NHS plans to share data, "leaks will inevitably happen"
England's National Health Service (NHS) is planning to share the medical records of 55 million individuals with third parties, in a move that is attracting strong criticism from digital rights campaigners.
Unless individuals opt out by June 23rd by informing their GP practice, their personal medical records will be shared from July 1st onwards.
NHS Digital has said it will not collect patients’ names, addresses or any data that could directly identify patients (such as NHS number, date of birth or full postcode). It will collect data about diagnoses, symptoms, test results, medications and allergies, including information about physical, mental and sexual health, and data on sex, ethnicity and sexual orientation.
The NHS Digital website states that the data will be used to research the long-term impact of COVID-19 on the population, analyse healthcare inequalities and develop new treatments for serious illnesses.
However digital rights campaigners have raised alarms that the NHS has not stated who they would be sharing the data with. Foxglove, an organisation formed by legal experts who previously helped launch a lawsuit against the UK Government over data sharing with private US corporation Palantir, have written to the Department of Health and Social Care, questioning the lawfulness of the plans under data protection laws and threatening legal action.
Monitor the data supply chain
David Sygula, Senior Cybersecurity Analyst at CybelAngel says that while this move from the NHS provides some strong benefits from an academic research standpoint, data collection on this scale is problematic. "[It creates] a new set of risks for individuals, where their Personal Health Information (PHI) is exposed to third-party data breaches.
"The extent of the unsecured database problem is growing. It's not simply an NHS issue, but the NHS' third, fourth or further removed parties too, and how they will ensure the data is securely handled by all suppliers involved. These security policies and processes absolutely need to be planned well in advance and details shared with both third parties and individuals."
Sygula adds that it must be assumed there will be data breaches. "Several mechanisms must be put in place, starting with the anonymisation of data, as data leaks will inevitably happen. Security researchers, attackers, and rogue states have all put in place processes to identify unsecured databases and will rapidly find leaked information.
"That's the default assumption we should start with. It's about making sure patients are not personally exposed in case of a breach, while setting up the appropriate monitoring tools to look for exposed data among the supply chain."