I've just read this article from the King’s Fund and it struck me that it is a mistake to focus on the security of digital health records. Give me a chance to elaborate on that heretical statement...
For those (all) of us with little time to spare, I’ll provide a quick summary of the article. The author (Matthew Honeyman, a researcher in the policy team) envisages the year 2021 in which a fictional patient accesses their NHS account online to adjust the visibility of their health data. They can change it from being accessible just by the clinician who created it through to every researcher on the planet being able to take a look. The author’s concern, quite rightly, is that if this control is given to patients in a climate of data-security fear, most people will block access to their records. He then predicts research grinding to a halt, commissioners having only half-cocked data on which to make decisions etc. etc. General armageddon.
I have no problem with all of this. Unfortunately, the picture painted is all too plausible. Where I differ is how to best avoid this scenario. The article’s conclusion on what is needed is this:
"...means building confidence that data won’t fall into the wrong hands, building trust by being even more transparent about what happens to health care data, how it’s processed and for what purposes."
If I’ve learnt anything whilst leading the technical side of itamus, it’s that there is no such thing as absolute data security online. This is why every few months there is another news item about a privacy breach. Generally, it involves a large organisation and, inexplicably, comes as a surprise to everyone. In fact, the larger the organisation, the more likely the breach. Just as the more keys you make for a lock, the more easily it will be opened.
So, what happens if you focus on telling the public that their public health record is absolutely secure and can’t possibly fall into the wrong hands? Well, when it does inevitably get hacked, left on a train or just given away by a disgruntled employee, we shouldn’t be surprised that confidence is rocked and everyone locks down access to their data. You said it was safe, didn’t you?
The other major problem with any focus on data security is that, from a marketing perspective, it’s bad news. Unless you are trying to breed fear (think insurance salesmen or antivirus software) it is unlikely to improve uptake of a service. Often, it simply sows the seed of doubt that may not have been there in the first place.
Instead, the focus should be entirely on the benefits of more open access to health data. There are the benefits to research leading to new medicines and understanding of diseases, benefits to healthcare planning and delivery leading to improved services and lower costs, the possibility of training exciting new artificial intelligence bots to assist clinicians… the list is hardly lacking in positive news. The security risks should be acknowledged but certainly not form any part of a marketing campaign. It’s a big ask, but if the public can understand the potential benefits of sharing as much health data as they are comfortable with, they will be more likely to accept a small level of risk. If we instead focus on the fear of data loss, assure everyone it can never happen, and then it inevitably does, the prophecy in the King’s Fund article is all too likely to come true.