The British Medical Association in Scotland has today called for tougher safeguards to protect the confidentiality of electronic patient records. It comes as members of the Scottish Parliament prepare to debate a report of the Health Committee on Clinical Portal Technology and Telehealth.
The BMA says that patient information accessible through clinical portals may be available outside the NHS, possibly to those viewing child protection systems.
Dr Alan McDevitt, deputy chairman of the BMA’s Scottish General Practitioners Committee and lead on IT issues, said:
“The ease with which patient information can now be shared challenges us to come up with new ways of protecting information they have shared with us. With the growing use of electronic patient records, it is essential that we know who has looked at which records and when, so we can ensure only appropriate access.
“Although BMA Scotland is broadly supportive of the Clinical Portal Technology project, we do have concerns relating to patient confidentiality and how access to the system will be managed.
“If portals are to be accessible from computers anywhere within the NHS then it is our view that username and password access does not offer sufficient security of data.
“We are concerned that it may be commonplace for usernames and passwords to be shared between medical staff. This can often occur because staff do not receive access to systems promptly enough or are unable to reset their access out of hours.
“While this is already an issue of concern, the risk of misuse in an environment where clinical portals display much more data about many more people is considerably greater. An identity and access system is required to ensure that access is granted promptly to those who need it (after secure identity checks), that they can reset access at all times and that access is stopped when they leave or change roles.
“The BMA strongly believes that introducing tighter controls will be far more effective at limiting inappropriate access to electronic patient records than using retrospective audit in isolation.”