BMA Scotland demands portal security

The BMA in Scotland is calling for tighter controls on access to shared record information as the Scottish Parliament prepares to debate the introduction of clinical portal technology.

BMA Scotland said it was “broadly supportive” of plans to introduce clinical portals to share information between primary and secondary care, and possibly with non-NHS databases such as child protection systems.

However, it said it was concerned about patient confidentiality and how access would be managed.

Dr Alan McDevitt, deputy chairman of the Scottish General Practitioner Committee and lead on IT issues, said: “If portals are to be accessible from computers anywhere within the NHS then it is our view that username and password access does not offer sufficient security of data.”

Scotland is working on plans to enable sharing of information via clinical portals and NHS Greater Glasgow and Clyde and NHS Tayside have already put some systems in place. A report from the Scottish Health Committee earlier this year criticised slow progress across the country on roll-out of the clinical portals.

The report is due to be debated by Members of the Scottish Parliament today. Ahead of the debate, BMA Scotland said it was concerned that it may be commonplace for usernames and passwords to be shared between medical staff - either because staff did not receive access to systems promptly or were unable to reset their passwords out-of-hours.

Dr McDevitt added: “While this is already an issue of concern, the risk of misuse in an environment where clinical portals display much more data about many more people, is considerably greater.”

The BMA is called for an “identity and access” system to make sure that access is granted promptly to those who need it following secure identity checks that can be reset at all times and that stop access when staff leave or change roles.

A spokesperson for BMA Scotland told EHI Primary Care that a system similar to the smartcard system used in England might be appropriate.

Dr McDevitt added: “The BMA strongly believes that introducing tighter controls will be far more effective at limiting inappropriate access to electronic patient records than using retrospective audit in isolation.”