Slashdot Mirror


UK Hospitals Can Now Store Confidential Patient Records In the Public Cloud (zdnet.com)

The National Health Service (NHS) has given hospitals the go-ahead to store sensitive patient records in the cloud. "NHS Digital said the advantages of using cloud services include cost savings associated with not having to buy and maintain hardware and software, and availability of backup and fast system recovery," reports ZDNet. "'Together these features cut the risk of health information not being available due to local hardware failure,' said the report." From ZDNet: Rob Shaw, deputy chief executive at NHS Digital, said: "It is for individual organizations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively." The UK government introduced a 'cloud first' policy for public sector IT in 2013, and NHS Choices and NHS England's Code4Health initiative are already successfully using the cloud. NHS Digital's guidance said that the NHS and social care providers may use cloud computing services for NHS data, although data must only be hosted within the European Economic Area, a country deemed adequate by the European Commission, or in the U.S. where covered by Privacy Shield.

17 of 81 comments

  1. What can possibly go wrong... by toonces33 · · Score: 2, Informative

    n/t.

    1. Re:What can possibly go wrong... by Rick+Schumann · · Score: 4, Interesting

      Having worked for a medical device company (device incorporated a computer running Windows; not my choice, man!) and having had to provide tech support for it, I can attest to the fact that despite doctors having 8+ years of schooling, they very often can be quite dumb, especially when it comes to computers and operational security procedures. Seriously, when you have your device show back up at your company for service and it's got viruses and/or malware installed on it because so-called 'medical professionals' were browsing the internet (porn) on it, you must conclude they weren't very smart. Then there's the time I get a call from a doctor from the operating room (no lie; I heard the beep.. beep.. beep.. of the patient's heart monitor) expecting me to walk him through how to operate the device because he couldn't be bothered to learn how to do it beforehand. And some people wonder why I don't take everything doctors tell me as 'word of God'.

    2. Re:What can possibly go wrong... by thegarbz · · Score: 3, Insightful

      And some people wonder why I don't take everything doctors tell me as 'word of God'

      And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.

  2. PR disaster in the making by Tablizer · · Score: 3, Insightful

    "The cloud" is setting itself up for a really huge public failure because a breach in one portion can more easily be re-used in all portions. If the back ends are consistent enough to get the economy-of-scale cloud promises, that consistency also means hackers can leverage their knowledge to get access to a larger group of systems.

    This is NOT saying that on average clouds are riskier, it only means that breaches will be quite public because it will affect more organizations.

    It's sort of comparable to travelling by car versus plane. Cars are overall more risky per mile, but you don't see car crashes in the news very often, at least not in proportion to those killed. But plane crashes are usually headlines. The cloud is a plane.

    1. Re:PR disaster in the making by pacman+on+prozac · · Score: 2

      Possibly but many organisations have two options:
      1) Use on-premise gear which is often out-of-support, has limited patching/updating due to risk of things breaking and high cost of testing properly, probably not monitored all that well, often not configured particularly securely, managed on a cheapest outsource arrangement.
      2) Use a cloud service from a company who only does that one specific thing, their entire business model hinges on them doing it well and securely. Who wrote the software so can monitor and manage it as they completely understand it. Where it's patched and kept up-to-date.

      The eggs-in-one-basket approach isn't necessarily the worst option.

    2. Re:PR disaster in the making by Tablizer · · Score: 2

      As I stated, I don't necessarily believe clouds are less secure, and don't disagree with your points from a technical standpoint. But if hundreds of companies get borked at the same time, some of them prominent, it will make the cloud look bad and the companies on it look bad.

  3. Probably better than a bunch of WinXP Machines by phorm · · Score: 3, Insightful

    They "dispute" the figure of course.

    Around the time of WannaCry

    "A reported 90 percent of NHS trusts run at least one Windows XP device, an operating system Microsoft first introduced in 2001 and hasn't supported since 2014."

    https://www.wired.com/2017/05/...

    1. Re:Probably better than a bunch of WinXP Machines by tepples · · Score: 4, Insightful

      "At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.

    2. Re:Probably better than a bunch of WinXP Machines by tepples · · Score: 2

      Thank you for volunteering to foot the bill to replace a multi-ten-thousand-pound peripheral that's mechanically working but has no driver for new Windows with a multi-ten-thousand-pound replacement that has a driver for new Windows.

    3. Re:Probably better than a bunch of WinXP Machines by jezwel · · Score: 2

      "At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.

      Not health related, and yes we have these. Quite a few actually. *Not* spending tens to hundreds of thousands on new hardware just so you can upgrade the OS of an airgapped device to a newer version of Windows is good sense.

  4. No issues by nehumanuscrede · · Score: 2

    as long as the data is fully encrypted while sitting on or traversing cloud networks.

    If they decrypt / encrypt it locally on the client or even a hospital owned proxy server, then the data should be fine.

    At no point should this type of data reside on the cloud or the connecting networks outside of the hospital in any unencrypted form.

    1. Re:No issues by Rick+Schumann · · Score: 5, Insightful

      You can encrypt it to the Nth degree and it means nothing if some ransomware re-encrypts it, or other malware destroys it. And the backups.

    2. Re:No issues by jaa101 · · Score: 2

      Protection from malware is an advantage of the cloud. Cloud services are much more likely to have proper, secure backups that are much less vulnerable to attack than some random organisation with a small IT department. Yes, client devices will get infected with ransomware and encrypted files will replace the originals in the cloud. Who's more likely to have good backups: underfunded IT in the next building or a cloud provider?

      Not saying I don't have serious reservations about putting personal data in foreign clouds, but malware is the wrong argument against it.

  5. Russia/China will offer cheap off-shoring... by ffkom · · Score: 3, Interesting

    ... of course not openly, but through a maze of sub-sub-sub-sub-contractors ultimately handling the "cloud" hardware the NHS information will reside on.

    And I am sure they will keep that data safe, and well backed up, given how valuable it might become when tinkering with the next election or blackmailing the next politician.

  6. Re: I see the advantages by ls671 · · Score: 2

    Why would they care?

    The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission

    https://en.wikipedia.org/wiki/...

    Brexit is the prospective withdrawal of the United Kingdom (UK) from the European Union (EU).

    https://en.wikipedia.org/wiki/...

    --
    Everything I write is lies, read between the lines.

  7. It'll be fine, they all leaked already: by DCFusor · · Score: 2

    First google search on NHS leak records:
    https://www.google.com/search?...

    --
    Why guess when you can know? Measure!

  8. Re:D'oh by Archon · · Score: 2

    Outsourcing data storage is innovation? Client/server architectures are novel?