NHS Moving To Cloud For Security
twoheadedboy writes "The NHS, one of the biggest public sector organisations in Europe, is to use a cloud-based security model to protect its 1.3 million users. This comes amidst a big move to the cloud in the UK public sector."
I thought the NHS had 61 million users?
NHS will now hover over Europe. It's the only way to be safe from the ground-based germs.
Nothing more secure than putting confidential information online.
I don't think moving data to a cloud for security is really a good idea. How is security really improved when essentially stuff is moved to "public storage?" Maybe a private cloud?? I would say it is weakened. This is just what groups similar to LulzSec and Anonymous really want.
Now I remember why I opted out of letting my GP push my medical records to the Big Central Database.
Hopefully, that will still apply here.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Isn't "cloud-based security model" an oxymoron, or at best a non-sequitur?
Isn't moving to the cloud for security a bit like moving to heroin to deal with your nicotine addiction?
... is like moving to Seattle for the nice weather. WTF?
Like fucking for virginity
Today's weirdness is tomorrow's reason why. -- Hunter S. Thompson
It's counterintuitive, and that is why it will work.
No one would think to look for confidential information "in the clouds?"
your gravity fails and negativity don't pull you through
The "Cloud" is synonymous with security, it makes perfect sense.
"If any question why we died, Tell them because our fathers lied."
Presumably this is so that the US government has escrow (as Microsoft have recently advised us all that the US Patriot act applies to all US companies that are cloud providers irrespective of where they are doing business) and can empower any American insurance corporations and pharmaceutical companies who wish to undermine both non-profit healthcare and British research companies.
The nature of the cloud is less security. You're trading free storage for big brother / big corp to get a free peek of your data, that's it. This story was generated to make people believe that somehow cloud = secure. Complete BS
The NHS is set up clearly and specifically for reasons of public health. As soon as it allows a US private company "inside" we have a problem.
The only people working in or for public healthcare should only be interested in public healthcare. Money, IT, politics etc should be tools to get the job done without that aim being compromised.
If only...
I'll see your Constitution and raise you a Queen.
...on a tech rag no less. I wonder why? Is it really so difficult to understand that specialists can manage a network system better than a couple Bobs from the local community college?
If you have a web-based app stack and offer that to your employees, what is the difference between your company having a bunch of techies trying to run a shop like Google would, or actually letting Google run it for you?
I can see some reluctance from non-US companies, but for any U.S. based company, what is the difference?
Opinion:=TMyOpinion.Create(Me);
Because clouds are fluffy and airy and magic and untrappable; how would hackers ever hack into a cloud?
Back in the 1990's I had a summer job as a student working in our local NHS hospital's records department and they were starting to digitize the patient records then (although the main idea then was to distribute them around the hospital not further afield). Based on the complete, total and even frightening ignorance of the hardware and software system by the permanent "IT" staff I'd say centralizing the records and hiring even vaguely competent IT staff to manage it would be a huge improvement....unless of course they plan to operate it with the same staff!
Based on how the previous NHS IT projects went... I predict a huge failure.
I believe they managed to spend multiple billion pounds on the previous system and it still isn't up and running. They tried it at St George's and it still has issues.
'Cloud' security has already been used extensively in the NHS. It was mandated for the 'standard' installations of PACS (X-ray viewing) and a number of other results reporting systems. It has been a catastrophic failure.
Some of the bugs that I've seen:
1. No caching of user credentials. If the WAN link, or remote server is unavailable - no login is possible. Result: total inability to access critical systems.
2. Caching of user credentials added to system. Result: doesn't work. Catastrophic regression bugs leave login near impossible even when WAN link available.
3. Barely tested 'pre-alpha' quality software. Constant crashes of the login client software. Usually requiring a hard reboot (power off), as several system services hang and block a clean shutdown.
4. Very slow authentication. Up to 2 minutes for a login to be authenticated. Result: Unusable in busy environments e.g. ER.
4b. Consequence of 4: Shared logins condoned by IT and explicitly recommended by senior management.
4c. Consequence of 4b: Medical notes are attributed to the wrong doctor/nurse and feedback of medical errors is given to the wrong person.
4d. Further consequence of 4b: Abuse of records systems to access confidential medical records of 'celebrities'. Random people ended up disciplined, but no formal action was taken as 4b had been officially sanctioned at senior level.
5. No local information about login failure. If there was a credential problem, there was no way for local staff to investigate the reason for login failure. Faulty credentials could take days or weeks to rectify.
6. No local administration of user permissions. If the national policy did not explicitly allow a particular staff group to use a function, they could not use it, and there was no possible way to override it. E.g. only system administrators were permitted to change the brightness contrast with which an X-ray image could be displayed. If a doctor wanted to brighten an X-ray because it was too dark; or wanted to examine the lungs on an X-ray taken for the spine; they could not do it. Local administrators couldn't fix this. National administrators stuck to policy, which was for annual reviews of role permissions. Numerous (too many for me to count) mandatory, and medically essential features, were locked out in this way for 12 months, until the next annual review.
6b. Similar draconian restrictions remained in place for local administrators, and vendor tech support. Local administrators had no way of 'hiding' or 'deleting' an X-ray, mistakenly saved in the wrong patient file. If someone made a mistake and put the wrong name on, the local admin had to raise a support ticket with a national administrator who would authorize the vendor to rename the image - in the meantime (several days) the image would be visible in the wrong patient's file, causing substantial confusion. Similarly, vendor tech support were denied access to debug logs and other key features - as a result, bugs and misconfigurations were near impossible for them to fix.
7. Local administrators had no ability to authorize new users to the system. Temporary staff (to cover sickness), or new hires would have no access to the system, until they could get an appointment to visit the regional office for the national administration (many miles away, and appointments could take a week or more). The national admin staff insisted on sight of passport and 2 other forms of ID, national insurance number, 3 proofs of address, application forms countersigned by employee, immediate manager, IT manager and HR. If any one of these documents was missing - result, no login credentials.
7b. When login credentials expired after 12 months - guess what. Same thing again. Appointment for a week's time. Trip across the city, briefcase full of valuable ID documents.
These were just a few of the problems that users of the NHS 'cloud' security system faced. It was absolute chaos.
I'm now a member of an IT users group, and together we have developed recommendations for template tenders and contracts for individual NHS hospitals/doctors surgeries to use for procuring new IT systems. One of the key recommendations we make is that 'All security and authentication services must be provided locally, with full local administration.'