Why are they allowed to continue to provide services to the NHS at all?
NHS slaps private firm Health IQ for moving Brits' data offshore
Health insurance and financial data management biz Health IQ is the latest outfit to have its wrists slapped by NHS Digital in the UK for failing to comply with data processing rules. A technical audit of Health IQ concluded the company had breached its Data Sharing Agreement with the NHS "by holding and processing data …
-
-
Friday 26th August 2016 15:43 GMT Only me!
Change Control
Now I both love and hate change control and always push for "risk balance", I deal with small software houses, but they delver critical bespoke stuff. So it is just impossible to enforce enterprise governance.....but even me pushing the limits always asks wheres the data and what are you doing with it!? I then ask for a nice picture to show me.
So if this happens what the F$^% is going on?
End contact, sack the people involved in procuring the contract.
Lessons learned:
Understand what the heck you are asking for in the first place!
Go for a beer, it's a Bank Holiday weekend here :-)
-
Friday 26th August 2016 17:39 GMT BillG
Phil Booth, coordinator of pressure group medConfidential, questioned why private companies are continue to break the rules around data sharing... "We get told that there are rules in place to protect the privacy of patients. But yet again they've been ignored without penalty."
Because no one has been subject to a serious penalty for breaking the rules. Hit them with a fine of a few million £. Until then, private companies will have the attitude of "we'll host offshore and save money until someone tells us not to. Then we'll pretend to obey the rules until we do it again".
-
Thursday 1st September 2016 16:19 GMT John Smith 19
"Why are they allowed to continue to provide services to the NHS at all?"
That's the really effective penalty, along with deleting all copies held of the data, so you can't go on data mining the old data set.
If the NHS did that to a company or two the attitude of the rest would change fairly quickly.
-
-
-
-
Monday 29th August 2016 10:42 GMT DocJames
Re: BASTARDS
it that important that the FUCKNAUTS at the NSA have to know about the fungal infection i had on my bell end?
Yes, it allow(sic) them to make a blackmail profile of you for possible future use.
Fungal infections on bell ends are not related to hanky panky. They may be due to lack of cleaning (more colonisation than infection IMH (but professional) O), corticosteroids, poorly controlled diabetes mellitus, HIV or recent antibiotics, but I don't think any of these things are blackmailable really (except HIV, and even that isn't for most people living with it now). This is just another example of data fetishisation (which should definitely be blackmail material), aka "I'm having trouble finding the needle, so I added 31 more haystacks to make it easier"
-
-
-
Friday 26th August 2016 11:44 GMT frank ly
"... the errors are often basic and avoidable."
They are not errors. It's deliberate, probably to save money, and they know there will be no penalty if they get detected. You can't trust anybody with data. They wouldn't store it for you unless they thought they could make a profit in some way and then the profit becomes the driving and only consideration.
-
-
Monday 29th August 2016 10:54 GMT werdsmith
Re: "... the errors are often basic and avoidable."
I know this one. When working with NHS data in our own UK secure data centre, we cannot let our outsourced overseas developers near it. The developers are always complaining about it, but may only work with dummy data, and cannot get involved in support of the system where the real data lives.
But you just adapt and learn to work that way and it's fine. There's no excuse for taking liberties.
-
-
Friday 26th August 2016 11:56 GMT Anonymous Coward
"This helps to ensure that ... data is kept safe and secure"
So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.
Except there is this thing called "The Internet" which connects all the clouds together.
-
Friday 26th August 2016 12:37 GMT TitterYeNot
Re: "This helps to ensure that ... data is kept safe and secure"
"So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.
Except there is this thing called "The Internet" which connects all the clouds together."
Having briefly scanned the audit report, I don't think that's quite what the auditors are saying. I can't see any reference to data being stored in a non-UK datacentre, but I do see a reference to aggregated data in the London data centre being available 'online' i.e. presumably internet facing, and so available to users in other countries (that's probably why the London data centre is no longer used.)
This is most likely what the main point of the story is - servers storing NHS data should never be accessible via the internet, only via internal LAN / WAN (with WAN connections encrypted over point-to-point VPN.)
The only other failings I can see in the report are the usual suspects - logins shared between 2 admins, unlocked unattended laptops, poor audit trail for information governance training etc. etc.
-
Friday 26th August 2016 16:28 GMT Steve 114
Re: "This helps to ensure that ... data is kept safe and secure"
Huge thanks for actually reading the report. This stuff is genuinely difficult, and well-meaning 'committees' have, to my personal knowledge, floundered for 15 years+ in trying to make constructive and responsible use of anonymised health data, in a way that any other industry (aviation?) would have (equally defectively?) cracked years ago.
-
-
Friday 26th August 2016 15:40 GMT Blane Bramble
Re: "This helps to ensure that ... data is kept safe and secure"
So what they're saying is: if it's stored in a cloud hosting provider in the UK, it's safe; if it's stored in a cloud hosting provider outside the UK, it isn't.
Except there is this thing called "The Internet" which connects all the clouds together.
No, what they are saying is that whilst it is stored in a cloud hosting provider in the UK it is subject to, and protected by UK law.
Whilst it is hosted outside the UK it is subject to, and protected by the laws of that country.
-
-
Friday 26th August 2016 12:04 GMT Anonymous Coward
Why has this company got access to NHS data anyway?
From their website,
"The data we use is non-identifiable and non-sensitive, and we never give direct access to raw data, rather we provide insight, build tools and aggregate data."
"Real World Data Collector is powered by Health iQ who are leaders in real world data with an outstanding NHS informatics and health intelligence heritage. We work with many of the biggest names in life sciences providing market-leading insight and are pioneers in Simulation Modeling and Prospective Data Collection for Market Access and digital informatics."
Why make it anonymous? Market Access?
Did someone claim care.data was dead?
-
Friday 26th August 2016 12:57 GMT Warm Braw
Health iQ ... are leaders in real world data with an outstanding NHS informatics and health intelligence heritage
They seem to have been a very unremarkable small company operating out of serviced office premises in Whitechapel until the end of their accounting period in 31st Jan 2014. Then suddenly it seems they acquired substantial debt and a compensating sizeable chunk of "intangible assets", apparently in the form of a patent license of some kind, so it looks like they have some ambitious plans for the data they hold.
The "offshore" bit is perhaps the least concern - they're using servers based in Ireland. More worryingly, they were sharing passwords to the NHS Secure Electronic File Transfer system from which they obtain the NHS data. They are currently not in receipt of NHS data until the audit issues are addressed, but the audit suggests they only conduct a penetration test of their new system (presumably after relocating from Ireland) "once Health IQ has received a full data set": I would have thought one would conduct the penetration test (to the extent they're useful) before loading the system with live health data. Also, their staff were leaving the office leaving their laptops unlocked with access, presumably, to the raw NHS data. The audit also says that the contracts with Health IQ customers - sub-licences for the NHS data - were undated and used scanned signatures.
Having said all that, I suspect a snap audit of a hospital would find a great deal worse...
-
-
Friday 26th August 2016 12:57 GMT Chris G
So how about deleting the back ups
The data held offshore would presumably be backed up, posssibly at more than one other site, were the back ups assuredly deleted or are they still out there?
I' m guessing the potential profits from breaking the rules are greater than the losses from a slapped wrist.
For the most part once data is out there it stays out there, I'm too cynical to think that anything moved incorrectly or ilegally will not be copied before being 'deleted' if it is valuable.
-
-
Friday 26th August 2016 21:58 GMT Doctor Syntax
"Why do charities need access to medical data?"
They're probably charities such as http://www.cruk.manchester.ac.uk/
I think it's reasonable that they may require medical data.
But as for data processing firms who can't be bothered to comply with the T&Cs under which they have access, it should be end of contract for good. Once one or two discover the hard way that the T&Cs aren't just collections of black marks on paper or screens the rest will get the message.
-
-
Monday 29th August 2016 16:58 GMT LindaJoyAdams
An international cabal has gabbed hold of the official records of governments and individuals held in trust by governments. USA lost control in the COUP OF 2002 when Congress defunded any real internal audit controls, criminal investigations and SEC also as contracting out became the norm and an international maze of shell companies and illegal secret del partnerships took control . as governments contracted out systems work rather than hiring in house civil servant programmers and paying them a larger salary as they once did. Off shoring expected to be completed as soon as he Trans Pacific Asia Partnership treaty is passed by all nation. ONE PERSON ON ONE SERVER WILL SOON BE ABLE TOCONTROL EVERY PERSON , ENTITY AND NATION IN THE WORLD AND DO IT IN A PLACE NO GOVERNMENT CAN ARREST.ONE NOT STOP IT :Absolute power corrupts absolutely and should never be done. THIS IS NOT A WORLD GOVERNMENT BY A one world beast system that answers to not human government .
Biting the hand that feeds IT
