One of the NHS's major suppliers is upgrading its GP records system and moving millions of patient data to Amazon's cloud. EMIS Group is one of four principal suppliers to the NHS. Its health suite is used by 10,000 organisations and holds more than 40 million records. The firm today announced that it is upgrading its …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Page:

Friday 30th November 2018 16:07 GMT Commswonk

Bullshit Alert

"This will also allow new solution providers with interesting technologies such as artificial intelligence to overcome the traditional barriers to market entry, leveraging the interoperability at the heart of our new architecture," he said.

I'm not sure I want my records stored by a company that can put out garbage like that.

Where's the mind bleach?

65 0 Reply
1. Friday 30th November 2018 23:12 GMT robidy
  
  Re: Bullshit Alert
  
  Err erm, how are my or anyone else's medical records out of scope of the US Patriot act in AWS?
  
  El Reg, this is something we UK citizens need help answering?
  
  34 0 Reply
  1. Saturday 1st December 2018 00:05 GMT JohnFen
    
    Re: Bullshit Alert
    
    "how are my or anyone else's medical records out of scope of the US Patriot act in AWS?"
    
    If those records are being kept in servers on US soil, then they are absolutely in scope and will remain so. Further, if the Patriot act is invoked to get at those records, nobody outside of Amazon will be told.
    
    However, if those records are encrypted and the keys aren't available to Amazon, then what the government would get is a bunch of encrypted data.
    
    11 0 Reply
    1. Saturday 1st December 2018 01:38 GMT Mark 85
      
      Re: Bullshit Alert
      
      This also presumes that someone has set the access to said servers and locked them down instead of leaving them in the default settings like we've heard about here on El Reg.
      
      20 0 Reply
      1. Saturday 1st December 2018 23:57 GMT 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921
        
        Re: Bullshit Alert
        
        ...not if my experience of NHS "systems" is anything to go by, they couldn't even secure MSAccess.
        
        14 5 Reply
    2. Saturday 1st December 2018 09:39 GMT Anonymous Coward
      
      Re: Bullshit Alert
      
      And what EMIS could get is sued under the data protection act. The records cannot be kept outside the EU so they will need to ensure they on to specific regions inside AWS. Whatever safe harbour is calling itself today it is still not valid.
      
      17 0 Reply
      1. Monday 3rd December 2018 19:59 GMT Anonymous Coward
        
        Re: Bullshit Alert
        
        The records cannot be kept outside the EU so they will need to ensure they on to specific regions inside AWS.
        
        ---------------------------------------------------------------------
        
        Doesn't matter.
        
        AWS is from a US firm, thus the CLOUD act says they have to hand it over to US agencies.
        
        2 0 Reply
      2. Tuesday 4th December 2018 04:57 GMT Anonymous Coward
        
        Re: Bullshit Alert
        
        So when the U.K. leaves the EU they will not be able to host the U.K. data in the U.K.?
        
        0 0 Reply
    3. Monday 3rd December 2018 12:18 GMT Peter Gathercole
      
      Re: Bullshit Alert
      
      "...the keys aren't available"
      
      Someone please correct me. If this data is encryped, but being used by cloud based analysis applications, then those cloud based applications must have the keys necessary to access the data (I accept that using the data from, for example, GP surgerys. there is scope for keys to be on the surgery's systems, and presented for every request, but that does not cope with bulk analysis mentioned here).
      
      And they're in the same cloud, so if someone really wants the data, they half inch the data and the keys (OK, you could go down the rabbit hole of needing a key to decrypt the key store in the cloud, but how often do you go round this loop until you must store a key somewhere readable).
      
      So where is the security?
      
      I'm sure I must have missed something, so I'm asking for someone to point out where I'm being stupid?
      
      6 0 Reply
      1. Monday 3rd December 2018 13:04 GMT Anonymous Coward
        
        Re: Bullshit Alert
        
        We use exchange online for processing UK medical insurance claims, all traffic to the cloud goes through a gateway server in-house that does pass through encryption, so all the records stored in the cloud are encrypted with their own individual AES 256 key which never leaves our physical control.
        
        The obvious downsides are we still need a small server room so can't go full ~~crazy~~ cloud and we are responsible for backing up the keys securely.
        
        The legal beagles have gone through this setup with a fine-toothed comb and barring some new case law popping up they think its good for the foreseeable future.
        
        2 2 Reply
        
        Monday 3rd December 2018 13:28 GMT Peter Gathercole
        
        Re: Bullshit Alert
        
        OK. Thanks for your scenario. You're using only cloud storage, I can understand that. Encrypted as it goes to/from the cloud, and never actually used in the cloud. Cheap storage, but to do any volume analysis, will be very expensive on data transfer costs.
        
        But actually running the application in the cloud? Or using cloud-based desktop (not mentioned here, I'm extrapolating)? In these cases, the keys need to be in the cloud.
        
        OK. Encrypted region within a cloud domain? You're trusting the cloud provider cannot be coerced to hand the data and the keys over to some TLA or hacker, and backed up by a warranty which will not exceed the cost of the service (even if you can prove that the data's been nabbed?) This cannot be considered a good move.
        
        0 0 Reply
      2. Monday 3rd December 2018 20:01 GMT Anonymous Coward
        
        Re: Bullshit Alert
        
        I'm sure I must have missed something, so I'm asking for someone to point out where I'm being stupid?
        
        -------------------------
        
        No, you are right.
        
        As for the keys, the US agencies can simply demand the decrypted data from Amazon, under the CLOUD act. And IIRC, Amazon can't tell anyone they have handed it over.
        
        4 0 Reply
    4. Monday 3rd December 2018 19:58 GMT Anonymous Coward
      
      Re: Bullshit Alert
      
      If those records are being kept in servers on US soil, then they are absolutely in scope and will remain so. Further, if the Patriot act is invoked to get at those records, nobody outside of Amazon will be told.
      
      However, if those records are encrypted and the keys aren't available to Amazon, then what the government would get is a bunch of encrypted data.
      
      ---------------------------------------------------------------------------------------------
      
      And how are the keys not going to be in the cloud servers delivering the applications?
      
      And the CLOUD act says US agencies must have access to any data available to any US corporation, no matter where it resides.
      
      2 0 Reply
    5. Tuesday 4th December 2018 01:42 GMT Alan Brown
      
      Re: Bullshit Alert
      
      "If those records are being kept in servers on US soil, then they are absolutely in scope and will remain so"
      
      It doesn't matter if they are on US soil or not. if they are kept on servers operated by a US _COMPANY_ then they are in scope.
      
      And by "US company" - I mean "any company which does business and has an office in the USA", which includes a surprising number of European outfits.
      
      1 0 Reply
  2. Saturday 1st December 2018 19:24 GMT Local Laddie
    
    Storing PII Data in AWS (S3)
    
    When selecting a location to store your Data on AWS - You need to choose a region (which has multiple redundancy) and your data is then stored in physical data centres in the geographic boundaries of that region (Region EU-West-2 is the UK).
    
    My understanding of the US Patriot Act is that it currently does not apply to data and data centers physically in the UK.
    
    The US Cloud Act is may be a different matter entirely!
    
    9 0 Reply
    1. Sunday 2nd December 2018 21:09 GMT Tom Chiverton 1
      
      Re: Storing PII Data in AWS (S3)
      
      "EU-West-2 is the UK"
      
      Not for long!
      
      #Brexit
      
      8 2 Reply
      1. Sunday 2nd December 2018 21:52 GMT JaimieV
        
        Re: Storing PII Data in AWS (S3)
        
        London's leaving the UK?
        
        4 3 Reply
        
        Monday 3rd December 2018 10:17 GMT BebopWeBop
        
        Re: Storing PII Data in AWS (S3)
        
        Well it will not be EU!
        
        3 1 Reply
        
        Monday 3rd December 2018 13:06 GMT Anonymous Coward
        
        Re: Storing PII Data in AWS (S3)
        
        >London's leaving the UK?
        
        There are some genuine ... umm, lets be nice and say "confused" people who have mooted it. Whatever you may think of Brexit the idea of London becoming a self governning city state is absurd and would be a disaster for everyone except rich financiers. Who could clear off to their 2nd homes in their helicopters anyway when the food and water started to run out.
        
        1 0 Reply
        
        Monday 3rd December 2018 13:53 GMT Anonymous Coward
        
        Re: Storing PII Data in AWS (S3)
        
        You have this all wrong. London is going to become part of Scotland, and will then join the EU as such. The current sticking point is whether Scotland will need a long tendril which reaches down to London (the A1, in other words) or whether topologically-disconnected countries are OK (when not separated by sea).
        
        3 0 Reply
        
        Monday 3rd December 2018 16:11 GMT Ken 16
        
        Re: Storing PII Data in AWS (S3)
        
        I thought England and Wales were leaving the United Kingdom???
        
        2 0 Reply
        
        Monday 3rd December 2018 13:22 GMT charlieboywoof
        
        Re: Storing PII Data in AWS (S3)
        
        Its not in the UK
        
        0 0 Reply
      2. Monday 3rd December 2018 14:58 GMT easytoby
        
        Re: Storing PII Data in AWS (S3)
        
        "EU-West-2 is the UK" - yes, London.
        
        0 0 Reply
    2. Monday 3rd December 2018 21:15 GMT robidy
      
      Re: Storing PII Data in AWS (S3)
      
      Correct me if I'm wrong but the US Patriot Act covers US corporations regardless of server location.
      
      The act covers corporations not their location...otherwise there would be some massive data centres in Canada and Mexico to avoid it.
      
      1 0 Reply
    3. Tuesday 4th December 2018 01:42 GMT Alan Brown
      
      Re: Storing PII Data in AWS (S3)
      
      "My understanding of the US Patriot Act is that it currently does not apply to data and data centers physically in the UK."
      
      Your understanding is flat out wrong.
      
      1 0 Reply
  3. Monday 3rd December 2018 14:57 GMT easytoby
    
    Re: Bullshit Alert
    
    I assume they will be on a London AWS instance(s), not US
    
    0 0 Reply
Friday 30th November 2018 16:26 GMT Anonymous Coward

Cloud of Confusion

I've always wondered whether people who consider this kind of cruft to be a good idea have cloud formations inside their own head where the gray matter should be.

35 0 Reply
1. Friday 30th November 2018 21:56 GMT John Brown (no body)
  
  Re: Cloud of Confusion
  
  For that matter, do Amazon have BitBarns inside the post_Brexit borders?
  
  3 0 Reply
  1. Saturday 1st December 2018 18:36 GMT jamesdagger
    
    Re: Cloud of Confusion
    
    Yep. eu-west-2 region aka London.
    
    5 0 Reply
Friday 30th November 2018 16:30 GMT Craig (well, I was until The Reg changed it to Craig 16)

Interoperability be damned

"Part of the aim is to encourage new businesses into the market, which is currently dominated by four suppliers – TPP SystmOne, EMIS Web, INPS Vision and Microtest Evolution – and offer care providers greater choice"

Snake-oil sales-cretin: "Choose our fandabbydozy clinical system and it'll make your life wonderful! Guaranteed a billionty one times better than EMIS/SystmOne (others are available) at getting patients in and out faster!"

(small print around 1 point text and in white on white: "This clinical system will barely co-operate with your printers and will certainly never work with any other NHS clinical system outside of manually retyping things between computers. Oh and don't try to install it on anything other than Windows Millenium Edition with an obscure 2005 release of Java and open access to t'interweb.)

There must be a hard interoperability clause in any clinical system approval into the NHS. If it can't talk to the core clinical systems already approved then it doesn't get in the door.

20 0 Reply
1. Monday 3rd December 2018 11:44 GMT sebbb
  
  Re: Interoperability be damned
  
  What if I tell you that SystmOne ship with its own "hidden" JRE version 1.6.0_04?
  
  And there is no other clinical software out there that's less crap than these four.
  
  4 0 Reply
Friday 30th November 2018 17:03 GMT Pascal Monett

Just a minute there

It starts out by saying "unprecedented levels of protection", and then we get this :

"Clinicians working in any location with any third-party technology will be able to view and share vital patient information safely and ethically"

So you're telling me that any 3rd party app is going to be able to hook into this data container that has "unprecedented levels of protection" ?

Because zero protection is not exactly unprecedented, and anything more is going to be a big hassle for 3rd party apps to be able to use.

40 1 Reply
1. Friday 30th November 2018 17:13 GMT Commswonk
  
  Re: Just a minute there
  
  Clinicians working in any location with any third-party technology will be able to view and share vital patient information safely and ethically
  
  More bullshit. The upshot of the above is that individual patients' data can finish up <Deity> knows where with no protection whatsoever. Will all this "third-party technology" be properly and securely tracked? Not that that would prevent the leaking of patient data, of course.
  
  Dreadful idea... <shudder>
  
  30 1 Reply
2. Friday 30th November 2018 21:59 GMT JohnFen
  
  Re: Just a minute there
  
  Don't worry! Those third party apps will have to engage in authentication to ensure they're authorized. They recognize that this poses an addition burden on app developers, though, and so to mitigate that they've decided the authentication will be a simple, standardized password: "password".
  
  11 1 Reply
  1. Saturday 1st December 2018 08:33 GMT DavCrav
    
    Re: Just a minute there
    
    "standardized password: "password"."
    
    That's hideously insecure and now deprecated. We know that all passwords need a number and a capital letter. The new standard is 'Password1'.
    
    (This is not actually a joke. A friend of mine used the password 'guitars' until he was forced to abide by new rules. He chose the password 'Guitars1'. Much safer. I was unsuccessful in convincing him it was not that much safer.)
    
    7 0 Reply
    1. Monday 3rd December 2018 16:22 GMT JohnFen
      
      Re: Just a minute there
      
      "I was unsuccessful in convincing him it was not that much safer."
      
      I believe you're mistaken in saying "not that much safer". In reality, it's not any safer at all. But you're dealing with someone who is using a single word (that's in the dictionary, no less) as their password -- so obviously they couldn't care less about being secure in the first place.
      
      2 0 Reply
3. Saturday 1st December 2018 21:19 GMT Doctor Syntax
  
  Re: Just a minute there
  
  "unprecedented levels of protection"
  
  It's probably a fair description. It's just unprecedented in a way you don't want it to be.
  
  12 0 Reply
Friday 30th November 2018 17:04 GMT A.P. Veening

Switch over

"A spokeswoman said the transfer would be module by module, not a whole system switchover, which El Reg presumes is meant to reassure folk there won't be an IT disaster involving the billions of health-related documents held by EMIS."

This isn't reassuring to me, I foresee databases getting out of sync. And that is going to be extremely nice when one medication interacts with another and the prescription for each being in a different database due to that out of sync situation.

I've already seen similar things in a previous job. Fortunately, it didn't involve medication and lives. And due to a confidentiality clause in my contract, I can't tell anything more about it.

9 3 Reply
Friday 30th November 2018 17:28 GMT sad_loser

Half-baked babble

This is going to go catastrophically wrong, and will be a magnet for ne'er do wells.

There are companies in this space who operate private clouds and that is fine - I even think it is fine to have cloud based back-up, and I could see a role for cloud-based dockers providing the front end, but hosting the data? I don't see this ending happily - there is a reason the banks are not on the cloud.

17 0 Reply
1. Saturday 1st December 2018 21:20 GMT Doctor Syntax
  
  Re: Half-baked babble
  
  "I even think it is fine to have cloud based back-up"
  
  What about all those reports of stuff found hanging out online unencrypted and unsecured which turned out to be cloud based back-ups. And even if properly secured still vulnerable to US "we own the world" legislation.
  
  3 0 Reply
Friday 30th November 2018 17:30 GMT Severus

Shifting patient records to the cloud requires approval from NHS Digital

This would be the same NHS digital that presided over the Wannacry Clusterphuq that affected 45 NHS organisations including at least 81 out of 236 trusts across England plus a further 603 primary care and other NHS organisations including 595 GP practices would it? Well they obviously couldn't find their own @rses with both hands and a mirror on a stick, so should NOT be making this decision, the security services should be responsible for ensuring the data is secure. As it stands I may as well put my own health records up for sale and get a couple of quid for them because sure as the sun sets in the evening these records WILL be compromised and sold to the highest bidder.

9 5 Reply
1. Saturday 1st December 2018 09:43 GMT Anonymous Coward
  
  Re: Shifting patient records to the cloud requires approval from NHS Digital
  
  NHS Digital have no say over trusts at all, they definitely have no say of GP practices, the majority of which are private businesses. As it stands it is always best to check facts before you go off on a rant.
  
  8 0 Reply
  1. Saturday 1st December 2018 21:20 GMT Doctor Syntax
    
    Re: Shifting patient records to the cloud requires approval from NHS Digital
    
    "As it stands it is always best to check facts before you go off on a rant."
    
    Never. It just gets in the way.
    
    8 0 Reply
  2. Monday 3rd December 2018 11:47 GMT sebbb
    
    Re: Shifting patient records to the cloud requires approval from NHS Digital
    
    It depends, because although lots of GPs are private businesses, they are often fed IT by a CCG/CSU, which are quite rubbish in some things (just to mention, Wannacry problem was that there was no firewalling on the private network routers between WAN and GPs LAN, i.e. tcp/139 and 445 open for fun!)
    
    0 0 Reply
    1. Monday 3rd December 2018 15:01 GMT easytoby
      
      Re: Shifting patient records to the cloud requires approval from NHS Digital
      
      The EMIS contract claims that EMIS owns the patient data anyway, claim the customer is renting from EMIS.
      
      0 0 Reply
  3. Monday 3rd December 2018 13:06 GMT Dan 55
    
    Re: Shifting patient records to the cloud requires approval from NHS Digital
    
    NHS Digital have no say over trusts at all, they definitely have no say of GP practices, the majority of which are private businesses. As it stands it is always best to check facts before you go off on a rant.
    
    So what are they there for then?
    
    0 0 Reply
Friday 30th November 2018 17:53 GMT alain williams

USA Patriot act

Amazon is a USA company and thus subject to the Patriot Act, so once it is on their servers it would, if asked by the USA government, have to hand it over.

17 1 Reply
1. Saturday 1st December 2018 09:45 GMT Anonymous Coward
  
  Re: USA Patriot act
  
  The Amazon they are dealing with probably isn’t Amazon US though so the Patriot Act would have no force. The same way Microsoft aren’t handing over data on servers in Ireland, different company for tax also means diffe4ent company legally.
  
  0 1 Reply
  1. Saturday 1st December 2018 21:24 GMT Doctor Syntax
    
    Re: USA Patriot act
    
    "the Patriot Act would have no force"
    
    But the CLOUD Act would.
    
    4 0 Reply
  2. Sunday 2nd December 2018 20:59 GMT SImon Hobson
    
    Re: USA Patriot act
    
    Would that be the same Microsoft that "just handed over" data located on servers in Ireland once the US passed the CLOUD act ?
    
    https://www.theregister.co.uk/2018/04/04/microsoft_agrees_doj_cloud_act_renders_email_battle_moot/
    
    As such, the Feds issued a fresh warrant under the CLOUD Act instead and – hey presto – Microsoft responded.
    
    If there was the legal and technical separation claimed, then Microsoft in the US would not have been able to access the data, and Microsoft Europe would have refused to hand it over. Also, the recent SNAFUs affecting Microsoft's authentication services prove that there is no technical separation as claimed since an outage of a server in the US would be unable to affect users not supposedly connected to the US. If a user authenticates using a server in the US, then subverting that authentication process can over-ride any supposed technical separation.
    
    7 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Topics

Special Features

Vendor Voice

Resources

COMMENTS

Page:

Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Re: Bullshit Alert

Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Storing PII Data in AWS (S3)

Re: Bullshit Alert

Cloud of Confusion

Re: Cloud of Confusion

Re: Cloud of Confusion

Interoperability be damned

Re: Interoperability be damned

Just a minute there

Re: Just a minute there

Re: Just a minute there

Re: Just a minute there

Re: Just a minute there

Re: Just a minute there

Switch over

Half-baked babble

Re: Half-baked babble

Shifting patient records to the cloud requires approval from NHS Digital

Re: Shifting patient records to the cloud requires approval from NHS Digital

Re: Shifting patient records to the cloud requires approval from NHS Digital

Re: Shifting patient records to the cloud requires approval from NHS Digital

Re: Shifting patient records to the cloud requires approval from NHS Digital

Re: Shifting patient records to the cloud requires approval from NHS Digital

USA Patriot act

Re: USA Patriot act

Re: USA Patriot act

Re: USA Patriot act

Page:

POST COMMENT House rules

Enter your comment

Add an icon

Other stories you might like

KPMG bags £8.5M NHS gig as cheerleader for Federated Data Platform rollout

AWS must pay $525M to cloud storage patent holder, says jury

US-EAST-1 region is not the cloudy crock it's made out to be, claims AWS EC2 boss

Irish power crunch could be prompting AWS to ration compute resources

Snowmobile, Amazon's truck-powered migration service, reaches the end of the road

UK govt office admits ability to negotiate billions in cloud spending curbed by vendor lock-in

AWS severs connection with several hundred staff

Amazon to lure upstarts with $500K in AWS AI credits each

GenAI will be bigger than the cloud or the internet, Amazon CEO hopes

INC Ransom claims responsibility for attack on NHS Scotland

Microsoft hiring Inflection team triggers interest from EU's antitrust chief

Stability AI reportedly ran out of cash to pay its bills for rented cloudy GPUs

About Us

Our Websites

Your Privacy