The Tory party has put forward a rescue plan for the NHS IT system in the wake of the latest government data losses, which were revealed over the weekend. Nine English NHS trusts have owned up to large scale losses of personal data, and although in most cases the nature of this data has yet to be revealed, City & Hackney Primary …
Data WILL leak
Every time some government spokesperson defends the proposed NHS database, they always carefully avoid mentioning a couple of things.
First, the database will not be managed by the NHS but by a commercial company via a PFI contract.
Secondly, the government will be selling access to the data to various organisations.
Both of these actions will potentially expose the data to third parties whose data security is not necessarily as good as set up in the average
More or less?
If the data is stored on, say, 6 regional databases, doesn't that just mean there are 6 times as many DBAs etc. to lose data, make a mistake etc?
DBAs To Make mistakes...
It was Doctors with USB keys loosing data. An entirely avoidable problem. Decentralising databases as suggested by the Tory party (Suddenly experts in relational databases!?) seems a very retrograde step to me.
Lansley's proposals slightly miss the point
Andrew Lansley is being slightly disingenuous with his references to theoretical access by 300K individuals - for starters they are normally called Clinicians, not "individuals".
Currently, well over 300,000 Clinicians in the NHS in England already have access to electronic and paper based patient records, with little, if any, audit trail of who is accessing what or whether they should be. Whilst the majority of Clinicians are limited to accessing locally held data, the controls around access and use vary widely across NHS Trusts, as illustrated by sharing of user logins to access systems.
The system that Andrew Lansley proposes would still enable variance in access / use / control by Clinicians at Local Trusts - this needs to be addressed as much as the controls for national access and associated operating procedures / security models.
One useful exemplar design for a national database of electronic patient records can be seen in Estonia, which is piloting an eHealth Record prior to a national roll out in 2009. Robust controls have been implemented to control access and use of medical data by Clinicians. Critically, members of the public can log in to see who has accessed their personal medical information and when (the same principle applying to much of the information held on them by central government).
The fact that access to personal medical data is so transparent means that Clinicians in Estonia are reported to be very careful about seeking clear consent before accessing patient records via the pilot systems - this same care and consideration is still lacking in some NHS Trusts with the result that a national solution should at the very least drive a greater level of consistency in controls, access and usage.
A few years ago I helped set up a privately run NHS clinic. The patient database was hooked up to the NHSNet and all the controls were put in with smart cards and no touching of external networks etc.
This was all fine, until I asked to be shown how the backup was done.
Insert cartridge every day and rotate off site.
Then I asked to see the backup command:
mysqldump -uroot -ppassword database > backup.sql
On querying why they were taking unencrypted data offsite, the company responded by stating that it is the approved way of doing it and data must be taken offsite.
I advised the private company NOT to follow this NHS procedure and to buy a fireproof safe instead. Which they did.
Until all the individually run practices and treatment centres have all their systems and procedures updated, this will keep on happening. All it takes is one purse to be snatched. I hate to think how many installations of this software (let alone other software I've also seen that does the same thing) there are in the country...
Tories play bogie man fears to get elected
Once again politicians adopt the easy to say, tough to do act to play the bogie man card over data centres.
Aimed at the conservative middle classes (there's a coincidence) to get electoral support for something that will waste millions of pounds to implement.
In all honesty, a centralised secure database will stop the local amateurs from sending discs to each other and loosing the damn things.
Once they are central, permissions to gain access and the national skills to remove personalised data will be easily available, rather than relying on the office boy who knows a bit about IT from playing WoW.
Sleep easy, the Tories have a rescue plan
...maybe, after all, they've learned their lessons from their own IT disasters like the CSA and their idea is worth a closer look?
Yes, there might be 6 times as many DBAs, but the problem when (note, that I say when not if) it occurs will be less. Rather than potentially losing all records, the potential will only be 1/6 of the number of records. If split even further, the proportion will be even less. Also, it will be extremely unlikely that all 6 DBAs (or more) will have the same problem at the same time, as opposed to it only needing 1 DBA* to make a mistake to affect every single record on the database.
National access is probably required for some uses, but transfer those via electronic wires rather than sneakernet/snailmail in the limited circumstances necessary.
The best solution though is transparent access like the Estonian method where people's access is not hidden but displayed openly so no sneaky accesses can be carried out. Access controls can limit the number of people accessing the data, but a bit of social engineering can easily break that. And then who is monitoring the accesses and checking that they are appropriate? Some civil servant who doesn't know the relationship between accessor and accessee? The best person to judge if access was appropriate is the person the record pertains to, as they will know all the circumstances.
* It's unlikely to be one person, but the 1 DBA term still stands if assigned to a small team of people.
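The transparent-access idea raised in the Estonia comment above and in the point that the patient is the best judge of whether an access was appropriate, as an added illustration that is not code from the thread or from any real NHS or Estonian system. The consent rule, the "emergency" override and all identifiers are assumptions; the point is that every request, granted or refused, lands in a hash-chained log the patient can read back.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_digest of the first event in the chain


@dataclass(frozen=True)
class AccessEvent:
    """One line of the audit trail; every field is shown to the patient."""
    seq: int
    patient_id: str
    clinician_id: str
    purpose: str        # "consultation", "emergency", ...
    granted: bool
    when: str           # ISO-8601 UTC timestamp
    prev_digest: str    # digest of the previous event (hash chain)
    digest: str         # SHA-256 over the other fields


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PatientVisibleAudit:
    """Hypothetical record service (an assumption, not a real API). Access is
    gated on consent the patient gave to a named clinician, or on a logged
    'emergency' override; every attempt, granted or refused, is appended to a
    hash-chained log that the patient can read back."""

    def __init__(self) -> None:
        self._events: list[AccessEvent] = []
        self._consent: set[tuple[str, str]] = set()

    def grant_consent(self, patient_id: str, clinician_id: str) -> None:
        self._consent.add((patient_id, clinician_id))

    def _append(self, patient_id: str, clinician_id: str,
                purpose: str, granted: bool) -> AccessEvent:
        body = {
            "seq": len(self._events),
            "patient_id": patient_id,
            "clinician_id": clinician_id,
            "purpose": purpose,
            "granted": granted,
            "when": datetime.now(timezone.utc).isoformat(),
            "prev_digest": self._events[-1].digest if self._events else GENESIS,
        }
        event = AccessEvent(digest=_digest(body), **body)
        self._events.append(event)
        return event

    def request_record(self, patient_id: str, clinician_id: str,
                       purpose: str = "consultation") -> bool:
        """True if the clinician may open the record. Emergency access is
        allowed without prior consent but is logged like any other access."""
        consented = (patient_id, clinician_id) in self._consent
        granted = consented or purpose == "emergency"
        self._append(patient_id, clinician_id, purpose, granted)
        return granted

    def history_for_patient(self, patient_id: str) -> list[AccessEvent]:
        """What the patient sees: who asked, when, and whether it was opened."""
        return [e for e in self._events if e.patient_id == patient_id]

    def unconsented_accesses(self, patient_id: str) -> list[AccessEvent]:
        """Records opened without the patient's consent (emergency overrides):
        the entries a patient would want to question."""
        return [e for e in self.history_for_patient(patient_id)
                if e.granted and (patient_id, e.clinician_id) not in self._consent]

    def verify_chain(self) -> bool:
        """Recompute every digest; an edited or deleted line breaks the chain."""
        prev = GENESIS
        for event in self._events:
            body = asdict(event)
            claimed = body.pop("digest")
            if body["prev_digest"] != prev or _digest(body) != claimed:
                return False
            prev = claimed
        return True


if __name__ == "__main__":
    audit = PatientVisibleAudit()
    audit.grant_consent("patient-1", "dr-own-gp")
    audit.request_record("patient-1", "dr-own-gp")
    audit.request_record("patient-1", "dr-stranger")            # refused, but logged
    audit.request_record("patient-1", "dr-a-and-e", "emergency")  # opened, flagged
    for e in audit.history_for_patient("patient-1"):
        print(e.when, e.clinician_id, e.purpose, "opened" if e.granted else "refused")
    print("chain intact:", audit.verify_chain())
```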
A conservative shuffle in the right direction
A centralized database is a hugely bad idea.
It works for banks just about, but hey money is easy to trace.
Online shops with a centralized database are pretty bad when it comes to security though they tend to get linked to the banks.
A medical database though should be as decentralized as possible, I advocate we all take responsibility for our own data.
Seriously, why do they need to store medical data on us?
If you are really some worry wart then why not wear a data bracelet or necklace.
Why not allow the person whose data it is to decide what can be given and to whom. A memory stick, even an ID Card with secure encryption could be used and then it is up to the individual if they give it to a doctor or other individual.
You can then decide what parts of the information you hold on yourself is available to whom.
Mind you, the ID Card's data would be maintained by the owner and NOT the government or any other body, with copy protection such that it was view only unless otherwise agreed. This of course would entail giving every household in Britain a free computer and other hardware to maintain for themselves.
It's already a decentralized system. That's why it doesn't work properly. Too many trusts implementing crap in the wrong way. I know, I used to work for one of the vendors involved.
The entire solution is an over-engineered waste of time that panders too much to political infighting between trusts.
Why not have everyone carry a medical card
On the card will be a number and the owner's name.
Then when the person ends up in hospital unable to communicate you enter the number into a centralized database.
All that is included in the database is
Citizen's Name, Medical ID number, GP's Name, GP's office (and details regarding contact of office). Actually, thinking about it, just have all the GP details in a separate instance and link across. So have a GP ID number too.
If someone steals a copy all they have are a list of names and random numbers instead of personal records. From there you get the records you need over the phone, maybe fax. No email - you can't trust email.
There you go. Sure, rolling out the cards and numbers may be a chore but it's probably better than a monolithic database; also, if you don't carry your card it's your own fault you get paracetamol when you're allergic to the stuff.
Wasn't it . . .
. . the Tories that started this whole exercise in consultant pocket filling many years back with at least one failed system and one that the next mob in power 'inherited'?
Remember? Back in the days when 'local authority' was seen as a threat to central government and the withdrawing of funding for local projects used to feed the insatiable appetite of systems consultants. S'funny how things are so much clearer from the outside.
It's all politics so where's the IT angle? ;-)
Experts can debate the pros and cons of centralized vs decentralized for a long, long time (and I think either, done *well*, might be fine), but one of the many flaws, security-wise, with NPfIT is that it has centralized data but very decentralized controls of access to that data.
E.g. A credit card and PIN are supplied centrally from the bank - very few people can change that PIN or issue that card. Contrast this with NPfIT where literally thousands of people are able to unlock and even issue smartcards (a large number of whom aren't even NHS employees).
True, there are a few other security 'extras' like to use a smartcard you'd need access to the Spine, and there are 'audit trails', but not exactly bulletproof, is it?
@ Jon Axtell
Why is loosing 1/6th of the data better than all of it? This is not a collateral decision, this is patient records of their health and status. 300,000 is no better than 53 million.
A central database is just as volatile as a distributed one, however by strictly managing mass access there is less chance of a mass security issue as we have now. We need to look at why these unsanitised and unencrypted bulk transfers were permitted to travel in the public domain. A procedure needs to be put in place where database reports are generated to meet the exact needs of the organisation that needs them and with the least excess of detail. The NAO does not need to know names/addresses and every clinician does not need 300,000 complete records.
Let's have some policies and safeguards in place to physically prevent access to all information by all staff. I like the sound of Estonia's process, although it is early to tell.
do the db shuffle
Banks don't have centralised databases. In fact retail banks run on the very basis of localised data, hence why you have to supply your actual bank address when requesting things like direct debits, because your main account info is held at the bank; your transactions and other sub info are held off that in load balanced databases at various other secure locations, but it requests back to the source bank where you set the account up for your actual info. Quite cool actually.
Anyway it's not about the system, there will always be good ideas, but when it comes down to it the system specs will continually change, people will cut corners to save money, and people will screw up. Doesn't matter how well the original plans are touted, govt projects always seem to go down the same route.
There's an easy answer to all this ID theft business..
Shouldn't cost a penny more than the hare-brained schemes they've already commissioned. Simply give everyone a new form of identification based on how attractive they are. This way ugly criminal types will no longer be able to steal the identities of the beautiful people with good credit, and it won't matter how many hospital records or child support CDs fall into the hands of ne'er-do-wells. That'll seem 'em.
Well it makes about as much sense as giving mortgages to the homeless (I'm looking at you America - thanks for killing all the banks) or biometric ID cards.
Crackerjack job btw. I wonder what happens to America when their stock markets finally figure out their banks haven't stopped doing that.. and where both our governments think they'll be getting the money to fund all these wonderful data-leaking projects when that happens.
Surely the answer is obvious....
....massive increases in budgets for IS projects.
You're suggesting that the best way forward is simply to just not hire you?
And a general off-topic comment .... what's the best suggested El Reg unit for the amount of volts to apply to people who stick an additional o into the word lose?
The only reason
to have a central medical database is to be able to track disease outbreaks like SARS or a flu pandemic; right now this is simply not possible anywhere. Hospitals don't share patient information quickly enough to do anything about them like limiting travel etc.
Taking your argument to its ultimate conclusion, we will see individual data stored on individual devices. Where will these devices be stored and how will they be accessed by those in need of access (legally or otherwise)?? Can they be clone-proofed if they were "acquired" for whatever time period; e.g. "borrowed"?? Can they be damage/destruction-proofed in the event of a disaster??
My friends and I had this argument before and one suggestion is to keep the data store up where the sun don't shine and, thereby, limiting the amount of damage to it. Data access can be obtained by the insertion of a data probe.....
Sorry, blame it on the Christmas spirits....
General Practice has done this well for years
And we have patient records for groups of around 2000 (per GP) to 30 000 (largest Practice at present). They have since 1900 or so been intended to be cradle to grave records, thus having extracts of hospitals' etc records in them. With electronic records one may be a bit more clever.
There is something to be said for automating access by other healthcare entities to the record held by the Practice, among other things it significantly increases the difficulty of obtaining the record of a specific person, if some finite number of holes exist, and it vastly multiplies the effort of getting all the records, or trawling all or some of the records for particular profitable information. (The address of someone for instance who has reason not to want to be found by someone non-official. Oh, and who has what as well).
For making queries about disease tracking and other bits of epidemiology there are a couple of considerations:
1. It is actually more economical and more virtuous to send the query to everyone, than to collect all the data from everyone and then run the query on it...
2. Medical records like other records tend to be very bad at answering questions that they were not designed or intended or used so as to be able to answer - random data mining is something that is presented as solving problems and valuable, but many of us are unconvinced as yet.
Compare and contrast "Send me all your medical records on everyone, I wish to count the cases diagnosed and coded as Typhoid" and "How many cases diagnosed and coded as Typhoid have you?"
One gets a gigabyte, the other gets "0". (Or in the context of an epidemic, perhaps a small set of names and addresses and geocodes.)
I quite like "loose" for what has happened - I've not seen the detailed reports to know whether the people involved were clinicians (whatever they are - I'm a doctor and there are another 100 000 or so of us, and then a bunch of people playing doctor whose informational needs and abilities may well be very different) and the 300 000 users for the NHS Net seems a low number to me, actually, given the access via Whitehall and the porters' lodge. Think 1 000 000 as a start, I'd say.
The data is not lost. That construction is one with the RIAA and FAST and the like. It has indeed been let loose. The media have been lost. Precision in talking about NHS IT was lost long ago among the politicians and managers, and is worth trying to recapture here.
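The "send the query to everyone" point in the comment above, worked through as an added example that is not code from the thread or from any GP system. The three practices, their records and NHS numbers are constructed; the condition codes loosely follow ICD-10 (A01.0 is typhoid fever). It compares what leaves each site for the "send me everything" query, the "how many have you?" query, and the epidemic case where only minimised matching records are returned.

```python
import json

# Constructed sample data: three hypothetical practices, each holding only its
# own records. Patients, NHS numbers and postcodes are invented.
PRACTICES = {
    "practice-north": [
        {"nhs_no": "000 000 0001", "name": "A. Patient", "postcode": "AB1 2CD",
         "conditions": ["J06.9"], "meds": ["metformin"]},
        {"nhs_no": "000 000 0002", "name": "B. Patient", "postcode": "AB1 2CE",
         "conditions": ["A01.0", "E11.9"], "meds": ["metformin", "insulin"]},
    ],
    "practice-east": [
        {"nhs_no": "000 000 0003", "name": "C. Patient", "postcode": "EF3 4GH",
         "conditions": ["I10"], "meds": ["amlodipine"]},
    ],
    "practice-west": [
        {"nhs_no": "000 000 0004", "name": "D. Patient", "postcode": "IJ5 6KL",
         "conditions": [], "meds": []},
        {"nhs_no": "000 000 0005", "name": "E. Patient", "postcode": "IJ5 6KM",
         "conditions": ["J06.9"], "meds": []},
    ],
}


def has_code(code: str):
    """Build the predicate 'diagnosed and coded as <code>'."""
    return lambda record: code in record["conditions"]


def centralised_count(practices: dict, predicate) -> tuple[int, int]:
    """'Send me all your records, I wish to count...': every record, name and
    address included, crosses the wire before the centre runs the query.
    Returns (count, bytes that left the practices)."""
    moved, pooled = 0, []
    for records in practices.values():
        moved += len(json.dumps(records))   # the whole record set leaves the site
        pooled.extend(records)
    return sum(1 for r in pooled if predicate(r)), moved


def federated_count(practices: dict, predicate) -> tuple[int, int]:
    """'How many cases have you?': each practice runs the query on its own data
    and only the number leaves the site. Same count, a few bytes moved."""
    total, moved = 0, 0
    for records in practices.values():
        answer = {"count": sum(1 for r in records if predicate(r))}
        moved += len(json.dumps(answer))
        total += answer["count"]
    return total, moved


def federated_cases(practices: dict, predicate,
                    fields: tuple[str, ...] = ("postcode",)) -> tuple[list, int]:
    """Epidemic mode: practices return only the matching cases, cut down to the
    fields the epidemiologist needs (postcode for geocoding, not name or NHS
    number). A practice with no cases sends back an empty list."""
    cases, moved = [], 0
    for records in practices.values():
        answer = [{k: r[k] for k in fields} for r in records if predicate(r)]
        moved += len(json.dumps(answer))
        cases.extend(answer)
    return cases, moved


if __name__ == "__main__":
    typhoid = has_code("A01.0")
    print("centralised (count, bytes moved):", centralised_count(PRACTICES, typhoid))
    print("federated   (count, bytes moved):", federated_count(PRACTICES, typhoid))
    print("cases only  (cases, bytes moved):", federated_cases(PRACTICES, typhoid))
```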
If each trust runs its own database then when another trust needs the data they must have some way of accessing it. This means either a link between the trusts databases or transferring the data on memory stick, CD, DVD etc.
The fact that NHS England is still made up of lots of little trusts makes it a nightmare.
If the Primary Care Trust for Somerset has the patient's GP data, the University Hospital trust for Somerset has the patient's hospital records from their hospitals and the Somerset General Hospital trust has the hospital records from the patient's visits to that hospital, how does the patient's GP know where and who has treated the patient?
It's a bit easier in NHS Scotland as the trusts were abandoned and returned to the regional boards. But you still have cross border issues. Patients from the edges of Fife and Grampian Board areas often end up being treated in NHS Tayside Board hospitals and if they have a chronic disease will probably go to clinics at that NHS Tayside hospital as well.
There are central systems in place for some Chronic Diseases.
And there are things that a GP may hold on their system and the clinic not. For example the drug Metformin is a common Diabetes drug, but if this is prescribed then there are treatments the clinic may suggest that are incompatible with this drug. If those were 2 different trusts, as is the case in England with separate Databases, how would the Clinician know a patient was on Metformin? Asking the patient may only result in knowing that they take the blue ones at lunch time and the pink ones before going to bed. A patient may know they are on insulin but do they know which type of insulin they are on? And of course asking the patient all this takes time, precious, expensive time.
The potential of such systems if built, maintained and used properly can be massive and well beyond the risk of some dodgy DBA getting in the system and stealing data or 3rd party suppliers using the data for things they aren't meant to.
While there is really no need for a central patient record for a relatively healthy patient, removing the need for their data to be transmitted on physical media which is very easy to intercept/loose is a good thing. However any NHS project must be based on one thing and one thing only: improving patient care with minimal security risk. Will NpfIT deliver this? The Conservative Health Secretary's plan certainly wouldn't, but it wouldn't be any worse than what is currently in place (in England).
Leave it where it is
My opinion, it seems, is the same as the MD I trust my health and medical history to at present, and a large number of his colleagues. I have trusted *him* with this stuff and I am currently trusting *him* with the answer to the question "Who gets to see my medical details". I am happy with this arrangement and wish for it to continue. To that end I have signed an official order preventing my data from being exported to the NHS spine. I strongly suggest that the NHS simply take the existing model, as explained above, and extend it into the electronic domain. This centralist's wet dream they are currently peddling is a nightmare and will fail and when it does, *we* are the ones who will suffer. The stuffed suits who designed the thing will be luxuriating in their Indian/American/Chinese (whatever) office chairs immune from the fallout.
Surprised more of you aren't seeing the bigger threat
When asked, the Govt refused to deny that our medical records would one day be linked to our ID records (along with our tax records, ANPR car tracking, DNA records and God knows what else).
The first centralised database of citizens was built by the Nazis and was a significant factor in rounding up the Jews.
Oh but our Government has nothing in common with the Nazis. Apart from the above and:
- Locking up people without trial.
- Annexing oil-rich countries.
- Passing laws which bypass 800 years of checks and balances on govt power.
The vilification of Hitler hides the fact that his crimes grew in proportion to both his power and the prevailing attitudes towards civil liberties and minorities.
Who says it's the new system?
Computers in NHS organisations are nothing new. Any leak that's NHS related is blamed on the new system, this is not proven.
The new system has safeguards, you only get to download the data for your organisation and you download it over the NHS network. There's no CDs posted (unlike the old system). There's access restrictions when viewing patient records, you have to request access to patient identifiable data.
So if any data is being compromised it's systems at PCTs and practices. Not the NPFit system.
If anyone can see the records of individual cases, that is OK; running a query to get a data dump is something else.
If it is impossible to print a record, only view & edit it, anyone wishing to steal data would have to work very hard, writing down the data by hand.
Queries would be a management function & only properly authorised personnel could have access & an audit trail could be created.
One of my parents works as an IT bod in the NHS. We have discussed the "spine" issue before. The thing is that there are systems already in place for sharing data without sharing a massive database. These were originally done through the post, but have been done through email as well. With minor tweaking (off the top of my head, some set of keys for signing and encrypting messages between institutions, which are dispersed through other means, like recorded deliveries) this could be a superb system. However this method has a major drawback. Due to "security concerns" GPs are forced to print out the notes, send them through the post, and have them verified against what was sent electronically at the receiving end. For some reason these concerns aren't being raised in order to cripple the central database idea. My proposal below is largely based on these discussions.
I have spoken to many GPs in my region (job interviews, don't ask) and they are deeply concerned about the spine; you don't need a degree in IT to see what a risk to privacy it is.
I think governments can learn a lot from peer-to-peer file sharing networks.
It doesn't matter where the data is stored, even the indexing information. All that is important is that patient notes are transmitted between two points on a network, without third parties getting a look in easily. The whole thing could be achieved with some Kademlia-style key sharing protocol, with some simple common-sense security tweaks. The channels that are already followed at the moment, the negotiation, validation and transfer, don't require a server, and could be easily adapted to such a regime. Without the server the system would be far more robust and secure, because breaking the security of a node won't take down the system or compromise everyone's records; there isn't any obvious starting point for someone to try to break the system.
A peer-to-peer system wouldn't be perfect, but it would certainly be an improvement. As people who follow the subject, regardless of their specific technical knowledge, can see the dangers in a central database, and can voice intelligent opinions on alternatives, one wonders what was going through the minds of advisors, or what kind of remit these advisors were given. I can only really explain the decisions thus far as being those of politicians and bureaucrats who are either so ill informed, or so unconcerned about security, that alternatives were never seriously considered. But I'm a cynical bastard, so what else would I say?
Split into six regional dbs?
That's insane. Lose one, and you lose a sixth of the population?
Build a clustered HACMP for the db, and build a Disaster Recovery failover box in some other physical location. Replicate (rsync) production data to the DR box to keep them in sync.
That's two systems (well, two identical clusters) you'll have to shore up security on, not six, and losing one doesn't lose a sixth of the population. One set of admins and DBAs can easily handle the lot. 24/7 support contracts are available (I don't work for those vendors, btw).
This is established technology, used by corporations the world over.
BTW, *yes* you want off-site backups, but encrypt them first!
Small leaks, too, can sink big ships
I think there may be too much emphasis on the 'bulk' side of data security with NPfIT. Obviously (to anybody who deals with it), it's a bit feeble, but it's the smaller breaches that might be most insidious.
As there is a market for information on where a particular individual lives, what their state of health is, when their appointments might be, all you need to do to make a few quid is acquire a smartcard and access to the Spine, which is stupidly easy to do, thanks to NPfIT. Audit trails are no good after the horse has bolted, and if my information is correct, they can easily be outrun/fooled anyway.
The really worrying thing is that Connecting for Health seem to be so convinced that it's a robust system from top to bottom. Who are they kidding? Or are they just comfortable in their ignorance?
@ Dave Gould
The moment you started cracking one off with your 'this is just like Nazi Germany' I sighed and moved on. Please, spare us the drama bollocks. Apart from cheapening the memories of the millions of people slaughtered by a twisted regime, you decide to compare two vastly different times, cultures and ethics to promote a blatantly immature view of data collection.
It's a pity that Nazi Germany is brought up in a debate about Government data collection in the UK, 2007, but to dismiss it as just a twisted regime misses one frightening aspect of it that is relevant - the 'twisted regime' might have set up the system, but once that system was up and running, people who wouldn't have normally been considered 'twisted' then did what the 'system' told them to do.
Once you have a government 'machine' that does something, it's difficult to switch it off, and if it's a badly designed machine (even if not intentionally designed as evil) it will still do what it does, and pretty relentlessly. If you don't think this happens now, you never had a taste of the CSA. Obviously not remotely on the same scale, but that system did cause real human misery (to all sides), largely due to a badly designed computer system and blind faith in its abilities. Even though everyone knew it wasn't working, it just carried on causing misery and injustice, and people still served it.
When the government has every bit of information on you, including tax, criminal, financial, educational, medical, travel records, etc, and it's all linked and subject to the latest badly designed government IT project, even without an evil regime, the possibilities are truly scary.
All it might take is a change in the law, bad data or poor security and you could be inexplicably finding it hard to get insured, employed, attain certain medical treatment, get a loan, travel abroad, etc. Government data collection and linking makes this much easier to do and yet it will be very, very difficult to put right once the system is in place.