Softly, softly: GPDPR comes to screeching halt, indefinitely, to be reworked

UK GPs and offices can now take an August holiday. The entire process of GPs extracting their data for the NHS GP Data for Planning and Research (GPDPR) database and patients opting out has been halted–or “deferred” per the letter from Parliamentary Under Secretary of State Jo Churchill. Formally, the Data Provision Notice was withdrawn on 19 June–and quietly. That means no more deadline of 1 September–or, in fact, any deadline, right now. 

According to the letter to GPs:

Instead, we commit to start uploading data only when we have the following in place:

  • the ability to delete data if patients choose to opt-out of sharing their GP data with NHS Digital, even if this is after their data has been uploaded [This is a significant feature that is expanded on later in the letter–Ed.]
  • the backlog of opt-outs has been fully cleared
  • a Trusted Research Environment has been developed and implemented in NHS Digital [Security based on OpenSAFELY and the Office for National Statistics’ Secure Research Service best practices–Ed.]
  • patients have been made more aware of the scheme through a campaign of engagement and communication

The revised scheme will be created in collaboration with the Royal College of General Practitioners (RCGP) and the British Medical Association (BMA). One wonders why these logical steps weren’t taken before deadlines were set, moved, and about five medical associations plus at least one MP excoriated the NHS publicly. Undoubtedly more tap dancing to come. Our most recent and previous coverage here. Also Pulse and HealthcareITNews EMEA.

Weekend reading: 1/3 of global healthcare orgs ransomwared, 50%+ mobile privacy problems–BMJ study, med device insecurity

Weekend reading to make you feel insecure, indeed. Healthcare continues to be one of the most vulnerable sectors to hacking, breaches, ransomware. (It likely was one of the top 5 on the list handed to Mr. Putin in Geneva a week ago.) It doesn’t help that many organizations from providers to payers, legacy devices to apps, figuratively have a ‘Welcome Hackers’ neon sign on their doors, virtual and otherwise.

Three articles from the always interesting Healthcare Dive, two by Rebecca Pifer and the third by veteran Greg Slobodkin, will give our Readers a quick and unsettling overview:

  • According to cybersecurity company Sophos in their 16-page report, 2020 was an annus horribilis for healthcare organizations and ransomware, with 34 percent suffering a ransomware attack, 65 percent confirming the attacks encrypted their data, but only 69 percent reported that the encrypted data was restored after the ransom was paid. Costs were upward of $1 million. Their conclusion: assume you will be hit, and at least three backups. Dive 24 June
  • The BMJ found that lax or no privacy policies were a key problem with over half of mobile health apps. 23 percent of user data transmissions occurred on insecure communication protocols and 28.1 percent of apps provided no privacy policies. There’s a lot to unpack in the BMJ study by the Macquarie University (Sydney) team. Our long-time Readers will recall our articles about insecure smartphone apps dating back to 2013 with Charles Lowe’s article here as an example. Dive 16 June
  • Old medical devices, continuing vulnerability that can’t be fixed. Yes, fully functioning and legacy medical devices, often costing beaucoup bucks, are shockingly running on Windows 98 (!), Windows XP, outdated software, and manufacturers’ passwords. It’s hard to believe that Dive is writing about this as it’s been an issue this Editor’s written about since (drumroll) 2013 when TTA picked up on BBC and other reports of ‘murderous defibrillators and pacemakers’. If too far back, try 2015 with Kevin Fu’s and Ponemon’s warnings then to ‘wash their hands’ of these systems even if they’re still working. Chris Gates quoted in the article: “You can’t always bolt-on security after the fact, especially with a legacy piece of equipment — I’ve literally handed checks back to clients and told them there’s no fixing this.” Dive 23 June

What to do?

  • If you are a healthcare organization, think security first. Other organizations in finance and BPO do, locking down to excruciating points. And yes, you’ll have to pay a premium for the best IT security people, up your budgets, and lower your bureaucracy to attract them. Payers are extremely vulnerable with their wealth of PHI and PII, yet tend to skimp here.
  • Consider bringing in all your IT teams to your home country and not offshoring. Much of the hacking occurs overseas where it’s tougher to secure servers and the cloud reliably and fully.
  • Pay for regular and full probes and audits done by outside experts.
  • If you supply a mobile app–design with security and privacy first, from the phone or device to the cloud or server, including data sharing. There are companies that can assist you with this. One example is Blue Cedar, but there are others.
  • If you supply hardware and software for medical devices, think updates, patches, and tracking every bit you sell to make sure your customers do what they need to do. Even if your customer is a past one.

(Side message to NHS Digital–don’t rush your GPDPR upload to the summer holidays. Make it fourth quarter. Your GPs will thank you.)

Suggestions from our Readers wanted! While your Editor has been covering security issues since early days here, she is not an expert, programmer, or developer, nor has stayed at a Holiday Inn Express lately.

GPDPR update: GPs must set own patient opt-out date prior to 1 September extraction (updated for ‘Data Saves Lives’)

(Editor’s Note: Read till the end for Roy Lilley’s take on data and the NHS Bureaucracy. “Bureaucracy… creates delays, duplication, interfaces and costs lives.)

Is it 25 August–or earlier? Well, it depends… NHS Digital has informed GPs that, contrary to a prior announcement, the deadline for submitting those who wish to opt out of the General Practice Data for Planning and Research (GPDPR) database must be set by the GP practice, and is not 25 August. The deadline for the mass extraction remains 1 September. This puts practices into a dilemma–informing patients of their right to opt-out. setting a date for staff to process the forms, and processing the hard copy forms in time for the 1 September extraction. (And right during summer holiday time with the bank holiday on 30 August)

For patients wishing to opt-out, they must submit a type-1 opt-out form (a Word document) and send it to their GP practice via mail or email by the deadline which then submits with the data collection. If a patient wishes to opt-out after, it’s permitted but any data before the opt-out date will be collected. The National Data Opt-Out does not apply to the GPDPR. 

According to the 22 June update in Pulse,

The BMA GP Committee’s latest newsletter quoted IT lead Dr Farah Jameel as saying: ‘The public needs a clear deadline by which they can opt out, alongside clear instructions on how to do this if they so wish.

‘We have been urging the government and NHS Digital to consider making the process of opting out simpler, and in effect remove any additional burden [that] large volumes of Type 1 opt-outs could place on already under-pressure general practice.

‘We urge NHS Digital to clarify this with both the public and practices.’

Another GP from Bristol is quoted as pointing out that most opt-outs will be received last minute, jamming the practices.

In addition, each GP practice has more work to do before the extraction–a data protection impact assessment (DPIA).

The problems of patient awareness, particularly during the summer, obtaining the form, and submitting it in time remain. So, what’s the rush? This Editor closes once again with the thought that the fourth quarter would be far better timing both for the surgeries and NHS Digital.

Our prior coverage 11 June and 2 June.

Addendum: Roy Lilley’s eLetter on ‘Data Saves Lives’ (draft publication here) is a Must Read. It is a most interesting take on how the NHS is botching the opportunities around health data by drowning it in bureaucracy. The latest example is a draft document titled ‘Data Saves Lives’. A course in obfuscation where even a casual look will reveal its true awfulness. Mr. Lilley has counted 96 commitments, 10 new organizations, and six major pieces of legislation. “It is bad, bad, bad and a perfect example of why the NHS’ relationship with the IT sector is so bad.” The GPDPR gets one–one–mention in this document. Sounds like some imports from the US Congress wrote it! In any case, if you’re in UK healthcare, you should be subscribing to this free eLetter. ‘Data Saves Lives’ NHS news release may go down easier

NHS Digital GPDPR medical database data extraction start postponed from 1 July to 1 September

Facing a GP revolt and legal action, NHS Digital has postponed the extraction of patient data records from surgeries until 1 September for the General Practice Data for Planning and Research (GPDPR). Before the House of Commons on 8 June, health minister Jo Churchill announced the extension. “We will use this time to talk to patients, doctors, health charities and others to strengthen the plan, build a trusted research environment and ensure data is accessed securely.” Health secretary Matt Hancock also announced that the patient opt-out deadline, originally 23 June, will be extended (date TBD). Pulse (may require registration), NHS revised release

On 4 June, before the extension announcement, the Doctors Association UK (DAUK), the Citizens, openDemocracy, the National Pensioners Convention, and Conservative MP David Davis were among the signatories to a legal letter sent to the Department of Health and Social Care (DHSC) threatening action to halt the data collection from GPs. Pulse (may require registration)   

While Ms. Churchill, Mr. Hancock, and Simon Bolton collectively insist that the additional time will be used for consultations with patients, doctors, health charities, and others, the proof will be in both the data collection and how informed patients will be of their options. Both the opt-out date and September, given the summer holidays, aren’t much time. In this Editor’s estimation, for a major effort, the end of this year would be far better. Perhaps we should send them this poster? Additional TTA coverage 2 June.

NHS Digital GPDPR medical database plans criticized by Royal College of GPs, privacy advocates (updated 8 June)

What our UK Readers may have missed on the long bank holiday weekend. And why this matters outside the UK.  NHS Digital is being roundly criticized by privacy advocates, the Royal College of GPs (RCGP), the Doctors’ Association UK (DAUK), and individual GP surgeries on plans for creation of the General Practice Data for Planning and Research (GPDPR).

The GPDPR will compile information on 55 million patients–every patient in England registered with a GP surgery–into a database available to academic and commercial third parties for research and planning purposes. NHS has been collecting patient data on patients in a database, the General Practice Extraction Service (GPES), for the past decade. The GPDPR will replace it. Data collection on patients in England starts 1 July. What will be collected is at the end of this article as background.

The objections center on the sensitivity of the data, the short window of notification to patients, the lack of a clearly notified opt-out with sufficient time, and how it will be used.

  • The data apparently can include mental and sexual health data, criminal records (!), and other sensitive information. 
  • The short time–six weeks–between the announcement in late April (a low key affair with Matt Hancock-signed blog posts on the NHS Digital website, YouTube videos, and flyers at GP surgeries), and the start of data collection from the surgeries
  • How many patients are actually aware that this is happening and of their options is debatable. (See next two bullets)
    • If a patient didn’t pick up on it in the six-week window ending on 23 June (and go to the page with the Type 1 Opt-Out), a patient can opt out for data going forward, but cannot withdraw any data collected into the database prior to that date.
    • If a patient is in the National Data Opt-out program, their medical data will be collected anyway, since it applies to only identifiable and confidential patient information.
  • Many GPs are concerned about further erosion of the physician-patient relationship and the lack of communication to patients on how the data will be used, the ethical questions around the organizations to which it will be sold, and how patient privacy will be preserved.

The blackest mark here on NHS Digital is that the groups ostensibly involved in the development of the database–the RCGP and the British Medical Association (BMA)–are the ones sounding the alarm, along with the aforementioned DAUK and privacy groups such as MedConfidential and Foxglove. There is also a rebellion starting among London GPs. Reportedly, 36 doctors’ surgeries in Tower Hamlets, east London, will withhold data. An email is circulating to about 100 surgeries in north London questioning the legitimacy of the NHS data collection. This is despite penalties if they don’t submit.

Why does this matter if you’re not in England? Medical data–collecting, manipulating it, connecting it, finding insights, and selling it–is the Gold Rush of the 2020s. Pharma and payers as markets are just the start. Nearly every Roundup or deal this Editor covers has companies with a chunk of this gold rush. Why are telehealth companies worth their IPO/SPAC/funding prices? Why is McKesson ‘big banging’ four separate businesses into one division? Why do we follow ‘data warehouses’ like Sensyne [TTA 26 May],  Mayo Clinic’s big bet on a multi-line Remote Diagnostics and Management Platform [TTA 23 Apr], and virtual pharmacies like Capsule?  Why are insurtechs like Oscar and Bright Health hot? Why is it the #1 target of hackers?

It’s not altruistic. Services can be duplicated. Companies can be a hair away from failure. But ah, their data…the data has huge market value, even if its potential is not fully understood yet. Ask any data analytics person. Ask China, probably the most aggressive nation in collecting the health and personal data of its citizens, with Chinese capital for years now leading investment in global health tech companies.

In an article back in October 2015, this Editor described the many ways that deidentified patient data, in this case genomic data, can be identified by researchers through cross-checking via research database “beacons”, a network of servers. Referring to the 23andme and Ancestry.com collection of innocently given genomic data from consumers, this Editor proposed a Genomic Bill of Rights in 2018 and again in 2020. If this Editor, no data geek, can deduce it (hat tip to Toni Bunting back in 2015), this information has to be well known to researchers and to privacy advocates.

The controversy is just starting to ramp up. And it should. It’s about time there was a reckoning. The Guardian 30 May, 1 June

More background. According to the NHS Digital page on the GPDPR, patients will be anonymized by a process where de-identification software will replace their NHS Number, date of birth, and full postcode with unique codes produced by de-identification software. The data collected from GPs in England starting 1 July will be on: (more…)