NHS OKs offshoring patient data to cloud providers stateside

Silver badge
Mushroom

This can only go well.

54
1
Silver badge

Came to say exactly the same thing.

2
0
Anonymous Coward

Downvote as we clearly have only been given the sensational clickbait part of the story (just like the last NHS Google scare story that was actually crucial big data early diagnosis work).

You were meant to be outraged, that was the entire purpose of this story.

0
13
Silver badge

"You were meant to be outraged, that was the entire purpose of this story."

Sometimes it's the story that's outrageous.

8
0
Silver badge

Crucial

Is that some new definition of "crucial" that means "not really necessary at all?"

4
0
Silver badge

This can only go well..

..for the US advertising, healthcare and spam industries when our data get spaffed from an insecure S3 bucket?

4
0
Silver badge
Coat

Re: Crucial

Yup. "Crucial" as in "Records"..

(Yes, yes, mine's the one with the very scuffed 45RPMs in the pocket)

0
0
Anonymous Coward

Re: Crucial

Nope, if you actually drilled into the details of what they were planning on doing, it was using medical records to spot patterns and lead to early diagnosis of many serious diseases.

As it is, the Luddites pretty much put a stop to it. Let's hope you, or your loved ones, never suffer from a preventable disease, just because of some Internet click-bait outraged people with some half truth sensationalism.

0
4
Silver badge

Re: Luddites

This Luddite would be happy for truly anonymized data to be used thus, but as has been shown time and time again, there are ways to stitch it all back together with other datasets that completely undo all the anonymization.

Still, since when did we have a say about what happens to *our* data. We are slaves who must do as we are bid, else we face the wrath of Khan the SJW's!!

3
0
Silver badge

Re: Crucial

" it was using medical records to spot patterns and lead to early diagnosis of many serious diseases"

No it wasn't. It was to spot certain forms of Acute Kidney Injury.

Google and the Royal Free never explained why they needed patient identifying data to do that, and they never explained why they needed 1.6 million mostly unrelated records, nor why that data wasn't properly secured. That's probably because it wasn't necessary. As multiple independent investigations found.

5
0
Silver badge

Re: Crucial

"Nope, if you actually drilled into the details of what they were planning on doing, it was using medical records to spot patterns and lead to early diagnosis of many serious diseases."

Maybe so, but why would the data need to be moved to a jurisdiction where we know for a fact that foreign owned data has no protections from the local government? Maybe Google can't afford local servers where they could handle the data in line with the laws of the data source country?

2
0

This post has been deleted by its author

Anonymous Coward

Re: Why Don't We Have a Choice ???

because nobody ever got a big fat greasy backhander by giving the electorate choice.

33
0
Silver badge

Re: Why Don't We Have a Choice ???

MPs haven't even seen this... and if they have, it's likely to be buried in some report they just scanned over. And despite the current government's belief in this misplaced thing called 'the special relationship' with the US, Privacy Shield is not worth the paper it's printed on.

12
0
Silver badge

Re: Why Don't We Have a Choice ???

"Why don't we the UK public have a choice to opt out, or state that our data is not available, or cannot be stored outside the UK, and no non-UK entity can have access "

I hope my brothers and sisters in the UK fight for this. Here in the US, we have no choice. You can be sure that pretty much all health care providers are tied into the cloud now, much to my dismay.

5
0
Silver badge
Childcatcher

They have totally lost it

Oh well, that's all our data in the hands of all the US TLA's as well as some other of the usual suspects.

Which inevitably leads to...

We're Doomed I tell ye, doomed.

31
0
Silver badge
Thumb Down

Re: They have totally lost it

We handed them all our census data so we may as well hand them all the rest.

8
2
Silver badge

Re: They have totally lost it

We handed them all our census data so we may as well hand them all the rest.

And your proof of that assertion is... ?

1
4

Re: And your proof of that assertion is... ?

Presumably they were referring to the involvement of the defence contractor Lockheed Martin UK, a wholly owned subsidiary of the US defence contractor Lockheed Martin, see e.g.

https://www.theguardian.com/uk/2012/jan/27/120-convicted-census-forms-2011

15
0
Anonymous Coward

Re: And your proof of that assertion is... ?

I'm also pretty confident that database developers in India have a full copy of the DWP's entire database.

3
0
Anonymous Coward

As an NHS employee who has decried the lack of cross-Trust patient information in the past, I can appreciate the need to store patient data in a central repository. But not out of the country FFS!

45
1
Silver badge

"That deal, which allows firms to sign up by self-certifying to the US Department of Commerce"

Self-certify what? That they're wide open to any US official that wants access? Until the DoJ/Microsoft case is resolved we can't even be sure that data is safe with US providers even if it's never off-shored.

The NHS needs an effective data guardian.

37
0
Bronze badge

Self certification is a load of toss isn't it, company I work for has just 'self certified' some Cyber aware thingy. Of course we had to pay for the privilege of being a member of the club.

19
0
Silver badge

"Self-certify what?"

Self-certification is exactly equal to no certification.

9
0
Anonymous Coward

Privacy Shield

Agreed. I have previously reviewed the assessment process. As far as I could tell the only assessment was whether the correct sum of money was on the bank account at the correct time. There was certainly no assessment of the actual data storage environment, the network and external audit was not allowed.

5
0
Silver badge

You can tell how well thought out this is...

The NHS risk document identifies the following Government Security Classifications, intended to identify different levels of information sensitivity across government departments and their suppliers:

  • Official
  • Official-sensitive
  • Secret
  • Top-secret

They then identify all of the various levels of sensitivity of patient information (from aggregated statistics through to clinical information and contact information for people at threat). Apart from publicly-disseminated information (such as numbers of people suffering from 'flu), everything maps to Official-Sensitive - even the key material encrypting the data because:

Whilst we need such data to be treated to the highest standards, they do not fit into the government policy criteria for SECRET or TOP-SECRET.

So the government, in 2014, adopted a system of security classification that is entirely inapplicable to the health data in its possession. And no doubt equally inapplicable to sensitive information about child protection, vulnerable adults, taxation and who knows what else. And is then pushing its departments to push that data out into the public cloud.

A dispassionate observer might conclude they were concerned only with the preservation of their own secrets.

25
0
Anonymous Coward

Re: You can tell how well thought out this is...

FWIW this is exactly why the Caldicott guidelines were developed; existing data protection principles do not translate well into health data and the ethics of healthcare.

8
0
Silver badge

Re: You can tell how well thought out this is...

were concerned only with the cost of preservation of the secrets, regardless of any impact

There, fixed.

PS: Are the Government and all its little tentacles still beholden to DPA/GDPR? Because it seems to me that handing such data over to people not under the rigours of GDPR is setting themselves up for a loss in either the High Court or the European Court of Human Rights..

1
0

If this saves millions and allows us to pay nurses more, buy more MRI scanners and get 7 day a week GPs, then I'm all for it. But all the cloud migration business cases I've seen have turned out to be more costly than doing whatever you're doing on-prem.

20
5
FAIL

"If this saves millions and allows us to pay nurses more, buy more MRI scanners and get 7 day a week GPs, AND THE DATA IS KEPT IN THE UK then I'm all for it".

FTFY.

It will inevitably cost more long term as we are paying for a service which we no longer control.

22
0

But, but... it's the cloud! Everyone else is doing it, so it must be good. And look! Here are some slides prepared by our world-class consultants, Churnham and Fleece, that show how much money we can save. Do pay attention.

Oh, for goodness' sake. I haven't got time to listen to all this technical drivel and scaremongering nonsense about American interference. The Americans are our friends and would never do anything untoward with our information. They told us so.

27
0
Anonymous Coward

"If this saves millions and allows us to pay nurses more, buy more MRI scanners and get 7 day a week GPs"

Yeah right. Do you also believe in red buses with £350m written on the side?

18
1
Anonymous Coward

Yes

I believe that there was a red bus with £350m written on the side.

26
0
Anonymous Coward

PLEASE don't listen to the reminders, our glorious vice-leader with the mop up his head has already clarified that the 350 million saved per week will actually be AT LEAST twice that. Same with this deal. We'll be rich, all rich.

Now, if we could somehow outsource all our NHS. Better still all the users of the NHS, we'd be even richer!

5
0
Silver badge

They told us so..

..as my bank manager can attest.

(He says in jest - just in case a lawyer is reading this..)

1
0
Silver badge

The linked-to document pretends to be some kind of decision tree to evaluate use of cloud services, but it basically pre-supposes that you *will* use the Cloud (it gives no direction as to what to do if you think it shouldn't) and that you should just be prepared to weather the public shit-storm that will ensue from a breach.

0
0
Bronze badge

Response

Putting aside issues of confidentiality for a moment, response times for hosting in the US are going to be significantly worse than for Europe. Laws of physics or something. I'd like to see a politician argue otherwise.

13
0
Silver badge

Re: Response

I'd like to see a politician argue otherwise.

<ObMalcolm_Turnbull>

"The laws of physics are very commendable, but the only law that applies in the UK is the law of the UK"

</ObMalcolm_Turnbull>

14
0
Silver badge

Re: Response

response times for hosting in the US are going to be significantly worse than for Europe

Once Britain leaves Europe that will be fixed

10
0
Anonymous Coward

Re: Response

As I've worked in the UK but run all my jobs (including interactive edits/debug/etc) on servers in California for the last 3 years then while the "laws of physics" means there's a slightly slower response time than from a local server it's not noticeable so this is a pretty specious argument.

0
7
Silver badge

Re: Response

Now do a complex inner join on 60M records with the DB app local and the data being 100ms away

11
1
Silver badge
Flame

No

See title

5
0

So...

Once Max Schrems and the Court of Justice of the European Union have sunk Privacy Shield.

Do we simply ask "Please Sir, can we have our data back?"

by the way we still need a Sarcasm Icon

19
0
Big Brother

Re: So...

Coincidentally, I got a mailshot from Schrems this morning to tell me about his current vehicle, myob.eu, and asking for a bung.

3
0
Anonymous Coward

Re: So...

I assume he has your permission to mailshot you!

0
0

Re: So...

Might I suggest one of the following.

http://static.adweek.com/adweek.com-prod/wp-content/uploads/sites/2/2016/06/BewareOfSarcasm.jpg

https://pbs.twimg.com/profile_images/591312552669351937/USRF3YMB.jpg

http://refe99.com/wp-content/uploads/2014/09/Life-Love-Quotes-Sarcasm-Because-Beating.jpg

https://ih0.redbubble.net/image.131276572.2426/flat,800x800,075,f.u2.jpg

http://goodquotesword.com/images/92077/z4i_quotes_about_being_s.jpg

Please feel free to add your own.

1
0
FAIL

Data protection?

If you use the NHS, it seems like the Govt decides what to do with your data. The data is also sold on without permission.

I've always wanted to sign up with a false name, it seems they don't give a f*ck about patient confidentiality.

10
0
Silver badge

Re: Data protection?

So what are you doing about it? Have you complained? Have you written to the ICO? Have you moaned to your MP? Have you asked for an injunction preventing the sharing of your data?

Moan as much as you like here, but unless you take action elsewhere nothing will change.

0
0
Silver badge

Re: Data protection?

What are we doing about it?

There's fuck all we can do about it, and no that isn't me being pessimistic. Please direct me to one (just one) instance where emailing your MP or writing to the ICO has had more than a 'fart in a hurricane's' worth of difference.

Social media outrage and public awareness have much more effect these days, whether we like it or not.

1
0
Silver badge

Re: Data protection?

There's a page here:

https://ico.org.uk/action-weve-taken/enforcement/

I'm not saying the ICO is anything other than mediocre, but it's not useless.

0
0
