Friday, November 7, 2008

UK Encryption Update

Summary: Encryption is not required for CDs given to patients in the UK

Long Version:

In the discussion on AuntMinnie on this subject, Brandon Bertolli from London provided an update of the UK situation that clarifies when encryption is expected to be used, or not used. Specifically, a note in a letter from NHS Chief Executive David Nicholson to the president of the British Orthopaedic Association, dated 29 October 2008, includes important statements:
  • "Patients can continue to be given their own images on CD to carry away with them ... provided that the CDs are given directly to the patient, they are made aware of the risks and they take responsibility for their safekeeping, there is no fundamental problem if these are not encrypted."
  • "If ... a CD needs to be used, which is possibly the case if the X-Ray is taken in a non acute setting ... then it should be encrypted ... alternatively it can be given to the patient and therefore encryption would not be necessary."
For those of us involved in teaching and research, there is another very important clarification:
  • "Naturally images will need to continue to be used for teaching, and the system for protecting data on CDs should not prevent entirely legitimate teaching activities ... if the teaching is outside the clinical environment then as long as the data on the CD contains no patient identifiable information then there is no need for it to be encrypted."
These are very important and sensible clarifications, which should ease the concerns that some folks have had about the potential negative impact of privacy protection in the UK on safety and convenience, and the practicality of long-term accessibility of password-based encrypted media.

It seems very clear that the NHS is taking action primarily for transfers between organizations and between providers, which is as it should be. But the need for encryption can still not be dismissed lightly and is described in the letter as "good practice" even for CDs for patients. So we do need to make sure that we promote the appropriate standards for media creation vendors to implement so as to avoid the NHS or anybody else needing to adopt proprietary schemes for such transfers.

But the sky over Britain's CD users is not falling after all.

David

PS. Here is the scanned-in text of the letter and the accompanying note (with thanks to Miss Clare Marx, who kindly provided a copy of the entire letter):

6 comments:

David Clunie said...

The RCR has issued guidance on this matter:

RCR Practical Guidance for Radiologists and Clinical Users Regarding PACS CD Encryption

Nick James, UK said...

I recently received an encrypted CD with images for a patient who had been transferred to be imported onto our PACS.
I knew it was encrypted.. It was printed on the CD.
I knew the password.. That was printed on the CD too!!
It was worth a wry smile

Research Paper said...

Many institutions limit access to their online information. Making this information available will be an asset to all.

michael said...

Hi there,
the question arises as to how one can track the amount of radiation being delivered, either to the population, or at a site, or to an individual, and hence benchmark one's own performance then make improvements to the process. Surprisingly, though devices have long been required to provide visual feedback to the operator at the console, it has proven remarkably difficult to get this information out of the scanners and into some sort of database or registry that can be searched or monitored.
Thanks

David Clunie said...

Hi Michael

Not sure why you left this comment about radiation dose tracking on the UK Encryption Update thread ... perhaps you meant to leave it with the more recent Dose Matters thread.

Anyhow, if you look at that entry you will find a bunch of stuff about exactly what you are asking for (for example, my OCR tool to extract structured information from the dose screens).

David Clunie said...

The link RCR Practical Guidance for Radiologists and Clinical Users Regarding PACS CD Encryption is dead. For historical purposes, you can find an archived copy here.

A potential replacement is Standards for patient confidentiality and RIS and PACS.

See also the NHS Policy guidelines on use of encryption to protect person identifiable and sensitive information.