Kurhan - stock.adobe.com

NHS experts raise warning over patient data breach risk in registries project

Clinicians warn that the NHS England Outcome Registries Platform has poor security and is vulnerable to cyber attack, putting critical patient data at risk of being exposed

A group of NHS clinicians responsible for registries holding health information on millions of patients are warning of the risk of a major data breach through an NHS England project they claim has neglected basic IT security measures.

The programme to set up an Outcome Registries Platform (ORP) has received little attention outside the NHS, but once complete, it will see over 30 clinical registries comprising disparate highly sensitive, special category datasets that currently are held separately, moved into a single centralised repository, with the aim of improving patient care.

However, ORP is currently accessible via the public-facing internet, rather than being located on the secure Health and Social Care Network (HSCN), and is not protected by multi-factor authentication (MFA), which is stipulated by NHS security protocols.

This means a threat actor who has been able to obtain a valid credential by phishing a user or tricking them into downloading information-stealing malware would be able to access patient data. They could even conduct so-called brute force attacks – trying multiple variations of likely usernames and passwords until they hit a match.

If the ORP was to become compromised once it has assimilated multiple registries, the data of millions of patients would be impacted, including cancer patients, transplant recipients, people who have received care for major traumas, burns or spinal injuries, those living with congenital conditions such as cystic fibrosis or cleft lip and palate, and those living with life-changing conditions such as HIV.

Warning bells are being rung by the Federation of Clinical Registries (FCR), a group of registry lead healthcare professionals and technologists who are concerned at the ORP programme’s direction of travel.

An FCR representative said: “The platform that went live this year was placed on the internet without two-factor authentication (2FA), and that goes against NHS security policies that have been in place since the middle of last year – well before the system went live. It’s a specific policy that the NHS must have 2FA on all systems, and that’s notwithstanding the fact it’s also on the internet due to their flawed single platform strategy, exposing NHS data to unnecessary risk.”

Data breach

The FCR pointed to a 2023 data breach of the Trauma Audit and Research Network (TARN), which happened during a cyber attack on the University of Manchester, as an example of what could happen to ORP.

“NHS England was involved in this [incident] as well, which compromised millions of patient records. They were alerted to the risk of breach but failed to act. So, they know there is a risk of a breach, they obviously know there has been this breach, and then they go and put the ORP registry out on the internet, including the redeveloped TARN registry (now renamed NMTR), without 2FA and with other security issues,” said the FCR representative.

The FCR also cited further security concerns with vetting potential users of ORP.

“User registration and validation is managed via email, using Excel spreadsheets containing personal data, passed around on unsecured email. Passwords are being sent to users via email without any two-factor validation process. Government guidelines state systems should never do this because it’s not a secure channel. Users are able to specify what registries they want access to and what level of access. Bulk pre-registration of users is also happening. The whole process is wide-open to subversion,” said the FCR representative.

“Patients will rightly be extremely concerned that their data is being managed in this way. To protect patient data, the ORP software platform should be taken down with immediate effect until the platform has been fully reviewed and security issues addressed.”

Originally established as a registry for data about medical devices, critics also said the ORP’s scope is being expanded far beyond its original remit.

An NHS England spokesperson said: “The tracking and monitoring of devices and implants is crucial for patient safety. NHS England is committed to meeting the highest standards in cyber security and data protection, and the Outcome Registries Platform meets all appropriate security standards.”

What are clinical registries?

Clinical registries provide the information and functions necessary for the operation and management of clinical services nationally. They enable the commissioning of services, the introduction of new treatments and better identification of effective (or ineffective) treatments, a large range of quality assurance processes, research and policy development, and help ensure patient safety.

Some provide operational clinical functions for patients and clinicians. Others provide information regarding cost-effectiveness, helping identify NHS savings of hundreds of millions of pounds. They have also allowed better reporting of outlier service behaviour and harmful treatments, and have been the basis of many critically important investigations in the NHS.

The registries, which provide specialised information for over 100 conditions, have been created over the past 30 years to compensate for a lack of detail and quality-assurance in NHS data systems. In general, clinical registries were designed to understand specific medical conditions or groups of patients by clinicians working independently of the NHS with technical assistance provided by small software companies. The costs of their development were mostly borne by specialist medical associations, research grants and donations.

In many ways, registries act as a critical friend for the NHS in identifying and quantifying problems by way of independent analysis and report generation led by subject matter experts. This has meant that a few have also been the focal point for public inquiries such as the infected blood inquiry involving haemophilia patients and the report of care variation for patients with sickle cell disease.

Security questions

The FCR provided Computer Weekly with responses to questions it put to the ORP project’s senior responsible owner (SRO), Tim Briggs, national director for clinical improvement and elective recovery at NHS England.

When asked whether all required NHS security and information governance (IG) processes had been correctly followed for the ORP work, the response said: “All NHS England security and IG processes have been followed and are complete for Outcomes and Registries Programme work carried out to date.”

NHS England said ORP has been tested to the relevant cyber security credentials and that its supplier complies with the relevant security standards. The organisation said that when the contract for ORP was awarded, MFA was not a requirement for externally facing internet-based systems, but claimed MFA has now been added and will be in place in July.

The FCR said that it was not aware of any users having been informed of forthcoming changes to ORP relating to MFA, with less than two weeks before the start of July. 

The ORP programme in depth

The ORP project, initially known as medical devices outcome and registry programme (MDORP), has a somewhat complex history.

The initial decision to set it up was taken following two separate inquiries into medical mishaps – the Paterson Inquiry into crimes committed by rogue surgeon Ian Paterson, who is serving a 20-year prison sentence for subjecting over a thousand women to unnecessary breast surgery; and the Independent Medicines and Medical Devices Safety Review (IMMDSR), or Cumberledge Report, which explored the safety of synthetic mesh used for prolapse and incontinence surgeries.

Among the key recommendations of the IMMDSR was the creation of a Medical Device Information System (MDIS) to record data on all medical devices implanted or given to patients, and patient and procedure information. This data is currently held in a number of clinical registries.

In 2021, the government’s response to the IMMDSR agreed with the recommendation and called for the creation of the MDIS, but did not say how this would be done, other than by using the existing datasets held in clinical registries.

NHS Digital – as it then was – was directed to create MDIS, later renamed the Surgical Devices and Implants Information System (SDIIS), with the intention of being able to reach and identify any patients receiving medical devices should they have a safety issue necessitating a recall.

According to NHS England’s previous statements, this capability was supposed to have been in place in April 2021, but three years later, it has still not been delivered, raising concerns among the IMMDSR report authors and MPs on the Health Select Committee.

The ongoing delays, coupled with an extension of the MDORP remit to cover all NHS clinical registries – signified by the change in title to ORP – were among the factors that in September 2023 prompted the formation of the FCR group, the membership of which is made up of clinical leads representing some of the registries in scope, comprising NHS surgeons and physicians, clinical academics, scientists and technologists.

Besides the cyber security concerns detailed above, the FCR said it is concerned that the ORP is dramatically overreaching its initial remit – to focus on the physical safety of medical devices – to include far more clinical registries than was at first intended, while still not having delivered on the IMMDSR report recommendations.

The FCR claimed a number of clinical registries have come under pressure to sign draft contracts handing over sole data control of the registry to NHS England; develop an exit strategy to do so; and hand over registry staff and terminate third-party contracts, such as with software developers. The group also claimed the correct procurement process was not followed for the creation of the software platform.

The FCR said ORP’s leadership routinely tells those raising concerns they are being addressed and that a wide consultation exercise is being undertaken, but its members say they have seen no evidence of this.

We have no confidence that patient records would be protected or that ORP understands the scope and complexity of the National Haemophilia Database.
UK Haemophilia Society

The FCR accused NHS England of following an “intimidating, destructive approach” to established and world-renowned registries, and argued that the same individuals pushing the controversial Federated Data Platform (FDP) are pursuing a “dangerously flawed strategy” to take over and redevelop established registries merely to absorb their data into the FDP.

NHS England said there is no plan to take over or redevelop existing registries, nor to absorb their data into the FDP.

In response, the FCR representative said: “This is absolute nonsense and will enrage the registries. There is an enormous amount of evidence to the contrary,” citing a PA Consulting review that said: “NHS England has a priority list of new and established registries that will be reviewed with a view to consolidating on to a single platform,” and contract terms issued by NHS England to existing registries that included terms to enable the NHS “to transition to a model of automated/routine/centralised data collection for national clinical registries over a three to five-year period”.

Further, the response by SRO Briggs to the FCR’s previous questions stated: “There are over 30 registries that are fully or significantly funded by NHS England, and that are currently under review,” for inclusion into a single IT platform.

Patient groups urge a rethink

The growing controversy has also drawn the attention of patient advocacy groups, among them the Haemophilia Society UK, Haemophilia Northern Ireland and Haemophilia Scotland, which are concerned about the future of the National Haemophilia Database (NHD), one of the registries being grouped into ORP.

The NHD plays a hugely important role in tracking haemophilia and other bleeding disorders, monitoring clinical outcomes, and identifying trends and potential areas of concern among people living with such conditions.

It also played a critical role in supporting the recently concluded Infected Blood Inquiry, which investigated the contaminated blood scandal of the 1970s and 80s, in which over 30,000 people received blood transfusions or treatments that infected them with hepatitis C or HIV. Over 3,000 people have died as a result of this. It will also likely be relied upon to substantiate future medical claims, especially in cases where medical records no longer exist.

In a letter to NHS England national medical director Steve Powis, seen by Computer Weekly, Kate Burt, chief executive of the UK Haemophilia Society, and her counterparts, Nigel Hamilton and Alan Martin of Haemophilia NI and Haemophilia Scotland, said the Infected Blood Inquiry had recommended the need for the NHD to operate outside the NHS.

In his report, inquiry chair Brian Langstaff called for additional funding for the NHD if it was to continue its vital work, and while he acknowledged that one might think this meant it should be brought within the NHS, he considered there would be “little advantage” in this because it would expose the NHS to greater costs, and make the NHD subject to budget fluctuations and uncertainty.

“We believe it is crucial that all the recommendations in Sir Brian’s report are respected and implemented,” wrote Burt, Hamilton and Martin. “We are deeply concerned at the way in which this proposal has been handled. There has been no consultation with the patient organisations or the NHD, and no business case has been presented.

“We therefore have no confidence that patient records would be protected or that ORP understands the scope and complexity of the NHD,” they said. “It is important to present and future generations of people with bleeding disorders, not just those harmed through the contaminated blood scandal, that the NHD is protected and its funding-enhanced. We must learn lessons from the past and put patient voices at the heart of decision making.

“We therefore urge NHS England to immediately halt any plans for taking over the NHD. We ask you to support the Infected Blood Inquiry’s recommendations, which would allow the NHD, run by UKHCDO, to be a vital tool for achieving better patient-centred care, which we surely all want for the bleeding disorders community.”

Read more on Privacy and data protection