back to article NHS OKs offshoring patient data to cloud providers stateside

The UK's National Health Service has said that Brits' patient data can be stored in the cloud – and has given US data centres party to Privacy Shield the thumbs-up. In a major policy shift, NHS Digital has given care providers the go-ahead to store patient information outside Blighty in a bid to hurry them into the cloud to …

  1. wolfetone Silver badge
    Mushroom

    This can only go well.

    1. ecofeco Silver badge

      Came to say exactly the same thing.

    2. Anonymous Coward
      Anonymous Coward

      Downvote as we clearly have only been given the sensational clickbait part of the story (just like the last NHS Google scare story that was actually crucial big data early diagnosis work).

      You were meant to be outraged, that was the entire purpose of this story.

      1. DavCrav

        "You were meant to be outraged, that was the entire purpose of this story."

        Sometimes it's the story that's outrageous.

      2. Adam 52 Silver badge

        Crucial

        Is that some new definition of "crucial" that means "not really necessary at all?"

        1. CrazyOldCatMan Silver badge
          Coat

          Re: Crucial

          Yup. "Crucial" as in "Records"..

          (Yes, yes, mine's the one with the very scuffed 45RPMs in the pocket)

        2. Anonymous Coward
          Anonymous Coward

          Re: Crucial

          Nope, if you actually drilled into the details of what they were planning on doing, it was using medical records to spot patterns and lead to early diagnosis of many serious diseases.

          As it is, the Luddites pretty much put a stop to it. Lets hope you, or your loved ones never suffer from a preventable disease, just because of some Internet click-bait outraged people with some half truth sensationalism.

          1. Sir Runcible Spoon

            Re: Luddites

            This Luddite would be happy for truly anonymized data to be used thus, but as has been shown time and time again, there are ways to stitch it all back together with other datasets that completely undo all the anonymization.

            Still, since when did we have a say about what happens to *our* data. We are slaves who must do as we are bid, else we face the wrath of Khan the SJW's!!

          2. Adam 52 Silver badge

            Re: Crucial

            " it was using medical records to spot patterns and lead to early diagnosis of many serious diseases"

            No it wasn't. It was to spot certain forms of Acute Kidney Injury.

            Google and the Royal Free never explained why they needed patient identifying data to do that, and they never explained why they needed 1.6 million mostly unrelated records, nor why that data wasn't properly secured. That's probably because it wasn't necessary. As multiple independent investigations found.

          3. John Brown (no body) Silver badge

            Re: Crucial

            "Nope, if you actually drilled into the details of what they were planning on doing, it was using medical records to spot patterns and lead to early diagnosis of many serious diseases."

            Maybe so, but why would the data need to be moved to a jurisdiction where we know for a fact that foreign owned data has no protections from the local government? Maybe Google can't afford local servers where they could handle the data in line with the laws of the data source country?

    3. CrazyOldCatMan Silver badge

      This can only go well..

      ..for the US advertising, healthcare and spam industries when our data get spaffed from an insecure S3 bucket?

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Why Don't We Have a Choice ???

      because nobody ever got a big fat greasy backhander by giving the electorate choice.

    2. anothercynic Silver badge

      Re: Why Don't We Have a Choice ???

      MPs haven't even seen this... and if they have, it's likely to be buried in some report they just scanned over. And despite the current government's belief in this misplaced thing called 'the special relationship' with the US, Privacy Shield is not worth the paper it's printed on.

    3. JohnFen

      Re: Why Don't We Have a Choice ???

      "Why don't we the UK public have a choice to opt out, or state that our data is not available, or cannot be store outside the UK, and no non-UK entity can have access "

      I hope my brothers and sisters in the UK fights for this. Here in the US, we have no choice. You can be sure that pretty much all health care providers are tied into the cloud now, much to my dismay.

  3. Steve Davies 3 Silver badge
    Childcatcher

    They have totally lost it

    Oh well, that's all our data in the hands of all the US TLA's as well as some other of the usual suspects.

    Which inevitably leads to...

    We're Doomed I tell ye, doomed.

    1. Jason Bloomberg Silver badge
      Thumb Down

      Re: They have totally lost it

      We handed them all our census data so we may as well hand them all the rest.

      1. smudge

        Re: They have totally lost it

        We handed them all our census data so we may as well hand them all the rest.

        And your proof of that assertion is... ?

        1. Paul Kinsler

          Re: And your proof of that assertion is... ?

          Presumably they were referring to the involvement of the defence contractor Lockheed Martin UK, a wholly owned subsidiary of the US defence contractor Lockheed Martin, see e.g.

          https://www.theguardian.com/uk/2012/jan/27/120-convicted-census-forms-2011

          1. Anonymous Coward
            Anonymous Coward

            Re: And your proof of that assertion is... ?

            I'm also pretty confident that database developers in India have a full copy of the DWP's entire database.

  4. Anonymous Coward
    Anonymous Coward

    As an NHS employee who has decried the lack of cross-Trust patient information in the past, I can appreciate the need to store patient data in a central repository. But not out of the country FFS!

  5. Doctor Syntax Silver badge

    "That deal, which allows firms to sign up by self-certifying to the US Department of Commerce"

    Self-certify what? That they're wide open to any US official that wants access? Until the DoJ/Microsoft case is resolved we can't even be sure that data is safe with US providers even if it's never off-shored.

    The NHS needs an effective data guardian.

    1. wyatt

      Self certification is a load of toss isn't it, company I work for has just 'self certified' some Cyber aware thingy. Of course we had to pay for the privilege of being a member of the club.

      1. Anonymous Coward
        Anonymous Coward

        Privacy Shield

        Agreed. I have previously reviewed the assessment process. As far as I could tell the only assessment was whether the correct sum of money was on the bank account at the correct time. There was certainly no assessment of the actual data storage environment, the network and external audit was not allowed.

    2. JohnFen

      "Self-certify what?"

      Self-certification is exactly equal to no certification.

  6. Warm Braw

    You can tell how well though out this is...

    The NHS risk document identifies the following Government Security Classifications, intended to identify different levels of information sensitivity across government departments and their suppliers:

    • Official
    • Official-sensitive
    • Secret
    • Top-secret

    They then identify all of the various levels of sensistivity of patient information (from aggregated statistics through to clinical information and contact information for people at threat). Apart from publicly-disseminated information (such as numbers of people suffering from 'flu), everything maps to Official-Sensitive - even the key material encrypting the data because:

    Whilst we need such data to be treated to the highest standards, they do not fit into the government policy criteria for SECRET or TOP-SECRET.

    So the government, in 2014, adopted a system of security classification that is entirely inapplicable to the health data in its possession. And no doubt equally inapplicable to sensitive information about child protection, vulnerable adults, taxation and who knows what else. And is then pushing its departments to push that data out into the public cloud.

    A dispassionate observer might conclude they were concerned only with the preservation of their own secrets.

    1. Anonymous Coward
      Anonymous Coward

      Re: You can tell how well though out this is...

      FWIW this is exactly why the Caldicott guidelines were developed; existing data protection principles do not translate well into health data and the ethics of healthcare.

    2. CrazyOldCatMan Silver badge

      Re: You can tell how well though out this is...

      were concerned only with the cost of preservation of the secrets, regardless of any impact

      There, fixed.

      PS: Are the Government and all it's little tentacles still beholden to DPA/GDPR? Because it seems to me that handing such data over to people not under the rigours of GDPR is setting themselves up for a loss in either the High Court or the European Court of Human Rights..

  7. MrBoring

    If this saves millions and allows us to pay nurses more, buy more MRI scanners and get 7 day a week GPs, then i'm all for it. But all the cloud migration business cases I've seen have turned out to be more costly than doing whatever you're doing on-prem.

    1. Gary Lloyd 1
      FAIL

      "If this saves millions and allows us to pay nurses more, buy more MRI scanners and get 7 day a week GPs, AND THE DATA IS KEPT IN THE UK then i'm all for it".

      FTFY.

      It will inevitably cost more long term as we are paying for a service which we no longer control.

    2. Laura Kerr

      But, but... it's the cloud! Everyone else is doing it, so it must be good. And look! Here are some slides prepared by our world-class consultants, Churnham and Fleece, that show how much money we can save. Do pay attention.

      Oh, for goodness' sake. I haven't got time to listen to all this technical drivel and scaremongering nonsense about American interference. The Americans are our friends and would never do anything untoward with our information. They told us so.

      1. CrazyOldCatMan Silver badge

        They told us so..

        ..as my bank manager can attest.

        (He says in jest - just in case a lawyer is reading this..)

        1. Sir Runcible Spoon

          The linked-to document pretends to be some kind of decision tree to evaluate use of cloud services, but it basically pre-supposes that you *will* use the Cloud (it gives no direction as to what to do if you think it shouldn't) and that you should just be prepared to whether the public shit-storm that will ensue from a breach.

    3. Anonymous Coward
      Anonymous Coward

      "If this saves millions and allows us to pay nurses more, buy more MRI scanners and get 7 day a week GPs"

      Yeah right. Do you also believe in red buses with £350m written on the side?

      1. Anonymous Coward
        Anonymous Coward

        Yes

        I believe that there was a red bus with £350m written on the side.

    4. Anonymous Coward
      Anonymous Coward

      PLEASE don't listen to the reminders, our glorious vice-leader with the mop up his head has already clarified that the 350 milion saved per week will actually be AT LEAST twice that. Same with this deal. We'll be rich, all rich.

      Now, if we could somehow outsource all our NHS. Better still all the users of the NHS, we'd be even richer!

  8. jms222

    Response

    Putting aside issues of confidentiality for a moment, response times for hosting in the US are going to be significantly worse than for Europe. Laws of physics or something. I'd like to see a politician argue otherwise.

    1. Alister

      Re: Response

      I'd like to see a politician argue otherwise.

      <ObMalcolm_Turnbull>

      "The laws of physics are very commendable, but the only law that applies in the UK is the law of the UK"

      </ObMalcolm_Turnbull>

    2. Yet Another Anonymous coward Silver badge

      Re: Response

      response times for hosting in the US are going to be significantly worse than for Europe

      Once Britain leaves europe that will be fixed

    3. Anonymous Coward
      Anonymous Coward

      Re: Response

      As I've worked in the UK but run all my jobs (includign interactive edits/debug/etc) on servers in California for the last 3 years then while the "laws of physics" means there's a slightly slower response time than from a local server it's not noticeable so this is a pretty specious argument.

      1. Yet Another Anonymous coward Silver badge

        Re: Response

        Now do a complex inner join on 60M records with the DB app local and the data being 100ms away

  9. Aladdin Sane
    Flame

    No

    See title

  10. Queeg

    So...

    Once Max Schrems and the Court of Justice of the European Union have sunk Privacy Shield.

    Do we simply ask "Please Sir, can we have our data back?"

    by the way we still need a Sarcasm Icon

    1. Detective Emil
      Big Brother

      Re: So...

      Coincidentally, I got a mailshot from Schrems this morning to tell me about his current vehicle, myob.eu, and asking for a bung.

      1. Anonymous Coward
        Anonymous Coward

        Re: So...

        I assume he has your permission to mailshot you!

    2. Queeg

      Re: So...

      Might I suggest one of the following.

      http://static.adweek.com/adweek.com-prod/wp-content/uploads/sites/2/2016/06/BewareOfSarcasm.jpg

      https://pbs.twimg.com/profile_images/591312552669351937/USRF3YMB.jpg

      http://refe99.com/wp-content/uploads/2014/09/Life-Love-Quotes-Sarcasm-Because-Beating.jpg

      https://ih0.redbubble.net/image.131276572.2426/flat,800x800,075,f.u2.jpg

      http://goodquotesword.com/images/92077/z4i_quotes_about_being_s.jpg

      Please feel free to add your own.

  11. peterm3
    FAIL

    Data protection?

    If you use the NHS, it seems like the Govt decides what to do with your data. The data is also sold on without permission.

    I've always wanted to sign up with a false name, it seems they don't give a f*ck about patient confidentiality.

    1. Adam 52 Silver badge

      Re: Data protection?

      So what are you doing about it? Have you complained? Have you written the the ICO? Have you moaned to your MP? Have you asked for an injunction prevention the sharing of your data?

      Moan as much as you like here, but unless you take action elsewhere nothing will change.

      1. Sir Runcible Spoon

        Re: Data protection?

        What are we doing about it?

        There's fuck all we can do about it, and no that isn't me being pessimistic. Please direct me to one (just one) instance where emailing your MP or writing to the ICO has had more than a 'fart in a hurricane's worth of different.

        Social media outrage and public awareness have much more effect these days, whether we like it or not.

        1. Adam 52 Silver badge

          Re: Data protection?

          There's a page here:

          https://ico.org.uk/action-weve-taken/enforcement/

          I'm not saying the ICO is anything other than mediocre, but it's not useless.

  12. Disgusted of Cheltenham

    No, Sam, GCHQ is not part of MoD

    Anyway https://www.gchq.gov.uk/privacy is quite clear

    We store your data on secure servers in the Republic of Ireland.

    1. Ken 16 Silver badge
      Coat

      Re: No, Sam, GCHQ is not part of MoD

      Where the GDPR will continue to apply after April fools day next year

      1. Sir Runcible Spoon

        Re: No, Sam, GCHQ is not part of MoD

        If UK still wants to do business with Europe, it will have to comply with GDPR too.

  13. Anonymous Coward
    Anonymous Coward

    The government should build its own data centre and use it across government, the cost savings would be enormous.

    NHS

    Police

    Courts

    HMRC

    etc...

    1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

      <quote>The government should build its own data centre...</quote>

      ...with BlackJack! And Hookers!

      And so on and so forth.

    2. Anonymous Coward
      Anonymous Coward

      Eh? I thought they had - it’s called Ark / Crown Hosting.

      I do love it when I read shit like, “greater data security protection”. Greater than what exactly??

    3. Anonymous Coward
      Anonymous Coward

      The government should build its own data centre and use it across government, the cost savings would be enormous.

      You've not being following the government's performance on ANY major project, I take it?

      If government built their own enormous data centre, it would built somewhere stupid for political reasons, be commissioned ten years later, cost three times the original budget, the cost savings would be negative, and it would inevitably turn out that they'd forgotten something vital like mains power connection, the UPS and standby, or the necessary bandwidth of data pipes. And probably built it the wrong size by three orders of magnitude plus or minus.

    4. r_c_a_d_t

      That's pretty much what UKCloud are https://ukcloud.com/ they already handle data for those entities in UK data centres.

      Surprised they weren't mentioned in the article...

  14. Zog_but_not_the_first
    Facepalm

    Whatever next?

    "Alexa - how do I diagnose this patient's condition?"

    1. John 110
      Holmes

      Re: Whatever next?

      You know that's not funny, right?

      1. Aladdin Sane

        Re: Whatever next?

        Depends if it involves the humerus.

    2. MrXavia
      Devil

      Re: Whatever next?

      Considering the number of times i've seen a GP look something up on google I would not be surprised if someone used AWS Machine Learning and Alexa to provide an interface for DR's to look up medical information fast and assist diagnostics...

      1. MachDiamond Silver badge

        Re: Whatever next?

        "Considering the number of times i've seen a GP look something up on google"

        I work on rocket guidance systems and look things up using a search engine all of the time. I'd feel better if my doctor took the time to double check something or find information on something they weren't familiar with. There is way too much to know about human physiology for any one person to have remembered. I want my doctor to be absolutely sure about my condition and not in a big hurry to prescribe a bottle of antibiotics and send me on my way.

        1. Dodgy Geezer Silver badge

          Re: Whatever next?

          Do you mind if he uses Wikipedia?

          1. MachDiamond Silver badge

            Re: Whatever next?

            "Do you mind if he uses Wikipedia?"

            Mind? I'd be scared out of my wits and looking for another doctor.

      2. Ken 16 Silver badge

        Watson

        some years ago I read here that IBM had fed Watson all medical case histories in to allow it to suggest most probably diagnoses for symptoms.

  15. Anonymous Coward
    Anonymous Coward

    Cabinet Office email has been sitting with Google for years. And they insist on penetration test information being sent to those in boxes.

  16. Anonymous Coward
    Anonymous Coward

    Does this include viewers in Scotland?

  17. Tubz Silver badge
    WTF?

    What could possibly go wrong, hmmm, lets ask all the US medical companies and government departments that have massive leaks in the couple of years. More importantly,if it does go wrong, how will it be investigated, if it even gets reported and those effected get compensation, even the NHS can't fight US lawyers !

    1. Sir Runcible Spoon

      My first thoughts on this were that the NHS was liable to be sued into oblivion in fairly short order.

  18. Salestard

    Quick as a flash

    scuse the pun...

    Just as the rest of the world starts to notice that cloud storage, particularly massive cloud storage with big security requirements, mostly isn't as cheap as you thought it was, especially when you scale it... the British public sector comes crashing through the door with both feet.

    But hey ho, better than it going to Capita

  19. Anonymous Coward
    Anonymous Coward

    One part of the reason we keep getting poor decisions by politicians is that they do not get enough knowledgeable feedback on this sort of issue. They, poor dears, are, for the most part, semi-literate (i.e. not STEM educated) and the implications of many technical issues go right over their heads.

    A challenge: how many of those complaining here about this potential clusterf**k have actually disturbed the electrons and made their views known to their MP? Tell them what you think is wrong, why you think it is wrong and what you consider the actions, rules, regulations needed are.

    I am having that conversation with my local MP and the poor dear did not understand that handing data to any US company exposes it to silent access by the US government who ignored "Safe Harbor" and will ignore "Privacy Shield".

    It needs more of those who do understand the issues to educate MP's rather than just let off steam on a forum. The MP's need hard facts and evidence of what their constituents want to counter the bureaucrats.

    </rant>

    p.s. I do not hold out much hope though, as you can not educate lard.

    1. Boris the Cockroach Silver badge
      Unhappy

      If you write to

      your MP about it, you'll just be regarded as another wack job out to ruin a great plan.

      Hint : during the 'ban air soft guns' thing a few years ago, the government cited how easy it was to convert air soft guns to real ones.

      I pointed out to our MP that a major gun manufacturer is based in the city and only 1/2 a mile from her office and that she could walk there and get expert advice within 10 mins.

      Hello special branch......

      1. Anonymous Coward
        Anonymous Coward

        Re: If you write to

        "Hint : during the 'ban air soft guns' thing a few years ago, the government cited how easy it was to convert air soft guns to real ones."

        They really said that? How could you convert a gun that fires small plastic bb's using gas/electric/springs to fire bullets? If that can be done easily, I would love to see the genius who managed it! Im sure it would be faster to craft a gun from scratch in a metalworkshop..

        It never ceases to amaze me how ignorant MP's are about what they vote on...

        And it scares me that they think these bans actually can achieve anything except take pleasure away from the enthusiasts.

        1. Anonymous Coward
          Anonymous Coward

          Re: If you write to

          "And it scares me that they think these bans actually can achieve anything"

          It makes it look like they are doing something. You know, like saving the world by declaring war on plastic bags or taxing food containing calories.

  20. YARR
    Thumb Down

    Data globalisation -> Russia wins

    The proles may have voted for Brexit but that wont stop the powers that be needlessly globalising everything. That we the people aren't consulted about how our own data is stored demonstrates how our "democracy" works. If we are consulted, it will be after they've implemented it so that reversing the decision will be costly and disruptive.

    Even if cloud hosting costs are cheaper elsewhere, the data transmissions costs must be taken into account. It's probably worth paying more if the extra money is fed back into the local economy.

    If the Russians are capable of tapping transatlantic cables, data security is at risk. In the event that they cut our communication links (or if they are cut by mistake or natural causes), the NHS wont have reliable access to patient data.

  21. kain preacher

    Who did not see this coming? It's going to go to the lowest bidder or what ever is going to cost the 3rd party supplier the least amount of money. If the could the would store it in NK/India if it saved them a buck.

  22. MachDiamond Silver badge

    UK and European privacy laws

    On one hand, the UK and Europe have passed and implemented some of the most comprehensive data privacy and security laws on the planet and now a branch of the government wants to save a few quid by off-shoring its data storage? That's completely bonkers. I see that type of thinking with governments that are complaining that their birth rates are dropping and how bad that is while at the same time the news if full of how so many jobs are being lost to automation and that the prospects that there will be more jobs created in the future to replace those is low to zero.

    It's so common as to be suspect to hear in the US news that "some employee" had a laptop/memory card/external hard drive stolen, usually from their car, packed with sensitive personal data that they were taking home to work on after hours. In at least some of those incidents, there is a good probability that the data was being "stolen" to cover its being sold or if it shows up later that the theft can be ascribed as its source. Plausible deniability, baby. What happens when a load of NHS data gets lost/stolen, sold on the dark net and winds up in a data aggregators database? Nothing except the people affected are stuffed.

  23. deevee

    In the end, regardless what the government says about privacy, it always boil's down to the dollar.

    Your only defence, is not to give the government any information in the first place.

    Are we taking bets on how long before all these details are hacked and placed on the internet?

  24. Long John Brass
    Black Helicopters

    On the bright side

    When the inevitable happens and the great, the good and the powerful find all their medical histories published in a poorly secured S3 bucket they will understand why people were making such a big fuss over data security.

    Would T. Mays mammogram be considered NSFW?

    1. Anonymous Coward
      Anonymous Coward

      Re: On the bright side

      Long John Brass, why are you thinking about Teresa Mays mammories?

  25. RobertLongshaft

    In case you missed it MI5 already allows the NSA and CIA to spy on every man women and child in the UK and feed the juicy information back to them.

    And you are worried about the NHS using a cloud datacentre in the US?

    1. This post has been deleted by its author

    2. Adam 52 Silver badge

      To bring this back from conspiracy theory territory, the government explicitly refused to remove health data from the Investigatory Powers Act.

  26. Tigra 07

    So now the NSA has my dental and medical records and probably has more knowledge on me than my doctor?

  27. Anonymous Coward
    Anonymous Coward

    It puts the burden of risk assessments on to the care providers

    does the ter "care providers" refer to them hospitals and stuff that got locked out of "their" data (aka MY DATA, YOU F....ERS! by that crypto virus, some of them, twice?

  28. Anonymous Coward
    Anonymous Coward

    we would like to thank the NHS

    on behalf of all our 3-letter-agencies, it's so much more convenient to have it on the plate!

  29. David Roberts
    Facepalm

    All together children

    There's a hole in my bucket......

  30. Flywheel

    "not having to buy and maintain hardware and software"

    That'll have the Suits opting in faster than you can say "whip out my gall bladder". Not a f*cking clue.

  31. This post has been deleted by its author

  32. Anonymous Coward
    Anonymous Coward

    As an NHS Data Security Professional, I shall not be transfering any data outside the EU, and am definatley not using the Pan Atlantic Profits Plaster as an excuse

    However the chance to use EU cloud infrastucure, rather than the expensive UK only zones might allow some workloads to be effectivley cloud based (ofc the appropriate disclosures and legal justfication must be provided)

    but considering the ancient propriatary software and data strucutres, cloudifying this lot will take donkeys

  33. TrumpSlurp the Troll
    Trollface

    Care.data anyone

    Attempts to legislate the sale of NHS data to all and sundry caused a major outcry and were scrapped.

    So just put the data in the cloud, a quick "Oops!" and plausible deniability.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like