NHS patient information open to computer attack

'NHS needs an encryption based communications infrastructure'

National Health Service representatives have concluded that patient information held on health service computers is highly vulnerable to interception and theft, highlighting the need for an encryption based communications infrastructure.

NHS delegates came to this conclusion at the second IMPACT (In Medical Practice Action to Co-ordinate Technology) conference held in Birmingham yesterday.

The overwhelming consensus was that the need for a secure and reliable communications infrastructure within the health service has reached crisis point.

Conference co-ordinator Barry James commented on the seriousness of the current security situation saying, "It is abundantly clear that the network's current 'ring-fence' security model is totally inadequate and inappropriate. Unless encryption is adopted it can only be a matter of time until there is a security breach which could put the NHS back several years."

It is three months since the first IMPACT meeting highlighted the importance of developing a secure computer network for the NHS and James also called for immediate government action at the conference saying, "The NHS is still high and dry with no new plan on the table and no more information now than it had then. These are not issues that will go away. Decisions are being made locally on a daily basis and we need urgent clarification."

Yesterday's conference also decided that encrypted SMTP based communication is preferable to the highly traceable X.400 mail protocol that has long been preferred within the NHS. James describes the X.400 protocol as an "inappropriate, obsolete and over-complicated technology," and Dr Adrian Midgley said of the X.400 protocol, "The continuing attempts to impose X.400 where it is clearly rejected are interfering with this important next step, and risk damaging the whole program."

Until April this year GPs had to pay per email for communications across the NHS network. Although the government now funds communications, it was also revealed at the conference that a group called the GPnet is to investigate exactly how patients will bear the brunt of this cost.

The conferences resulted in three main statements from doctors and delegates concerning the NHS computer infrastructure were:

  • Security of patient information.
  • A reliable communications network.
  • No more resources should be wasted on the obsolete X400 system.