UK Hospitals Can Now Store Confidential Patient Records In the Public Cloud

The National Health Service (NHS) has given hospitals the go-ahead to store sensitive patient records in the cloud. "NHS Digital said the advantages of using cloud services include cost savings associated with not having to buy and maintain hardware and software, and availability of backup and fast system recovery," reports ZDNet. "'Together these features cut the risk of health information not being available due to local hardware failure,' said the report." From ZDNet: Rob Shaw, deputy chief executive at NHS Digital, said: "It is for individual organizations to decide if they wish to use cloud and data offshoring but there are a huge range of benefits in doing so, such as greater data security protection and reduced running costs when implemented effectively." The UK government introduced a 'cloud first' policy for public sector IT in 2013, and NHS Choices and NHS England's Code4Health initiative are already successfully using the cloud. NHS Digital's guidance said that the NHS and social care providers may use cloud computing services for NHS data, although data must only be hosted within the European Economic Area, a country deemed adequate by the European Commission, or in the U.S. where covered by Privacy Shield.

Re:

[ls671]

Why would they care?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission

https://en.wikipedia.org/wiki/... [wikipedia.org]

Brexit is the prospective withdrawal of the United Kingdom (UK) from the European Union (EU).

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[mrbester]

The UK version of the principles of GDPR, as in the country specific legislation, which all in EU are implementing, is already agreed to be enacted. Brexit has nothing to do with it and doesn't mean it will be discarded.

Re:

[ls671]

Brexit has nothing to do with it

Brexit has something to do with it.

and doesn't mean it will be discarded.

But it means they can adapt it as they see fit:
http://www.computerweekly.com/... [computerweekly.com]

Re:

[Computershack]

Brexit has nothing to do with it. There is currently a bill going through Parliament that will implement all current EU laws at the time of our exit in March into UK law.

Re:

[pacman on prozac]

Brexit isn't going to change GDPR, it'll come in place before Brexit happens and such regulations will be applied in UK law. The UK was heavily involved in developing GDPR so isn't going to be looking to dodge it. Plus it's the easiest way to be considered "adequate" to keep doing business with the rest of Europe and not need some custom arrangement for data transfers.

Not sure what relevance the OP has anyway, using cloud services doesn't mean you're not compliant with GDPR or any other regulation.

Re:

[niks42]

They also might remember the Health and Social Care Act of 2015 which makes a hospital liable if patient care is adversely affected by not sharing patient data with another hospital.

Re:

[AHuxley]

If one company gets to encrypt for the gov then other contractors cant get the money thats on the table.
Thats why so much of the US gov/mil work is plain text, on internet facing networks.

What can possibly go wrong...

[toonces33]

n/t.

Re:

[thegarbz]

Likely much less than what goes wrong when left up to a bunch of lowly paid doctors and administration assistants.

Re:

[Anonymous Coward]

Likely much less than what goes wrong when left up to a bunch of lowly paid doctors and administration assistants.

When we find 5,000 doctors offices all get sold the same sub-standard cloud solution that gets hacked, I highly doubt it.

Re:What can possibly go wrong...

[Rick Schumann]

Having worked for a medical device company (device incorporated a computer running Windows; not my choice, man!) and having had to provide tech support for it, I can attest to the fact that despite doctors having 8+ years of schooling, they very often can be quite dumb especially when it comes to computers and operational security procedures. Seriously, when you have your device show back up at your company for service and it's got virii and/or malware installed on it because so-called 'medical professionals' were browsing the internet (porn) on it, you must conclude they weren't very smart. Then there's the time I get a call from a doctor from the operating room (no lie; I heard the beep.. beep.. beep.. of the patients' heart monitor) expecting me walk him through how to operate the device because he couldn't be bothered to learn how to do it beforehand. And some people wonder why I don't take everything doctors tell me as 'word of God'.

Re:

[Anonymous Coward]

Doctors probably think so-called "IT" people are stupid when they come in with high blood pressure from all the Cheetos and pizza.

Are we done now, or shall we go on with unflattering generalizations?

Hint: The "stupid" users you hate so much make for a lot of support jobs.

Re:

[Rick Schumann]

Idiot, you think that's the ONLY example I have? You expect me to write something the size of War and Peace just to satisfy your shitty expectations? Fuck off.

Re:What can possibly go wrong...

[thegarbz]

And some people wonder why I don't take everything doctors tell me as 'word of God'

And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.

Re:

[cascadingstylesheet]

And some people wonder why I don't take everything doctors tell me as 'word of God'

And we'll continue to do so. You're comparing someone's knowledge of some completely unrelated skill to something they spent years honing at medical school. I'm a safety systems engineer. The fact I haven't a clue how to knit a sweater and have no intention of ever putting any effort into learning how to knit a sweater doesn't make me a worse engineer as a result.

Generically I of course agree with you, but his examples were pretty specific. Calling tech support from the operating room to learn how to use equipment is pretty scary. It speaks to horrible judgment, however specialized and extensive your education.

Re:

[thegarbz]

It speaks to horrible judgment

Maybe. Maybe it also speaks to his quick thinking in an emergency where an unpredictable event forced him to do something he doesn't normally do.

Re:

[Rick Schumann]

No. We're talking about eye surgery, not emergency surgery, and we're talking about an ophthalamic ultrasound machine. I wouldn't trust any doctor to do a damned thing to me if he couldn't be smart enough to know how his tools work before cutting on me.

You (and whoever else) can't seriously think that all doctors graduate top of their class and are all god-like intellects, do you? Or do you blindly do whatever they tell you to do without thinking about it at all?

Re:

[thegarbz]

not emergency surgery

I didn't say emergency surgery, I said emergency situation. There are a long list of routine tasks that can get turned into an emergency situation. Someone swapped out a machine, normal person who works with machine calls in sick, I mean if we trusted doctors with all their tools there wouldn't be 3 other people in every surgery.

You are drawing way too many conclusions from a lack of data on the other end of a tech support phone line.

Or do you blindly do whatever they tell you to do without thinking about it at all?

Define the alternative: Shop for a doctor who's opinions you agree with? W

Re:

[Rick Schumann]

You're utterly ridiculous. Cut back on the coffee or something.

Re:

[thegarbz]

You're utterly ridiculous. Cut back on the coffee or something.

Now you're making assumptions on my coffee intake from a forum post. You're good at this.

Re:

[Rick Schumann]

It's irresponsible for someone in the position of a surgeon to not to understand the tools (s)he needs to use before actually operating on a patient, and it's also not very smart.

Re:

[niks42]

Doctors are very educated people - spent most of their 20s in higher education, and they do look down their noses at IT people. They think they understand computers, and this may be their problem. I have endless debates with clinicians about doing 'skills transfer' of my knowledge and experience to more junior members of staff - why can't they do the job I do? I have to bite my lip to stop making pointed remarks about having spent 40 years working in IT, I know that skills transfer is not something that can

Probably not much more...

[Roger W Moore]

...than letting hundreds of hospitals store their own records individually on their own systems with variable levels of IT security competence in the teams managing them.

Re:

[Teun]

For which there is no valid reason.
British National Health is a huge organisation that can easily implement their own nation-wide 'cloud' service thereby setting their own privacy and security standards without relying on outsiders, esp. leaks like the US 'Privacy Shield'.

Re:

[niks42]

If only there were some National body in the NHS UK ... we could call it NHS Digital for instance, who you might charge with the task of setting up some data centres, using some third parties like Accenture, CSC (now DXC), BT and Fujitsu to provide them ..

Oh my stars and garters!

[Chas]

Yes! I can see THIS ending well!

*Facepalm*

Re:

[serviscope_minor]

Yes! I can see THIS ending well!

compared ot the alternative?

I'm not a huge cloud fan, but the servers are physically secure from any of the major vendors. All then that remains is the software security, but that's no harder in the cloud than it is locally.

Re:

[Chas]

Sure. You trust that it isn't on some server being run out of a communal basement someplace.
And you trust that the people on the other end know what they're doing.

Sorry, I don't trust.

Also, in cases of downtime, I prefer to have local access to the data.
Not have to wait on a call back while they wank for a couple of hours trying to figure out what they broke.

Re:

[serviscope_minor]

you think AWS or GCE instances are running in someone's communal basement?

Or you think that the chance of that is higher than some random doctor breaking into the hospital basement? I think you're very much mistaken. No matter the system you have to trust stuff, you're just pretending that some of the trusted things don't exist merely because they're local.

And yes. You do have to trust that ultimately people know what they're doing. How many successful attacks have there been against Google or Amazon infras

PR disaster in the making

[Tablizer]

"The cloud" is setting itself up for a really huge public failure because a breach in one portion can more easily be re-used in all portions. If the back ends are consistent enough to get the economy-of-scale cloud promises, that consistency also means hackers can leverage their knowledge to get access to a larger group of systems.

This is NOT saying that on average clouds are riskier, it only means that breaches will be quite public because it will affect more organizations.

It's sort of comparable to travelling by car versus plane. Cars are overall more risky per mile, but you don't see car crashes in the news very often, at least not in proportion to those killed. But plane crashes are usually headlines. The cloud is a plane.

Re:

[Anonymous Brave Guy]

Maybe that should be the case, but the reality is quite different.

Time and again, we have seen that even serious data breaches on a massive scale have no real consequences for the negligent party, even if the data involved is highly sensitive.

Meanwhile, the NHS getting hit by WannaCry not so long ago was headline news for a long time, and rightly so given the crippling effect it had on real world patient care.

The GDPR looks like a significant overhead for small businesses and a good excuse for the EU to fin

Re:

[pacman on prozac]

Possibly but many organisations have two options:
1) Use on-premise gear which is often out-of-support, has limited patching/updating due to risk of things breaking and high cost of testing properly, probably not monitored all that well, often not configured particularly securely, managed on a cheapest outsource arrangement.
2) Use a cloud service from a company who only does that one specific thing, their entire business model hinges on them doing it well and securely. Who wrote the software so can monitor a

Re:

[Tablizer]

As I stated, I don't necessarily believe clouds are less secure, and don't disagree with your points from a technical standpoint. But if hundreds of companies get borked at the same time, some of them prominent, it will make the cloud look bad and the companies on it look bad.

Probably better than a bunch of WinXP Machines

[phorm]

They "dispute" the figure of course.

Around the time of WannaCry

"A reported 90 percent of NHS trusts run at least one Windows XP device, an operating system Microsoft first introduced in 2001 and hasn't supported since 2014."

https://www.wired.com/2017/05/... [wired.com]

Re:Probably better than a bunch of WinXP Machines

[tepples]

"At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.

Re:

[tepples]

Thank you for volunteering to foot the bill to replace a multi-ten-thousand-pound peripheral that's mechanically working but has no driver for new Windows with a multi-ten-thousand-pound replacement that has a driver for new Windows.

Re:

[The123king]

And this is the reason these devices need to run Linux, or another open-source OS

Re:

[tepples]

particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system

And this is the reason these devices need to run Linux, or another open-source OS

In the long term, I agree that free software is the answer. In the short term, needs to use its paid-for peripherals.

Re:

[jezwel]

"At least one" could refer to one air-gapped PC in the whole department that runs a particular application or device driver whose publisher refuses to make available a version compatible with a more recent version of Windows or a competing operating system at a reasonable or any price.

Not health related, and yes we have these. Quite a few actually. *Not* spending tens to hundred of thousands on new hardware just so you can upgrade the OS of an airgapped device to a newer version of Windows is good sense.

Re:

[tepples]

These are hospitals we're talking about, and medical equipment tends to have fewer providers because its manufacture and sale is restricted by national regulation. When all three regulator-approved providers of a particular component that is essential to your business require "buying into a locked in ecosystem", then "[n]ot buying into a locked in ecosystem" means going out of business.

Re:

[phorm]

It could, but obviously in the case of NHS and WannaCry they had a significant amount of machines running XP that were *not* air-gapped.

An air-gap also only works for network-layer stuff. Iran's centrifuges were air-gapped but still had available USB ports which allowed transmission by physical device. The devices in this case are only really safe if they never interact in any way with any other devices.

A stealth virus could work in much the same way. To be fair with that though, a modern OS still might bot

Re:

[niks42]

At least some of those WinXP devices are embedded in some clinical solution; one hospital I know of had a leak in to their network from a remote third party administrator logging in to a medical imaging device. They were still running WinXP since their device is a medical device that has been certified at a particular software level, and can't easily be patched or upgraded.

Re:

[phorm]

Yeah. I think part of this shows an pretty big need to reassess the use and longevity of major industrial and medical devices in a connected world. I've seen local hospitals with XP devices etc as well but they're not connected to anything (even then there's a risk if people are using USB devices). Obviously there's a cost but it should be considered part of maintenance because a breach or a disabling worm could lead to catastrophic downtime.

Imagine if you've got some sort of very important medical device m

D'oh

[Archon]

What could possibly go wrong?

Re:

[Applehu Akbar]

What could possibly go wrong?

The universal excuse for not trying anything innovative. It's so much easier to do nothing until we get bypassed by other countries, which we can then flame for "stealing" "our" tech.

Re:

[Archon]

Outsourcing data storage is innovation? Client/server architectures are novel?

No issues

[nehumanuscrede]

as long as the data is fully encrypted while sitting on or traversing cloud networks.

If they decrypt / encrypt it locally on the client or even a hospital owned proxy server, then the data should be fine.

At no point should this type of data reside on the cloud or the connecting networks outside of the hospital in any unencrypted form.

Re:No issues

[Rick Schumann]

You can encrypt it to the Nth degree and it means nothing if some ransomware re-encypts it, or other malware destroys it. And the backups.

Re:

[jaa101]

Protection from malware is an advantage of the cloud. Cloud services are much more likely to have proper, secure backups that are much less vulnerable to attack than some random organisation with a small IT department. Yes, client devices will get infected with ransomware and encrypted files will replace the originals in the cloud. Who's more likely to have good backups: underfunded IT in the next building or a cloud provider?

Not saying I don't have serious reservations about putting personal data in for

Re: No issues

[nehumanuscrede]

Malware will hit locally owned data just as hard and fast as it will Cloud data. The hospitals hit recently with the ransomware crap comes to mind.

Make sure your Cloud provider is doing backups or, better yet, use more than one provider.

We all know how this is gonna turn out, right?

[shubus]

Hacking the NHS records should turn out to be more profitable than some of the crappy ransomware going around.

Re:

[AHuxley]

Think of the heath "care" work that can be done to shape a new sales pitch the perfect new medicine to the UK gov.
Find out what most people will need to be medicated with long term and offer new expensive medical support for that.
The data sets will be a marketing dream for any new sales pitch to the UK gov.

Screw it, may as well

[Rick Schumann]

It's not like anything is safe anymore, unless it's literally offline storage -- and then only if you do a backup of your backup with a machine that's never connected to the Internet, ever. Better print out paper copies and copy those, too, just to be safe. At least until the criminal hacker organizations find a way to ransomware your paper copies, too.

On an associated subject: with all the advances being made with neural interfaces, how long do y'all think it'll be before they have ransomware for your w

Russia/China will offer cheap off-shoring...

[ffkom]

... of course not openly, but through a maze of sub-sub-sub-sub-contractors ultimately handling the "cloud" hardware the NHS information will reside on.

And I am sure they will keep that data safe, and well back-up-ed, given how valuable it might become when tinkering with the next election or blackmailing the next politician.

Re:

[Anonymous Coward]

Just like this [sfgate.com].

Cost savings is largely a myth

[Anonymous Coward]

For any deployment of reasonable size, the cloud is not economical. Yes it does save you from having to hire hardware jockeys, but you have to replace them all with experts in cloud provisioning and configuration. For the UK NHS to move to the cloud is going to cost them a boatload of money.

At least all those pounds sterling will likely pay for actual security and robustness, but it’s bothing they couldn’t have gotten by spending even less to build and maintain it themselves.

Re:

[niks42]

I've been challenged to consider a cloud solution for a Radiology refresh. The problem I have is the cost of transferring 400TB of data to the Cloud - and supporting a growth of 3TB a month for the foreseeable, and making it cheaper than the JBOD alternative.

This American craves online medical records

[Applehu Akbar]

One of the first rules of database design is to capture every piece of data only once, and then keep it secure. I don't want to have to tell every new doctor I visit my mediacal history all over again from the beginning, and then keep regurgitating it everyyear for every practitioner. If information like my age when I had measles is important, we can't keep running the risk that I will start getting the date wrong as the years go by.

I want an online medical jacket that contains my entire history, accessible

Re: This American craves online medical records

[Anonymous Coward]

Your bank and your brokerage would lose a lot of money and clients should it happen thus they spend a lot on security and hiring talent.

The NHS won't lose clients as a result of a data breech/hack. They will get a slap on the wrist and issue an apology. They can't be fined as it their current state they can't afford it.

They spend little on IT and what talent they have is hamstrung by red tape to the extent they're get bent over by ransomware.

Apples and oranges don't make for a good comparison.

It'll be fine, they all leaked already:

[DCFusor]

First google search on NHS leak records:
https://www.google.com/search?... [google.com]