I went to the doctor the other day ...

Patient records are at risk until the NHS co-ordinates its IT strategy. It's no joke, reports Barry Fox.

The next time you are having a medical check-up and your doctor is pulling up your records from his surgery computer, ask what virus protection they use.

Unless your GP is a computer hobbyist, the chances are they will look blank and say that it is all handled by someone else.

You would then be entitled to ask that 'someone else' the same question, because it is your records that could be wiped or randomly emailed round the world.

Of course it makes sense for doctors to store patients' records on a computer and be part of a national network. The NHS runs its own email service, known as NHSNet.

But doctors must choose between competing hardware, software, networking and email solutions. Changing supplier later is a logistic nightmare because there is no hope of 100 per cent accurate data transfer from one system to another.

Non-standard notes, on little things like life-threatening allergies and hereditary problems, tend to vanish without trace.

There are hundreds of local health authorities and they give different advice because there is no national IT strategy. Some of the NHS bureaucrats giving the advice are clearly out of their depth.

One told a surgery that, because they had changed computer systems, they could no longer have access to the NHSNet global address book. I helped the surgery to complain. The address book magically returned and emails started to arrive again.

But there is one thing that the NHS Information Authority (NHSIA), which runs NHSNet, makes clear: responsibility for security and virus protection is down to individual surgeries.

Overworked doctors, who don't often know about computers and don't have time to learn, must sign a draconian Code of Connection before getting hooked up to NHSNet.

By signing they undertake to install antivirus software and keep it up do date. Pity the doctor who tries to find out what this entails.

Last year the NHSIA told me: "We cannot dictate the exact nature of the virus policy to practices, or the means by which they get virus protection."

Instead, the NHSIA was sending doctors a Practical Guide to IT Security.

On viruses it advised: "Upgrade your software as new versions become available." This is nonsense; a new 'version' of software is out of date by the time it is sold and still needs online updating every few days.

One of the surgery system suppliers assured a doctor that updates to the McAfee antivirus software it had sold with the installed system were "transmitted on a monthly basis", that the surgery system was "set up to receive updates via the net" and that the "updates are then distributed to all workstations on the network within the practice".

I smelled a rat and told the doctor how to push for clear confirmation that the surgery need take no action. The supplier sent out a confusing 20-page Guidance Note, which buried the admission that "we are not able to support the McAfee product".

Through the letters column of the British Medical Journal I asked whether doctors shared my concern over security. Many did. A computer-literate doctor, who had been employed to train surgeries on security issues, told how he quit in dismay at the lack of employers' understanding.

"My practice is regarded as idiosyncratic because it will not connect to the NHS network in the routine non-secure way," he wrote. "A neighbour received 67 copies of the Love Bug virus when it was current, and another downloaded a virus which disabled all his printers."

I recently asked the NHSIA whether anything had changed to make plain English advice on viruses available. A spokeswoman, Gill Friend, first referred me to nww.nhsia.nhs.uk, which was available only via NHSNet. Doctors cannot access this site until they have signed the Code and connected to NHSNet.

I found another (www.nhsia.nhs.uk) and tried several searches for 'security advice on computer viruses'. For a laugh, try it yourself while imagining that you're a doctor without a tame IT department, and a waiting room full of sick patients.

When I tried to send the spokeswoman an email it bounced back from the NHSNet address with the error message 'routing server failure'. After some more tries I got back the reassurance that: 'There is a wealth of information for GPs about computer viruses from our NHSNet website.'

It came with the parrot disclaimer that 'installation and management of antivirus software is a local responsibility'.

When the NHSIA proudly announced in May that it had a "new central virus service" to "filter content", the news came also with the customary copout: "Implementation of these measures in no way reduces the need for organisations connected to NHSNet to maintain the highest standards of virus protection locally."

The latest news is that the government wants a consortium of software companies to "develop a common integration architecture framework".

This seems to be in addition to a £35m plan to introduce secure networking and a £5bn scheme to scrap the 400 incompatible systems in use by British hospitals and surgeries and create an electronically joined-up NHS.

Until these dreams come true, or are replaced by new dreams with new fancy names thought up by a new bunch of bureaucrats, doctors are on their own and patient records remain at risk of an accident waiting to happen.