Most GP systems will require security upgrades

The majority of GP clinical IT systems will not meet the Department of Health’s new data security requirements for transfer and storage of patient data and PCTs will need to fund the costs of extra encryption, according to Connecting for Health.

CfH’s programme director for GP Systems of Choice (GPSoC), Kemi Adenubi, has written to PCT and strategic health authority GPSoC leads to alert them to the latest requirements for secure storage and transmission of patient identifiable data and the need to meet the costs of additional encryption.

NHS chief executive David Nicholson ordered a review of NHS data security at the end of last year following the loss of confidential data on all recipients of Child Benefit by HM Revenue and Customs in November 2007. It advised trust chief executives to buy-in additional data security expertise if needed and to give priority to the security of data in transit.

This month’s letter from Adenubi states: “PCTs and practices have a responsibility to protect patient identifiable data in the practice and in transit. Most existing GP clinical IT systems do not currently provide the protection that will meet the Department of Health's data security requirements.”

Adenubi says the SafeBoot encryption software recently bought by CfH on behalf of the NHS can be used to meet most of the encryption requirements in a practice but specialist encryption software will be required for back up tapes and for some types of personal digital assistants (PDAs) used to access clinical data.

GPSoC suppliers will be asked to offer services for the encryption of system back ups, data archives on portable devices and other portable electronic media and drives or desktops. Suppliers will also be asked to set out how existing processes for services such as back up tape verification and data migration will need to be changed to meet CfH requirements.

Adenubi’s letter adds: “NHS CFH will negotiate value for money pricing for these services centrally in the expectation that all practices will require back up tape and PDA encryption as a minimum. There is however no central funding for the purchase of these services and it will fall to PCTs to order and fund these services locally.”

Services should be to be available to order under the GPSoC agreements by the end of April 2008 according to CfH but if practices and PCTs do not want to wait that long they can choose to purchase encryption services from suppliers outside of the GPSoC arrangements. The GP suppliers’ current proposals for protection of patient data are outlined on the CfH website.