Anger over EC medical data-sharing scheme

Anger over EC medical data-sharing scheme

Summary: Experts are outraged by a plan that would make UK citizens' medical details accessible across Europe

SHARE:
TOPICS: Networking
2

The European Commission is about to call for proposals on how patients' medical details would be shared between its member states, with the UK almost certain to be included in the scheme.

Within the next few days, an initiative called the Competitiveness and Innovation Framework Programme (CIP) will be adopted as part of Framework 7, a massive drive by the EU to fund research and development, with e-health being a major beneficiary.

One requirement of the CIP will be to establish interoperability between member states' healthcare IT systems, such as the NHS's so-called "Spine", which is the new UK database of patient care records.

If it comes to the point that everyone of the five million people working in healthcare in Europe, plus the CIA and hackers, can access my medical information, then I'll stop using the health service

Professor Ross Anderson, Cambridge University

This aim was outlined in a document published in September last year, entitled Connected Health: Quality and Safety for European Citizens. In this document, the Commission's ICT for Health unit called for interoperability between nations' healthcare systems, arguing that "health, social care and other providers must no longer work in isolation, but need to collaborate as a team, if necessary beyond their national and linguistic borders".

On Wednesday, Paul Timmers, the head of the Commission's eGovernment unit, told a London telehealth symposium that work was already underway on "interoperable platforms that can work… across borders".

Dr Gerard Comyn, head of the ICT for Health unit, confirmed on Thursday that the idea will shortly enter the "proposals stage", part of the competitive bidding process. This will be followed by a large-scale pilot involving six member states. According to those close to the plans, the UK is certain to be one. The pilot stage will take about three years to become operational and "real scale operations" should be in place by 2012.

"The UK is a net beneficiary of the scheme," said one source on Wednesday, explaining that member states will have to supply at least 60 percent of the funding, with the European Commission providing the rest. The UK Research Office to the EU (UKRO), which is funded by many UK research councils, is also understood to be involved.

The data that will be shared will include some kind of emergency care records and patients' medication histories. The aim of the scheme is that if, for example, a UK citizen falls ill while in Spain, doctors there will know what medication the patient cannot take or what existing conditions they already have.

But according to Ross Anderson, a Cambridge University security engineering professor and longstanding critic of the NHS's multi-billion pound centralising systems upgrade, the National Programme for IT (NPfIT), the scheme is unnecessary and could even be counterproductive.

"If you're somebody with information that should be known, at present you will carry either a bracelet or a card in your wallet to say so," Anderson told ZDNet UK on Thursday. "It is foolish to move to a computer for the simple reason that, if you have the information either on an online database or sitting on a smartcard, then the computer could be down. Human-readable information which you can carry is the most appropriate technology."

Anderson explained that a voluntary scheme along these lines has already been in place within the UK for over 10 years, and claimed that the Commission's new scheme had been proposed before, and was "not driven by healthcare concerns but by lobbying from the French smartcard industry".

Anderson also claimed that the scheme was little more than a "covert industrial subsidy" with money going "to whoever is closest to the Commission", saying: "I sincerely hope it's another round of something that's never going to happen. If it comes to the point that every one of the five million people working in healthcare in Europe, plus the CIA and hackers, can access the information, then I'll stop using the health service".

It is unclear at this stage what level of security will be built into the Commission's initiative. Comyn confirmed that "it will be up to the member states to take appropriate actions on security and make sure the level of security they choose is in line with the national levels". As there is already disquiet within the UK about the security implications of having a centralised national health database, the idea of those details being available in other countries, under those countries' home-grown security restrictions, seems sure to cause further concerns.

It is also not clear whether this interoperability was part of the original specification for the UK's NPfIT, or whether it will create new requirements and costs for the scheme. Richard Granger, the head of NPfIT, had not responded to a request for comment at the time of writing.

Murray Bywater, managing director of Silicon Bridge Research and founding chairman of the Intellect Healthcare Group, told ZDNet UK that interoperability was not yet a reality within the UK, let alone Europe. "I go to Brussels often, but when I go do I worry about my medical records being available there?" he asked. "It doesn't even cross my mind — I would love to have decent records in Basingstoke where I live, though."

Suggesting that the EC figures behind the scheme were "off their trolleys", Bywater went on to call the scheme a "colossal waste of money and energy", with only "the usual suspects" standing to gain from EC funding. He also pointed out that there are very few working agreements between member states allowing patients to be treated outside of their home countries, despite an EU directive to this effect.

"Interoperability is great, but it is nowhere near at the stage where you could envision a European solution," Bywater said on Friday. "There are better and more pragmatic ways to do it if they really wanted to."

Bywater suggested that one such approach might be to have disease-specific patients' groups, such as those specialising in diabetes or heart disease, suggest what information they would like to see made available on a secure web portal. Patient-specific URLs for this portal could then be carried by travellers and given to local health providers if necessary. In this way, he explained, doctors and patients might "get over all of the security and privacy concerns" associated with sharing confidential information.

Topic: Networking

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • Naive politicians constantly waste public funds on grand IT schemes

    Politicians who don't understand the complexities of software development naively think that just because they set up a contract with a supplier who claims to be able to deliver, the supplier can deliver. I thought it was only British politicians, but I am alarmed to discover that EC politicians/administrators are falling for this.

    As a result of reading about the NHS disaster I produced an analysis here http://www.cs.bham.ac.uk/research/projects/cogaff/misc/isoft

    showing why the problems of forecasting resources required grows exponentially with the size of the project, except for projects that are minor variants of what has been done before, which the medical scheme is not.

    Moreover, there are many reasons why it is *impossible* to make such systems secure. If it were possible the big banks, who have been in this field for years, would not be losing vast sums of money through fraud, etc. Again politicians are naive in thinking that just pumping money into software companies will ensure that security is achieved.

    Moreover, the academics who think that if only proper mathematical/formal methods are used it will be possible to ensure correctness of designs forget that big systems are embedded in a physical, psychological, social and economic environment that they have not a hope in hell of accurately representing in their models, and even if they could, the combinatorics would defeat them.

    I think the answer is only to grow small systems, and to run many small experiments in parallel, learning from experience. If public funds are spent, make sure that all results are guaranteed to be in the public domain so that other developers can take the sources and find and fix bugs and improve designs. Don't employ companies that will not agree to this. Others will.

    Aaron Sloman
    www.cs.bham.ac.uk/~axs
    A.Sloman9
  • Cracking a walnut with a sledge hammer

    Apart from the infringement of human rights and invasion of privacy, this wonderful sounding idea will, if it is IT successful, result in a massive expenditure of taxpayers funds on the infrastructure and the wages of hundreds if not thousands of operating staff just to cater to the infinitely small number of travellers within the participating states.
    Far easier would be for persons travelling abroad to be able to get a re-writable CD loaded with the necessary medical information from their GP.
    Compatible programmes would need to be in place throughout participating nations. CDs could be updated every time medical treatment was accessed.
    And, above all, this is outside the authorised scope of the EC.
    hampshirehog