UK Hospitals Can Now Store Confidential Patient Records In the Public Cloud (zdnet.com)
The National Health Service (NHS) has given hospitals the go-ahead to store sensitive patient records in the cloud. "NHS Digital said the advantages of using cloud services include cost savings associated with not having to buy and maintain hardware and software, and availability of backup and fast system recovery," reports ZDNet. "'Together these features cut the risk of health information not being available due to local hardware failure,' said the report." From ZDNet: Rob Shaw, deputy chief executive at NHS Digital, said: "It is for individual organizations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively." The UK government introduced a 'cloud first' policy for public sector IT in 2013, and NHS Choices and NHS England's Code4Health initiative are already successfully using the cloud. NHS Digital's guidance said that the NHS and social care providers may use cloud computing services for NHS data, although data must only be hosted within the European Economic Area, a country deemed adequate by the European Commission, or in the U.S. where covered by Privacy Shield.
Re: (Score:3)
Why would they care?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission
https://en.wikipedia.org/wiki/... [wikipedia.org]
Brexit is the prospective withdrawal of the United Kingdom (UK) from the European Union (EU).
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
The UK version of the principles of GDPR, as in the country specific legislation, which all in EU are implementing, is already agreed to be enacted. Brexit has nothing to do with it and doesn't mean it will be discarded.
Re: (Score:2)
Brexit has nothing to do with it
Brexit has something to do with it.
and doesn't mean it will be discarded.
But it means they can adapt it as they see fit:
http://www.computerweekly.com/... [computerweekly.com]
Re: (Score:2)
Brexit isn't going to change GDPR, it'll come in place before Brexit happens and such regulations will be applied in UK law. The UK was heavily involved in developing GDPR so isn't going to be looking to dodge it. Plus it's the easiest way to be considered "adequate" to keep doing business with the rest of Europe and not need some custom arrangement for data transfers.
Not sure what relevance the OP has anyway, using cloud services doesn't mean you're not compliant with GDPR or any other regulation.
Re: (Score:2)
That's why so much of the US gov/mil work is plain text, on internet facing networks.
What can possibly go wrong... (Score:3, Informative)
n/t.
Re: (Score:2)
Likely much less than what goes wrong when left up to a bunch of lowly paid doctors and administration assistants.
Re: (Score:1)
Likely much less than what goes wrong when left up to a bunch of lowly paid doctors and administration assistants.
When we find 5,000 doctors offices all get sold the same sub-standard cloud solution that gets hacked, I highly doubt it.
Re:What can possibly go wrong... (Score:5, Interesting)
Re: (Score:1, Insightful)
Doctors probably think so-called "IT" people are stupid when they come in with high blood pressure from all the Cheetos and pizza.
Are we done now, or shall we go on with unflattering generalizations?
Hint: The "stupid" users you hate so much make for a lot of support jobs.
Re:What can possibly go wrong... (Score:4, Insightful)
And some people wonder why I don't take everything doctors tell me as 'word of God'
And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.
Re: (Score:2)
And some people wonder why I don't take everything doctors tell me as 'word of God'
And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.
Generically I of course agree with you, but his examples were pretty specific. Calling tech support from the operating room to learn how to use equipment is pretty scary. It speaks to horrible judgment, however specialized and extensive your education.
Re: (Score:2)
It speaks to horrible judgment
Maybe. Maybe it also speaks to his quick thinking in an emergency where an unpredictable event forced him to do something he doesn't normally do.
Re: (Score:2)
You (and whoever else) can't seriously think that all doctors graduate top of their class and are all god-like intellects, do you? Or do you blindly do whatever they tell you to do without thinking about it at all?
Re: (Score:2)
not emergency surgery
I didn't say emergency surgery, I said emergency situation. There is a long list of routine tasks that can get turned into an emergency situation. Someone swapped out a machine, normal person who works with machine calls in sick, I mean if we trusted doctors with all their tools there wouldn't be 3 other people in every surgery.
You are drawing way too many conclusions from a lack of data on the other end of a tech support phone line.
Or do you blindly do whatever they tell you to do without thinking about it at all?
Define the alternative: Shop for a doctor whose opinions you agree with? W
Re: (Score:2)
You're utterly ridiculous. Cut back on the coffee or something.
Now you're making assumptions on my coffee intake from a forum post. You're good at this.
Probably not much more... (Score:2)
Re: (Score:2)
British National Health is a huge organisation that can easily implement their own nation-wide 'cloud' service thereby setting their own privacy and security standards without relying on outsiders, esp. leaks like the US 'Privacy Shield'.
Oh my stars and garters! (Score:2)
Yes! I can see THIS ending well!
*Facepalm*
Re: (Score:2)
Yes! I can see THIS ending well!
Compared to the alternative?
I'm not a huge cloud fan, but the servers are physically secure from any of the major vendors. All then that remains is the software security, but that's no harder in the cloud than it is locally.
Re: (Score:2)
Sure. You trust that it isn't on some server being run out of a communal basement someplace.
And you trust that the people on the other end know what they're doing.
Sorry, I don't trust.
Also, in cases of downtime, I prefer to have local access to the data.
Not have to wait on a call back while they wank for a couple of hours trying to figure out what they broke.
Re: (Score:2)
You think AWS or GCE instances are running in someone's communal basement?
Or you think that the chance of that is higher than some random doctor breaking into the hospital basement? I think you're very much mistaken. No matter the system you have to trust stuff, you're just pretending that some of the trusted things don't exist merely because they're local.
And yes. You do have to trust that ultimately people know what they're doing. How many successful attacks have there been against Google or Amazon infras
PR disaster in the making (Score:3, Insightful)
"The cloud" is setting itself up for a really huge public failure because a breach in one portion can more easily be re-used in all portions. If the back ends are consistent enough to get the economy-of-scale cloud promises, that consistency also means hackers can leverage their knowledge to get access to a larger group of systems.
This is NOT saying that on average clouds are riskier, it only means that breaches will be quite public because it will affect more organizations.
It's sort of comparable to travelling by car versus plane. Cars are overall more risky per mile, but you don't see car crashes in the news very often, at least not in proportion to those killed. But plane crashes are usually headlines. The cloud is a plane.
Re: (Score:2)
Maybe that should be the case, but the reality is quite different.
Time and again, we have seen that even serious data breaches on a massive scale have no real consequences for the negligent party, even if the data involved is highly sensitive.
Meanwhile, the NHS getting hit by WannaCry not so long ago was headline news for a long time, and rightly so given the crippling effect it had on real world patient care.
The GDPR looks like a significant overhead for small businesses and a good excuse for the EU to fin
Re: (Score:3)
Possibly but many organisations have two options:
1) Use on-premise gear which is often out-of-support, has limited patching/updating due to risk of things breaking and high cost of testing properly, probably not monitored all that well, often not configured particularly securely, managed on a cheapest outsource arrangement.
2) Use a cloud service from a company who only does that one specific thing, their entire business model hinges on them doing it well and securely. Who wrote the software so can monitor a
Re: (Score:2)
As I stated, I don't necessarily believe clouds are less secure, and don't disagree with your points from a technical standpoint. But if hundreds of companies get borked at the same time, some of them prominent, it will make the cloud look bad and the companies on it look bad.
Probably better than a bunch of WinXP Machines (Score:3, Insightful)
They "dispute" the figure of course.
Around the time of WannaCry
"A reported 90 percent of NHS trusts run at least one Windows XP device, an operating system Microsoft first introduced in 2001 and hasn't supported since 2014."
https://www.wired.com/2017/05/... [wired.com]
Re:Probably better than a bunch of WinXP Machines (Score:5, Insightful)
"At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.
Re: (Score:3)
Thank you for volunteering to foot the bill to replace a multi-ten-thousand-pound peripheral that's mechanically working but has no driver for new Windows with a multi-ten-thousand-pound replacement that has a driver for new Windows.
Re: (Score:2)
particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system
And this is the reason these devices need to run Linux, or another open-source OS
In the long term, I agree that free software is the answer. In the short term, needs to use its paid-for peripherals.
Re: (Score:3)
"At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.
Not health related, and yes we have these. Quite a few actually. *Not* spending tens to hundreds of thousands on new hardware just so you can upgrade the OS of an airgapped device to a newer version of Windows is good sense.
Re: (Score:2)
These are hospitals we're talking about, and medical equipment tends to have fewer providers because its manufacture and sale is restricted by national regulation. When all three regulator-approved providers of a particular component that is essential to your business require "buying into a locked in ecosystem", then "[n]ot buying into a locked in ecosystem" means going out of business.
Re: (Score:1)
It could, but obviously in the case of NHS and WannaCry they had a significant amount of machines running XP that were *not* air-gapped.
An air-gap also only works for network-layer stuff. Iran's centrifuges were air-gapped but still had available USB ports which allowed transmission by physical device. The devices in this case are only really safe if they never interact in any way with any other devices.
A stealth virus could work in much the same way. To be fair with that though, a modern OS still might bot
Re: (Score:1)
Yeah. I think part of this shows a pretty big need to reassess the use and longevity of major industrial and medical devices in a connected world. I've seen local hospitals with XP devices etc as well but they're not connected to anything (even then there's a risk if people are using USB devices). Obviously there's a cost but it should be considered part of maintenance because a breach or a disabling worm could lead to catastrophic downtime.
Imagine if you've got some sort of very important medical device m
D'oh (Score:2)
What could possibly go wrong?
Re: (Score:2)
What could possibly go wrong?
The universal excuse for not trying anything innovative. It's so much easier to do nothing until we get bypassed by other countries, which we can then flame for "stealing" "our" tech.
Re: (Score:3)
Outsourcing data storage is innovation? Client/server architectures are novel?
No issues (Score:3)
as long as the data is fully encrypted while sitting on or traversing cloud networks.
If they decrypt / encrypt it locally on the client or even a hospital owned proxy server, then the data should be fine.
At no point should this type of data reside on the cloud or the connecting networks outside of the hospital in any unencrypted form.
Re:No issues (Score:5, Insightful)
Re: (Score:3)
Protection from malware is an advantage of the cloud. Cloud services are much more likely to have proper, secure backups that are much less vulnerable to attack than some random organisation with a small IT department. Yes, client devices will get infected with ransomware and encrypted files will replace the originals in the cloud. Who's more likely to have good backups: underfunded IT in the next building or a cloud provider?
Not saying I don't have serious reservations about putting personal data in for
Re: No issues (Score:2)
Malware will hit locally owned data just as hard and fast as it will Cloud data. The hospitals hit recently with the ransomware crap come to mind.
Make sure your Cloud provider is doing backups or, better yet, use more than one provider.
We all know how this is gonna turn out, right? (Score:1)
Re: (Score:2)
Find out what most people will need to be medicated with long term and offer new expensive medical support for that.
The data sets will be a marketing dream for any new sales pitch to the UK gov.
Screw it, may as well (Score:2)
On an associated subject: with all the advances being made with neural interfaces, how long do y'all think it'll be before they have ransomware for your w
Russia/China will offer cheap off-shoring... (Score:4, Interesting)
And I am sure they will keep that data safe, and well back-up-ed, given how valuable it might become when tinkering with the next election or blackmailing the next politician.
Re: (Score:1)
Just like this [sfgate.com].
Cost savings is largely a myth (Score:1)
For any deployment of reasonable size, the cloud is not economical. Yes it does save you from having to hire hardware jockeys, but you have to replace them all with experts in cloud provisioning and configuration. For the UK NHS to move to the cloud is going to cost them a boatload of money.
At least all those pounds sterling will likely pay for actual security and robustness, but it’s nothing they couldn’t have gotten by spending even less to build and maintain it themselves.
This American craves online medical records (Score:2)
One of the first rules of database design is to capture every piece of data only once, and then keep it secure. I don't want to have to tell every new doctor I visit my medical history all over again from the beginning, and then keep regurgitating it every year for every practitioner. If information like my age when I had measles is important, we can't keep running the risk that I will start getting the date wrong as the years go by.
I want an online medical jacket that contains my entire history, accessible
Re: This American craves online medical records (Score:1)
Your bank and your brokerage would lose a lot of money and clients should it happen thus they spend a lot on security and hiring talent.
The NHS won't lose clients as a result of a data breach/hack. They will get a slap on the wrist and issue an apology. They can't be fined as in their current state they can't afford it.
They spend little on IT and what talent they have is hamstrung by red tape to the extent they get bent over by ransomware.
Apples and oranges don't make for a good comparison.
It'll be fine, they all leaked already: (Score:3)
https://www.google.com/search?... [google.com]