Feeds

back to article Triple-headed NHS privacy scare after hospital data reach marketers, Google

The UK's National Health Service (NHS) and the NHS Information Centre are riding out a three-pronged privacy storm. The first privacy incident starts with this PA Consulting document titled “Placing the patient at the centre of healthcare: PA report on the future of healthcare.” On page eight, a section titled “The cloud can …

COMMENTS

This topic is closed for new posts.

Page:

What has it got on its serverses?

It's mines. Nasty dirty NHSICes. Master tricked us, nasty tricksy NHSICes.

But NHSICes is kind, and wants best for us, makes us all more healthy helps research

NO. They messes it all up. Master will sell us all and they don't know their arses from their elbowses.

STOP IT NOW!

41
0
Silver badge
Happy

Re: What has it got on its serverses?

Can you do that again as Yodo?

4
0
Silver badge

Re: What has it got on its serverses?

In all seriousness, I wonder if they'd be able to get Google to tell them exactly where in the world the data was stored, and where BigTable ran? If the answer to both is "in the UK," then what's the problem?

1
8
Anonymous Coward

Re: What has it got on its serverses?

The problem is that google has access to the data, any use of public cloud for personal data such as this should be punished..

17
1

Re: What has it got on its serverses?

>... then what's the problem?

Maybe that the data was supposed to be strictly confidential, accessible to named individuals within PA Consulting only? Instead, a company with the business model - in essence - of violating privacy for profit on a massive scale was given a copy. It does not help that Google fancies that the EU data protection law does not appy to them (on record, no less: http://www.cnil.fr/linstitution/actualite/article/article/google-failure-to-comply-before-deadline-set-in-the-enforcement-notice/).

14
0
Bronze badge

Re: What has it got on its serverses?

It's also a stupid mis-use of technology. Uploading the data into a local SQL server should always be quicker than sending the same data over the internet, unless you are particularity stupid.

1TB isn't a lot of data these days and while I'm not a big fan of MS SQL server, queries should easily run in an acceptable time on a 1TB data set. It sounds to me like the person doing the work didn't know what they were doing with SQL server but had a friend at Google. I wouldn't be too fussed if it wasn't for the privacy concerns.

There are loads of Data Warehouse products out there, like Sybase IQ which can run these types of queries in seconds and don't require you to send your data to some dodgy location like Google.

12
0
Anonymous Coward

Re: What has it got on its serverses?

@theodore Google don't have any data centres in the UK do they? (http://www.google.com/about/datacenters/inside/locations/index.html)

3
0
Silver badge

Re: What has it got on its serverses?

"Can you do that again as Yodo?"

Computerisation of health records leads to big data.

Big data leads to cloud.

Cloud leads to suffering.

Not quite as snappy as the original.

1
0
Bronze badge
Black Helicopters

Re: What has it got on its serverses?

In all seriousness, I wonder if they'd be able to get Google to tell them exactly where in the world the data was stored, and where BigTable ran? If the answer to both is "in the UK," then what's the problem?

If Google has the data, the US has the data. And the US will misuse foreign medical data:

U.S. Border and Immigration Officials May Have your Mental Health History

Disabled woman denied entry to U.S. after agent cites supposedly private medical details / A Toronto woman is shocked after she was denied entry into the U.S. because she had been hospitalized for clinical depression.

2
0
Anonymous Coward

Re: What has it got on its serverses?

SQL server? That MS things? Well, it's getting there. It still sucks compared to SQLite. JK. Any local DB server should be faster to dump data into that uploading it to... wait a second, maybe they were on site. The plot thickens!

1
0

HES Data

As far as I know, HES Data is publicly available to anyone who wants access to it from here http://www.hscic.gov.uk/hesdata

1
6

Re: HES Data

Various analyses and extracts are. I bet they'd look at you funny if you said "giz the lot".

8
0
Anonymous Coward

Re: HES Data

On current form they'd say "Twenty quid the lot mate" and chuck in a years subscription to Data Pimp Monthly.

3
0
Silver badge

Placing the patient at the centre of healthcare

It's actually "Placing the patient at the centre of the feeding trough."

20
0
Silver badge
Unhappy

Not surprised

Annoyed - yes, but not surprised.

8
0

This post has been deleted by its author

Silver badge
Facepalm

Summary Care Record? Brill Idea... Sharing that data? moronic.....

As always the government have to balance a good idea with something very stupid.

the idea of a single record for each patient is brilliant, no more will I have to waste time confirming information every time I go for a scan or similar, they can even have my DNA an fingerprints if that will help with my care...

BUT if you share that data with private companies? no thanks, that is idiotic.. Allowing any public cloud services to be used is even dumber, oh no one at google has access? sure... its not like the data is encrypted with external keys is it?

I assume I am able to ask who accessed my records, when and why?

12
0
Silver badge

Re: Summary Care Record? Brill Idea... Sharing that data? moronic.....

Actually no.

I do want someone to confirm my name address etc. every time I go for a hospital appointment. I really, really don't want a flip of a digit to result in me having a leg amputated instead of a cyst removal.

Also, the more varied and different parts there are to your overall ID, in totally different locations (preferably some of them paper) the harder it is for anyone to fake it.

3
0
Anonymous Coward

Re: Summary Care Record? Brill Idea... Sharing that data? moronic.....

think you'll find the every doc taking a history at each initial consultation.

1
0
FAIL

Sysadmins...

> "that no Google staff would be able to access the data"...

This just goes to show that they *really* have no idea what they're talking about. Of *courrse* Google staff have access. They have access to *all* data on their servers! Not all staff, but the sysadmins do.

20
0

So we're screwed what ever happens with the Care Data then? Confidential information has already been released by hospitals and is being ingested by Google. I'm sure they're able to mine it for their own use when ever they want. Nothing to say they aren't already and are storing the results to save themselves time when they have 'permission' to do so.

9
0
Bronze badge
Facepalm

Damned easily predictable

I knew this would happen, these morons can't help themselves; this is why I opted out of care.data!

8
0
Bronze badge

Re: Damned easily predictable

Except that your data will be extracted along with everyone elses....is you are lucky your dissent for use of and dissent from disclosure for codes will take effect after that. However, it is guaranteed that if a large number of opt-outs happen, and they are sufficient to materially affect the data adequacy, the codes will be legislated away.

Nothing is more temporary with gov data than confidentiality.

1
0
Bronze badge
Black Helicopters

Healthcare information stored on Google?

Well, shit. Welcome to Google Britain! As of now, we are part of the collective - every mother-to-be's records will be on Google, ergo Google will have complete records on every child from before they're even born.

Add this to Google glass - probably with an addition of transmitting audio as well as visual data back to base - and we're watched, monitored and profiled from cradle to grave, with Google in a position to push us onto whatever path they choose.

This kind of power is dangerous beyond the comprehension of most and needs to be broken before it's too late - if it isn't already.

10
1
Big Brother

Re: Healthcare information stored on Google?

In the 1930s "Your papers!" In the near future "Why aren't you wearing your Google glasses?"

6
1
Bronze badge

Re: Healthcare information stored on Google?

Oh look...my house on google earth now has my NHS number by its side....and I just click on it to find my appointment for the GUM clinic..

1
0

Access to data

"no Google staff would be able to access the data"

WTF? of course they would! how naive are people?

Just because no member of google staff would have an account on the frontend application that's typically used to access the data, doesn't mean they don't have administrative access to the underlying server on which the data is stored or even physical access to the servers/drives its stored on.

It is obvious that any number of google staff could gain access to the data if they wanted to, and to claim otherwise is ridiculous.

17
2

Re: Access to data @Joe Montana

WTF

So you are assuming that both the data and database tables are unencrypted?

There is no mention of this in the article.

1
9
Anonymous Coward

Re: Access to data @Joe Montana

@Amiga500

If they were working on an encrypted dataset, they wouldn't be able to do any analysis using Google's analytical tools (they're tailored to work with big datasets- if you only decrypted part of the dataset at once, you'd have a large number of small datasets).

2
0

Re: Access to data @Joe Montana

There is also no mention of any Third Party assessment (Google). You will probably find that Google take their security more seriously than the NHS. The NHS has an awful track record of data loss and breaches, and I would suggest that their would be more access to this data from the NHS than by Google as some are suggesting here.

0
0

Re: Access to data

Dear Mr Montana,

may I be so free and correct a common misunderstanding that I see very often nowadays? Thank you.

And I quote "underlying server on which the data is stored or even physical access to the servers/drives its stored on". That's the whole point of storing data on the cloud: There's no underlying server, which is not even physical, and therefore can't be physically accessed.

Oh... See how easy it is to pretend that I could work for the government... Cranking stupidity is far easier than cranking up intelligence... But nowadays even stupid people must somehow be able to survive, even if they are clearly not the fittest :D :P :O

Now, as far as Google Admin access is concerned: All you nitwits who assume that one Admin goes in and mines the data... *FAIL* The point here would be that a Google Admin can create a backdoor into the data because (s)he has access as a privileged user to the virtual(!) server the data sits on. Through the thusly tampered backdoor, Google advertising experts can then mine the data for purposes of displaying adverts to patients undergoing surgery via a beamer mounted on the surgeon's back, and pointing to the ceiling....

Oh and never mind the rant about the encrypted data. Imagine this: Google has more than 1 server. In fact, they have more than 100 servers. Some of them are operated in such a way that they can spawn hosted virtual servers at the click of a virtual button. So then, imagine Google (or more likely a rampant Googler) ramps up say 1000 virtual servers. That Googler knows how to parallelize workloads and runs a decrypt attack on your stale but encrypted data. The Googler soon finds out that 1000 is not enough, and employs a 1000 instances at the premises of competitioned giant Amazon. Et voila: 2000 servers working together on cracking your uhm our data.

So... go THINK before you burn down some commentary... Oh yeah: The first part of this post is uhm sarcastic?!

Regards,

Guus

1
1
Anonymous Coward

Re: Access to data

So you would pay for a service then the service provider would use all it's computing power to work to crack your encryption.

I think you are right there are no physical servers in the cloud

The second part of my post is sarcastic

0
0
Anonymous Coward

PA Consulting, haven't they been in the headlines (a few times) for data breaches?

Regarding Earthware's map;

a/ it was not false data thus it was taken down, or

b/ it revealed just how much scary shit they could do with your information

5
0
Gold badge
Gimp

TL:DR version. US company +US data centres gets *all* NHS Hospital data.

THE PATRIOT Act then makes any notion of privacy absurd.

1TB of data sounds a lot but I wonder.

How many servers? How many processors? How many predefined indexes? How much disk for the indexes?

4
0
Anonymous Coward

Follow Ross Anderson's dealings too

Professor Ross Anderson from Cambridge Uni is also very active in this matter. Follow his posts on the Light Blue Touchpaper blog

http://www.lightbluetouchpaper.org/

and his very interesting FOI exchanges with the MHRA, in which they are displaying real ignorance of the issues involved.

https://www.whatdotheyknow.com/request/privacy_mechanisms_in_cprd

4
0
Anonymous Coward

Re: Follow Ross Anderson's dealings too

had to laugh at that:

Anderson to hsick "what are your threat- and security models?"

hsick to Anderson "we don't understand what you mean by threat model and security model, please elucidate"

honestly. I mean wtf?

Anderson then told them to get a copy of his book!

2
0
Joke

pseudonymised?

"The NHS Information Centre (NHS IC) signed an agreement to share pseudonymised Hospital Episodes Statistics data with PA Consulting in November 2011."

Did someone mis-spell sodomised?

3
0

Oh dear HSCIC.

They can't even handle their website, I don't trust them to handle our data.

https://dl.dropboxusercontent.com/u/17978475/lolwat.png <- screenshot taken at 11:28am.

3
0

"Target health improvement"

"identify trends and patterns in order to target health improvement more effectively"

What they mean is target their advertising. Another marketingspeak win.

2
0

meh

A Google engineer is probably more trust worthy than any PR company and 99.9% of the entire civil service.

1
4
Gold badge
Joke

Re: meh

"A Google engineer is probably more trust worthy than any PR company and 99.9% of the entire civil service."

So about 0.01% as trustworthy as a normal human being?

Some days it's just too hard to pass them up.

4
0
Silver badge
Facepalm

Hanlon's razor...

"Never attribute to malice that which is adequately explained by stupidity."

2
0
Black Helicopters

Lets look at the real reasons behind this

PA consulting are a front for this, they get the data onto a US companies servers, get well paid and take some flak for it.

Meanwhile the NSA using the patriot act can now access all that information and do as they wish with it before passing the results back to GCHQ.

So the goverment can analyse all this juicy data without the need for any legal oversight, warrants etc etc.

A year ago this would have been a tin foiled hatted conspiracy theory, today its a different story.......

14
0
Anonymous Coward

Re: Lets look at the real reasons behind this

indeed, plenty of scope for blackmail there. looking on the bright side, a few politicians might cop for some unintended consequences.

2
0
Anonymous Coward

Keep digging

No doubt theres going to be a lot more (and a lot murkier) where this came from. That 'six months' delay is already starting to look very, very optimistic; a couple of wrong footed appearances on Newsnight and Care.data will head the way of ID cards and the Dodo.

5
0
Gold badge
Unhappy

Re: Keep digging

"That 'six months' delay is already starting to look very, very optimistic; a couple of wrong footed appearances on Newsnight and Care.data will head the way of ID cards and the Dodo."

We can hope.

1
0

UK cloud and Google

I stick my data on the cloud and it's not leaving the UK. So, the NSA and GCHQ are not interested? The only sure way of it not going where the sun don't shine is not connect to the web. Simples.

0
1

Anonymised data - why the problem

This data cannot be used to identify you. It does not contain details about who you are or where you live. You record is reduced to an unidentifiable number.

So why the concern?

1
4

Re: Anonymised data - why the problem

It's not anonymised. It's "pseudonymized". Experience has shown that such data is vulnerable to inference attacks. You can take "cleaned up" data and either process it or combine it with other data sources to infer the missing parts.

2
0

Re: Anonymised data - why the problem

Except aggregate data isn't susceptible to inference attacks. Only the per-patient data, which isn't included in that dataset.

0
0

Page:

This topic is closed for new posts.