Remote access to patient records and security of android apps

Mary Hawking maryhawking at
Sat Jan 14 09:10:35 GMT 2012

From: Tony Naggs [mailto:tony.naggs at] 

TN: I am not familiar with "SystemOne", and it is not clear from the article
what the Android application would be used for. Clearly managing one's
calendar, accessing email or editing patient notes have different
confidentiality issues.

MH: SystmOne (TPP and supplied under the CSC LSP - Local Service Provider -
contract is a "one record per patient" (SSEPR Single Shared Electronic
Patient Record) electronic record system designed to be the record of prime
entry for not only GP practices but also other primary care and other
organisations e.g. community nursing, child health services, speech and
language therapy etc.: it has even been used for a referrals management
centre. The organisations using the record share content on a security
level: every consultation is given a security level of 1-5 (1 low, 5 high)
and the default for most things is 3. The sharing and security level need
not be reciprocal. 

It is being aggressively promoted in the areas where CSC holds the LSP
contract - Northe, Midlands and East.

The app referred to is one to directly access the individual live patient
record which is held on a central server.

TN: In principle an Android tablet could access a smartcard, as the SIM card
in an Android phone is a form of Smartcard - but I have not noticed any
tablet computers advertised with Smartcard slot. Also some Android phones
are starting to have NFC (Near Field Communications) interfaces that could
talk to Smartcards that work wirelessly (similar to an Oyster card).

I am also concerned about how whether the data is securely encrypted when
sent over the the WiFi or 3G data network.

MH: I hope the data is encrypted (it is normally sent over the N3 network)
but I don't have any information one way or the other. I believe contactless
smartcards have been discussed for use in secondary care, but sorry, no
information on that either!

The article seems to envisage using any Android tablet - so unless there is
a universal means of  getting an Android tablet to recognise a smartcard
(using Gem Authenticate) and this can be incorporated into the app, I do not
see how a smartcard can be used - and how the user can be authenticated to
the level the NHS has been saying is necessary to prevent illegitimate
access to patient records.

Mary Hawking 
"thinking - independent thinking - is to humans as swimming is to cats: we
can do it if we really have to."  Mark Earles on Radio 4.  




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ukcrypto mailing list