specialist Group for their kindness in distributing the questionnaire with the Journal of Informatics in Primary Care. A grateful thank you to all the GP practices who responded. We hope you find the results interesting and informative.

References

1. Barry Barber. Towards an Information Technology Security Policy for the NHS. In HC91: Current Perspectives in Healthcare Computing. BJHC, 1991:345–351
2. Moser CA, Kalton G. Survey Methods in Social Investigation. Heinemann Educational Books Limited, 1971
3. Hawker A. Confidentiality of personal information: a patient survey. Journal of Informatics in Primary Care 1995 (March):16–18
4. Data Protection Registrar. The Office of the Data Protection Registrar. NHS Contract Minimum Data Sets. Technical Report. Office of the Data Protection Registrar, 1993
5. Russell D, Gangemi Sr, GT. Computer Security Basics. O'Reilly and Associates Inc., 103 Morris Street, Suite A, Sebastopol, CA 95472., first edition, July 1991
6. Pitchford RA, Kay S. GMP Accountability is What Counts. Journal of Informatics in Primary Care, 1994 (December):32–34

Appendix: Data Protection Act Principles

1. The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully,
2. Personal data shall be held only for one or more specified and lawful purposes.
3. Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or purposes.
4. Personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or purposes.
5. Personal data shall be accurate and, where necessary, up-to-date.
6. Personal data held for any purpose or purposes shall not be kept for longer than necessary for that purpose or purposes.
7. An individual shall be entitled:

   (a)

   at reasonable intervals and without undue delay or expense:

   i) to be informed by any data user whether he holds personal data of which that individual is the subject; and

   ii) to access to any such data held by the data user; and

   (b)

   where appropriate, to have such data corrected or erased.

8. Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.

On to the next article

Back to September 1995 informatics Contents Page

Back to informatics Index