Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Hospitals Can Now Store Confidential Patient Records In the Public Cloud (zdnet.com)

Posted by BeauHD on from the red-light-green-light dept.

The National Health Service (NHS) has given hospitals the go-ahead to store sensitive patient records in the cloud. "NHS Digital said the advantages of using cloud services include cost savings associated with not having to buy and maintain hardware and software, and availability of backup and fast system recovery," reports ZDNet. "'Together these features cut the risk of health information not being available due to local hardware failure,' said the report." From ZDNet: Rob Shaw, deputy chief executive at NHS Digital, said: "It is for individual organizations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively." The UK government introduced a 'cloud first' policy for public sector IT in 2013, and NHS Choices and NHS England's Code4Health initiative are already successfully using the cloud. NHS Digital's guidance said that the NHS and social care providers may use cloud computing services for NHS data, although data must only be hosted within the European Economic Area, a country deemed adequate by the European Commission, or in the U.S. where covered by Privacy Shield.

59 of 81 comments (clear)

  1. What can possibly go wrong... by toonces33 · · Score: 2, Informative

    n/t.

    1. Re:What can possibly go wrong... by thegarbz · · Score: 1

      Likely much less than what goes wrong when left up to a bunch of lowly paid doctors and administration assistants.

    2. Re:What can possibly go wrong... by Anonymous Coward · · Score: 1

      Likely much less than what goes wrong when left up to a bunch of lowly paid doctors and administration assistants.

      When we find 5,000 doctors offices all get sold the same sub-standard cloud solution that gets hacked, I highly doubt it.

    3. Re:What can possibly go wrong... by Rick+Schumann · · Score: 4, Interesting

      Having worked for a medical device company (device incorporated a computer running Windows; not my choice, man!) and having had to provide tech support for it, I can attest to the fact that despite doctors having 8+ years of schooling, they very often can be quite dumb especially when it comes to computers and operational security procedures. Seriously, when you have your device show back up at your company for service and it's got virii and/or malware installed on it because so-called 'medical professionals' were browsing the internet (porn) on it, you must conclude they weren't very smart. Then there's the time I get a call from a doctor from the operating room (no lie; I heard the beep.. beep.. beep.. of the patients' heart monitor) expecting me walk him through how to operate the device because he couldn't be bothered to learn how to do it beforehand. And some people wonder why I don't take everything doctors tell me as 'word of God'.

    4. Re:What can possibly go wrong... by Anonymous Coward · · Score: 1, Insightful

      Doctors probably think so-called "IT" people are stupid when they come in with high blood pressure from all the Cheetos and pizza.

      Are we done now, or shall we go on with unflattering generalizations?

      Hint: The "stupid" users you hate so much make for a lot of support jobs.

    5. Re:What can possibly go wrong... by thegarbz · · Score: 3, Insightful

      And some people wonder why I don't take everything doctors tell me as 'word of God'

      And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.

    6. Re:What can possibly go wrong... by cascadingstylesheet · · Score: 1

      And some people wonder why I don't take everything doctors tell me as 'word of God'

      And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.

      Generically I of course agree with you, but his examples were pretty specific. Calling tech support from the operating room to learn how to use equipment is pretty scary. It speaks to horrible judgment, however specialized and extensive your education.

    7. Re:What can possibly go wrong... by niks42 · · Score: 1

      Doctors are very educated people - spent most of their 20s in higher education, and they do look down their noses at IT people. They think they understand computers, and this may be their problem. I have endless debates with clinicians about doing 'skills transfer' of my knowledge and experience to more junior members of staff - why can't they do the job I do? I have to bite my lip to stop making pointed remarks about having spent 40 years working in IT, I know that skills transfer is not something that can easily be achieved. Sheesh, those Its Better Manually people thought I could perform a skills transfer of supporting a huge CRM system to a bunch of people four time zones away with a set of slides and a 2 hour conference call.

    8. Re:What can possibly go wrong... by thegarbz · · Score: 1

      It speaks to horrible judgment

      Maybe. Maybe it also speaks to his quick thinking in an emergency where an unpredictable event forced him to do something he doesn't normally do.

    9. Re:What can possibly go wrong... by Rick+Schumann · · Score: 1

      It's irresponsible for someone in the position of a surgeon to not to understand the tools (s)he needs to use before actually operating on a patient, and it's also not very smart.

    10. Re:What can possibly go wrong... by Rick+Schumann · · Score: 1

      No. We're talking about eye surgery, not emergency surgery, and we're talking about an ophthalamic ultrasound machine. I wouldn't trust any doctor to do a damned thing to me if he couldn't be smart enough to know how his tools work before cutting on me.

      You (and whoever else) can't seriously think that all doctors graduate top of their class and are all god-like intellects, do you? Or do you blindly do whatever they tell you to do without thinking about it at all?

    11. Re:What can possibly go wrong... by thegarbz · · Score: 1

      not emergency surgery

      I didn't say emergency surgery, I said emergency situation. There are a long list of routine tasks that can get turned into an emergency situation. Someone swapped out a machine, normal person who works with machine calls in sick, I mean if we trusted doctors with all their tools there wouldn't be 3 other people in every surgery.

      You are drawing way too many conclusions from a lack of data on the other end of a tech support phone line.

      Or do you blindly do whatever they tell you to do without thinking about it at all?

      Define the alternative: Shop for a doctor who's opinions you agree with? Why not self diagnose using WebMD while you're at it. My thumb hurt. I have cancer. Doctors know nothing.

    12. Re:What can possibly go wrong... by Rick+Schumann · · Score: 1

      You're utterly ridiculous. Cut back on the coffee or something.

    13. Re:What can possibly go wrong... by thegarbz · · Score: 1

      You're utterly ridiculous. Cut back on the coffee or something.

      Now you're making assumptions on my coffee intake from a forum post. You're good at this.

  2. Oh my stars and garters! by Chas · · Score: 1

    Yes! I can see THIS ending well!

    *Facepalm*

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:Oh my stars and garters! by serviscope_minor · · Score: 1

      Yes! I can see THIS ending well!

      compared ot the alternative?

      I'm not a huge cloud fan, but the servers are physically secure from any of the major vendors. All then that remains is the software security, but that's no harder in the cloud than it is locally.

      --
      SJW n. One who posts facts.
    2. Re:Oh my stars and garters! by Chas · · Score: 1

      Sure. You trust that it isn't on some server being run out of a communal basement someplace.
      And you trust that the people on the other end know what they're doing.

      Sorry, I don't trust.

      Also, in cases of downtime, I prefer to have local access to the data.
      Not have to wait on a call back while they wank for a couple of hours trying to figure out what they broke.

      --


      Chas - The one, the only.
      THANK GOD!!!
    3. Re:Oh my stars and garters! by serviscope_minor · · Score: 1

      you think AWS or GCE instances are running in someone's communal basement?

      Or you think that the chance of that is higher than some random doctor breaking into the hospital basement? I think you're very much mistaken. No matter the system you have to trust stuff, you're just pretending that some of the trusted things don't exist merely because they're local.

      And yes. You do have to trust that ultimately people know what they're doing. How many successful attacks have there been against Google or Amazon infrastructure? The evidence that they know what they're doing is pretty good. How do you know the local guys know what they're doing?

      --
      SJW n. One who posts facts.
  3. PR disaster in the making by Tablizer · · Score: 3, Insightful

    "The cloud" is setting itself up for a really huge public failure because a breach in one portion can more easily be re-used in all portions. If the back ends are consistent enough to get the economy-of-scale cloud promises, that consistency also means hackers can leverage their knowledge to get access to a larger group of systems.

    This is NOT saying that on average clouds are riskier, it only means that breaches will be quite public because it will affect more organizations.

    It's sort of comparable to travelling by car versus plane. Cars are overall more risky per mile, but you don't see car crashes in the news very often, at least not in proportion to those killed. But plane crashes are usually headlines. The cloud is a plane.

    --
    Table-ized A.I.
    1. Re:PR disaster in the making by Anonymous+Brave+Guy · · Score: 1

      Maybe that should be the case, but the reality is quite different.

      Time and again, we have seen that even serious data breaches on a massive scale have no real consequences for the negligent party, even if the data involved is highly sensitive.

      Meanwhile, the NHS getting hit by WannaCry not so long ago was headline news for a long time, and rightly so given the crippling effect it had on real world patient care.

      The GDPR looks like a significant overhead for small businesses and a good excuse for the EU to fine a few more big US companies, but for practical purposes if the government wants this outcome then the NHS might as well be above the law as far as data protection is concerned. That may be horrifying, but the average UK citizen is probably even more horrified by the idea that they might call 999 and not have an ambulance come or they might get to the emergency department and find it closed down because of malware.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:PR disaster in the making by pacman+on+prozac · · Score: 2

      Possibly but many organisations have two options:
      1) Use on-premise gear which is often out-of-support, has limited patching/updating due to risk of things breaking and high cost of testing properly, probably not monitored all that well, often not configured particularly securely, managed on a cheapest outsource arrangement.
      2) Use a cloud service from a company who only does that one specific thing, their entire business model hinges on them doing it well and securely. Who wrote the software so can monitor and manage it as they completely understand it. Where it's patched and kept up-to-date.

      The eggs-in-one-basket approach isn't necessarily the worst option.

    3. Re:PR disaster in the making by Tablizer · · Score: 2

      As I stated, I don't necessarily believe clouds are less secure, and don't disagree with your points from a technical standpoint. But if hundreds of companies get borked at the same time, some of them prominent, it will make the cloud look bad and the companies on it look bad.

      --
      Table-ized A.I.
  4. Probably better than a bunch of WinXP Machines by phorm · · Score: 3, Insightful

    They "dispute" the figure of course.

    Around the time of WannaCry

    "A reported 90 percent of NHS trusts run at least one Windows XP device, an operating system Microsoft first introduced in 2001 and hasn't supported since 2014."

    https://www.wired.com/2017/05/...

    1. Re:Probably better than a bunch of WinXP Machines by tepples · · Score: 4, Insightful

      "At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.

    2. Re:Probably better than a bunch of WinXP Machines by tepples · · Score: 2

      Thank you for volunteering to foot the bill to replace a multi-ten-thousand-pound peripheral that's mechanically working but has no driver for new Windows with a multi-ten-thousand-pound replacement that has a driver for new Windows.

    3. Re:Probably better than a bunch of WinXP Machines by jezwel · · Score: 2

      "At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.

      Not health related, and yes we have these. Quite a few actually. *Not* spending tens to hundred of thousands on new hardware just so you can upgrade the OS of an airgapped device to a newer version of Windows is good sense.

    4. Re:Probably better than a bunch of WinXP Machines by The123king · · Score: 1

      And this is the reason these devices need to run Linux, or another open-source OS

      --
      If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
    5. Re:Probably better than a bunch of WinXP Machines by niks42 · · Score: 1

      At least some of those WinXP devices are embedded in some clinical solution; one hospital I know of had a leak in to their network from a remote third party administrator logging in to a medical imaging device. They were still running WinXP since their device is a medical device that has been certified at a particular software level, and can't easily be patched or upgraded.

    6. Re:Probably better than a bunch of WinXP Machines by tepples · · Score: 1

      particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system

      And this is the reason these devices need to run Linux, or another open-source OS

      In the long term, I agree that free software is the answer. In the short term, needs to use its paid-for peripherals.

    7. Re:Probably better than a bunch of WinXP Machines by phorm · · Score: 1

      It could, but obviously in the case of NHS and WannaCry they had a significant amount of machines running XP that were *not* air-gapped.

      An air-gap also only works for network-layer stuff. Iran's centrifuges were air-gapped but still had available USB ports which allowed transmission by physical device. The devices in this case are only really safe if they never interact in any way with any other devices.

      A stealth virus could work in much the same way. To be fair with that though, a modern OS still might bot be any proof against such a method if it's an unknown vulnerability/0-day. However, if you are running a consumer OS, then part of the process of acquiring equipment should be to ensure proper hardening, patching, and eventually everygreening (retirement) schedules. I'm not saying Linux etc would be better - plenty of people still on RHEL5 - but at least with an open driver and/or open software there's a better chance of moving it up to something more modern.

    8. Re:Probably better than a bunch of WinXP Machines by tepples · · Score: 1

      These are hospitals we're talking about, and medical equipment tends to have fewer providers because its manufacture and sale is restricted by national regulation. When all three regulator-approved providers of a particular component that is essential to your business require "buying into a locked in ecosystem", then "[n]ot buying into a locked in ecosystem" means going out of business.

    9. Re:Probably better than a bunch of WinXP Machines by phorm · · Score: 1

      Yeah. I think part of this shows an pretty big need to reassess the use and longevity of major industrial and medical devices in a connected world. I've seen local hospitals with XP devices etc as well but they're not connected to anything (even then there's a risk if people are using USB devices). Obviously there's a cost but it should be considered part of maintenance because a breach or a disabling worm could lead to catastrophic downtime.

      Imagine if you've got some sort of very important medical device monitoring and keeping somebody alive and it suddenly goes down because of an attack against an unpatched exploit... scary shit.

  5. D'oh by Archon · · Score: 1

    What could possibly go wrong?

    1. Re:D'oh by Applehu+Akbar · · Score: 1

      What could possibly go wrong?

      The universal excuse for not trying anything innovative. It's so much easier to do nothing until we get bypassed by other countries, which we can then flame for "stealing" "our" tech.

    2. Re:D'oh by Archon · · Score: 2

      Outsourcing data storage is innovation? Client/server architectures are novel?

  6. No issues by nehumanuscrede · · Score: 2

    as long as the data is fully encrypted while sitting on or traversing cloud networks.

    If they decrypt / encrypt it locally on the client or even a hospital owned proxy server, then the data should be fine.

    At no point should this type of data reside on the cloud or the connecting networks outside of the hospital in any unencrypted form.

    1. Re:No issues by Rick+Schumann · · Score: 5, Insightful

      You can encrypt it to the Nth degree and it means nothing if some ransomware re-encypts it, or other malware destroys it. And the backups.

    2. Re:No issues by jaa101 · · Score: 2

      Protection from malware is an advantage of the cloud. Cloud services are much more likely to have proper, secure backups that are much less vulnerable to attack than some random organisation with a small IT department. Yes, client devices will get infected with ransomware and encrypted files will replace the originals in the cloud. Who's more likely to have good backups: underfunded IT in the next building or a cloud provider?

      Not saying I don't have serious reservations about putting personal data in foreign clouds, but malware is the wrong argument against it.

    3. Re: No issues by nehumanuscrede · · Score: 1

      Malware will hit locally owned data just as hard and fast as it will Cloud data. The hospitals hit recently with the ransomware crap comes to mind.

      Make sure your Cloud provider is doing backups or, better yet, use more than one provider.

  7. Probably not much more... by Roger+W+Moore · · Score: 1

    ...than letting hundreds of hospitals store their own records individually on their own systems with variable levels of IT security competence in the teams managing them.

    1. Re:Probably not much more... by Teun · · Score: 1

      For which there is no valid reason.
      British National Health is a huge organisation that can easily implement their own nation-wide 'cloud' service thereby setting their own privacy and security standards without relying on outsiders, esp. leaks like the US 'Privacy Shield'.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:Probably not much more... by niks42 · · Score: 1

      If only there were some National body in the NHS UK ... we could call it NHS Digital for instance, who you might charge with the task of setting up some data centres, using some third parties like Accenture, CSC (now DXC), BT and Fujitsu to provide them ..

  8. We all know how this is gonna turn out, right? by shubus · · Score: 1

    Hacking the NHS records should turn out to be more profitable than some of the crappy ransomware going around.

    1. Re:We all know how this is gonna turn out, right? by AHuxley · · Score: 1

      Think of the heath "care" work that can be done to shape a new sales pitch the perfect new medicine to the UK gov.
      Find out what most people will need to be medicated with long term and offer new expensive medical support for that.
      The data sets will be a marketing dream for any new sales pitch to the UK gov.

      --
      Domestic spying is now "Benign Information Gathering"
  9. Screw it, may as well by Rick+Schumann · · Score: 1

    It's not like anything is safe anymore, unless it's literally offline storage -- and then only if you do a backup of your backup with a machine that's never connected to the Internet, ever. Better print out paper copies and copy those, too, just to be safe. At least until the criminal hacker organizations find a way to ransomware your paper copies, too.

    On an associated subject: with all the advances being made with neural interfaces, how long do y'all think it'll be before they have ransomware for your wetware? "Nice memories you have there, friend; would be a shame if something.. happened to them.."

  10. Russia/China will offer cheap off-shoring... by ffkom · · Score: 3, Interesting

    ... of course not openly, but through a maze of sub-sub-sub-sub-contractors ultimately handling the "cloud" hardware the NHS information will reside on.

    And I am sure they will keep that data safe, and well back-up-ed, given how valuable it might become when tinkering with the next election or blackmailing the next politician.

    1. Re:Russia/China will offer cheap off-shoring... by Anonymous Coward · · Score: 1

      Just like this.

  11. Re: I see the advantages by ls671 · · Score: 2

    Why would they care?

    The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission

    https://en.wikipedia.org/wiki/...

    Brexit is the prospective withdrawal of the United Kingdom (UK) from the European Union (EU).

    https://en.wikipedia.org/wiki/...

    --
    Everything I write is lies, read between the lines.
  12. Re: I see the advantages by mrbester · · Score: 1

    The UK version of the principles of GDPR, as in the country specific legislation, which all in EU are implementing, is already agreed to be enacted. Brexit has nothing to do with it and doesn't mean it will be discarded.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
  13. Cost savings is largely a myth by Anonymous Coward · · Score: 1

    For any deployment of reasonable size, the cloud is not economical. Yes it does save you from having to hire hardware jockeys, but you have to replace them all with experts in cloud provisioning and configuration. For the UK NHS to move to the cloud is going to cost them a boatload of money.

    At least all those pounds sterling will likely pay for actual security and robustness, but it’s bothing they couldn’t have gotten by spending even less to build and maintain it themselves.

    1. Re:Cost savings is largely a myth by niks42 · · Score: 1

      I've been challenged to consider a cloud solution for a Radiology refresh. The problem I have is the cost of transferring 400TB of data to the Cloud - and supporting a growth of 3TB a month for the foreseeable, and making it cheaper than the JBOD alternative.

  14. This American craves online medical records by Applehu+Akbar · · Score: 1

    One of the first rules of database design is to capture every piece of data only once, and then keep it secure. I don't want to have to tell every new doctor I visit my mediacal history all over again from the beginning, and then keep regurgitating it everyyear for every practitioner. If information like my age when I had measles is important, we can't keep running the risk that I will start getting the date wrong as the years go by.

    I want an online medical jacket that contains my entire history, accessible to every doctor who needs to know my list of medications, including those that were tried and given up on, so that I don't have to keep imperfectly remembering whether Dr. Fuzzbucket stopped prescribing Spenditol-X because it didn't work for me, or because I had an allergic reaction.

    And no, because hackers were able to attack Target does not mean that keeping online records secure is impossible. My bank and my brokerage have operated online for years, so why can't healthcare?

    1. Re: This American craves online medical records by Anonymous Coward · · Score: 1

      Your bank and your brokerage would lose a lot of money and clients should it happen thus they spend a lot on security and hiring talent.

      The NHS won't lose clients as a result of a data breech/hack. They will get a slap on the wrist and issue an apology. They can't be fined as it their current state they can't afford it.

      They spend little on IT and what talent they have is hamstrung by red tape to the extent they're get bent over by ransomware.

      Apples and oranges don't make for a good comparison.

  15. Re: I see the advantages by ls671 · · Score: 1

    Brexit has nothing to do with it

    Brexit has something to do with it.

    and doesn't mean it will be discarded.

    But it means they can adapt it as they see fit:
    http://www.computerweekly.com/...

    --
    Everything I write is lies, read between the lines.
  16. It'll be fine, they all leaked already: by DCFusor · · Score: 2

    First google search on NHS leak records:
    https://www.google.com/search?...

    --
    Why guess when you can know? Measure!
  17. Re:I see the advantages by AHuxley · · Score: 1

    If one company gets to encrypt for the gov then other contractors cant get the money thats on the table.
    Thats why so much of the US gov/mil work is plain text, on internet facing networks.

    --
    Domestic spying is now "Benign Information Gathering"
  18. Re: I see the advantages by pacman+on+prozac · · Score: 1

    Brexit isn't going to change GDPR, it'll come in place before Brexit happens and such regulations will be applied in UK law. The UK was heavily involved in developing GDPR so isn't going to be looking to dodge it. Plus it's the easiest way to be considered "adequate" to keep doing business with the rest of Europe and not need some custom arrangement for data transfers.

    Not sure what relevance the OP has anyway, using cloud services doesn't mean you're not compliant with GDPR or any other regulation.

  19. Re: I see the advantages by niks42 · · Score: 1

    They also might remember the Health and Social Care Act of 2015 which makes a hospital liable if patient care is adversely affected by not sharing patient data with another hospital.

  20. Re: I see the advantages by Computershack · · Score: 1

    Brexit has nothing to do with it. There is currently a bill going through Parliament that will implement all current EU laws at the time of our exit in March into UK law.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams