NHS supplier that holds 40 million UK patient records: AWS is our new cloud-based platform

One of the NHS's major suppliers is upgrading its GP records system and moving millions of patient data to Amazon's cloud. EMIS Group is one of four principal suppliers to the NHS. Its health suite is used by 10,000 organisations and holds more than 40 million records. The firm today announced that it is upgrading its …

Alan Brown
Silver badge

Re: USA Patriot act

" The same way Microsoft aren’t handing over data on servers in Ireland"

Wrong. The reason MS aren't handing over data in Ireland is that the Patriot act hasn't been invoked.

If it is, then they have no choice and they will in a heartbeat.

Making Bacon
Facepalm

What could possibly go wrong ..?

Dan 55
Silver badge

All 40 million records spill out of an open S3 bucket...

BrownishMonstr

The alternative is they put it on their servers, and since it seems like they're being cheap asses, I'm sure this is better. Although how much better, I'm not quite sure.

Oor Nonny-Muss

This is the same EMIS...

... that want me to pay out £30k so they can provide a system that will run on a 64 bit OS (I regard this as a bugfix, not an enhancement)

NHS needs to tell these charlatans who the customer is here

Oor Nonny-Muss

Re: This is the same EMIS...

That £30k is on top of the £42kpa they get to support it (I use the term support because that's what the contract says it is)

JohnFen
Silver badge

Red flag

"unprecedented levels of protection"

When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed.

Commswonk
Silver badge

Re: Red flag

When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed.

With all sorts of people having "legitimate" access to the records I'm not certain that any flaws in the inherent security will actually matter that much. The greatest vulnerability will be end users, and will be down to stupidity rather than malice. (Hanlon's Razor)

Doctor Syntax
Silver badge

Re: Red flag

"When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed."

When I see them I look carefully at the alternative meanings that can be attached. e.g. "you've never seen anything this poor".

Lotaresco
Silver badge

Re: Red flag

"unprecedented levels of protection"

Having no protection at all is unprecedented.

The Real Tony Smith

Re: Red flag

"unprecedented levels of protection"

When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed.

Me too, I remember some time ago I was looking at dongle based software protection only to be told by one vendor that they used 'Military Grade Security'.

Having been in the military in the past I immediately deleted their email and went to another company who were happy to specify which algorithm and key length they used.

Anonymous Coward
Anonymous Coward

maybe

but flawed at a level that's never been seen before though

JohnFen
Silver badge

Re: Red flag

"The greatest vulnerability will be end users"

If this follows the same pattern as 80% of security issues, it isn't the end users that will be the biggest weakness, it will be the employees of the agencies that have access to this data.

Anonymous Coward
Anonymous Coward

Re: Red flag

With all sorts of people having "legitimate" access to the records I'm not certain that any flaws in the inherent security will actually matter that much. The greatest vulnerability will be end users, and will be down to stupidity rather than malice. (Hanlon's Razor)

--------------------------------------------------------------------------------------------

Except, of course, for the foreign and local government agencies, and the criminal groups, who will just take *all* the records.

Anonymous Coward
Anonymous Coward

Nope

(1) You can google the locations of Amazon data centers, take a look at GDPR and maybe Caldicott Two and work out where the data will likely move. This is a groundless worry.

(2) EMIS are notoriously unhelpful in providing legitimate access to their data. Moving platforms doesn't really affect this either way - it's not relevant.

(3) Synchronisation of multiple data sets is technically trivial. EMIS have done this for years, just like everyone else.

(4) There's no vector from that bored NHS employee's obsolete desktop browser to the existing EMIS data. I thought people here were technical. Stringing together a bunch of jargon words doesn't make a rational point.

Is that the best you can do?

Doctor Syntax
Silver badge

Re: Nope

"You can google the locations of Amazon data centers, take a look at GDPR and maybe Caldicott Two and work out where the data will likely move. This is a groundless worry."

What precautions do they have to move stuff out of scope of the CLOUD Act and anything else the US Govt. will come up with when it can't get its own way?

TrumpSlurp the Troll
Silver badge
WTF?

Someone else's computer

Is still a computer on the Internet.

I don't see how moving to a cloud makes any difference in ease of communication and integration.

In fact, it shouldn't.

david 12
Bronze badge

"encourage new businesses into the market"

By shifting to AWS.

Because surely Amazon is just one of many new businesses competing in that space?

rmason
Silver badge

Re: "encourage new businesses into the market"

In our experience AWS have the pricing nailed. It's hardly a surprise.

The entirety of this strategy/announcement can be summarised like this:

We need to replace the kit at the datacentre(s). It's going to cost £Incredible_Sum, or we can go to AWS who will charge us £Incredible_sum-%10

It is as simple as that, the rest is fluff and waffle.

Anonymous Coward
Anonymous Coward

Would be interesting to see the DPIA for that move.

As with all cloudy type moves it is entirely possible for this to be done safely, legally and transparently. I just have little confidence that it'll happen with this project.

But don't worry, your politicians have every confidence in 'cloud'. They have utterly no understanding of it but have every confidence that their stocks in technology providers will keep going up.

As for your data and privacy, who gives a shit about that? If you're using the NHS please hurry up and die to stop using up so much of your politicians' precious pennies.

Barnstormer

You're assuming that a DPIA has been completed... Who could we ask?

Anonymous Coward
Anonymous Coward

Your stuff is going in the cloud regardless of this.

Hospitals are frequently using free services e.g. dropbox for stuff already and yes that includes PII on occasion (sometimes encrypted files, sometimes not).

Media has not woken up to this yet. There are also health services looking to use Office 365 which means all their admin stuff being punted into the cloud wholesale.

Anonymous Coward
Anonymous Coward

Re: Your stuff is going in the cloud regardless of this.

Hospitals are frequently using free services e.g. dropbox.

They are blocked on N3. If someone was to invent a new one, that would be blocked too, first locally and then nationally after enough Information Security Officers report it.

ibmalone
Silver badge

Re: Your stuff is going in the cloud regardless of this.

Hospitals are frequently using free services e.g. dropbox for stuff already and yes that includes PII on occasion (sometimes encrypted files, sometimes not).

And their local rules will tell them not to unless encrypted. My employer is a university and even we have that.

Dan 55
Silver badge

Re: Your stuff is going in the cloud regardless of this.

Of course. If it's not because 1) the IT dept can't make basic services work so employees have to work around the problems created by the IT dept, it's because 2) the IT dept themselves willingly outsource everything to Office 354 or 3) someone starts and has to make their mark.

0laf
Silver badge
Childcatcher

Re: Your stuff is going in the cloud regardless of this.

But doctors can use their own equipment (BYOD) in many trusts and they like dropbox and Whatsapp so you can have some certainty a lot of PII is in those cloudy shitboxes as well.

steviebuk
Silver badge

Say goodbye...

...to SQL access to that data. Cloud is useful but too many companies concede access to the provider for some weird reason. I know of such a place who gave some of their databases to a company to manage. Then the inhouse dev team needed access and it was a

"No".

What? But it's our data.

"So, you still can't have full SQL access. Just use that low code shit you've been given".

What? So I have to waste time making a basic front end just to be able to access the data in our own database, because you won't give us a remote access SQL solution?

"Yep"

Is this because you just don't want to have to provide us, free of charge, an RDP solution to SQL?

"Not saying anything".

But the low code software is quite basic compared to SQL so the data we get back isn't great.

"Don't care. We have your money now".

So the answer is. Put your databases in the cloud if you wish but DEMAND, before you sign the effing contract, to have full SQL access if/when needed.

ibmalone
Silver badge

Going to make life interesting for the rest of us

If the NHS decides patient data can be moved onto cloud storage, those of us who have maintained that it's a bad idea for PII we look after are now going to have to work harder to justify that stance. Barring, of course, some absolutely stupendous disaster, but I suspect the real problem will be that smaller operations are going to be more likely to slip up. At least EMIS may have sufficient resources to make sure it's secured at all points.

Anonymous Coward
Anonymous Coward

new IBM

"Nobody ever got fired for choosing IBM Amazon Web Services"

Except, at least, with IBM, incompetent third parties were generally not involved?

adam payne
Silver badge

EMIS Group is one of four principal suppliers to the NHS. Its health suite is used by 10,000 organisations and holds more than 40 million records. 40 million records going into the cloud, what could possibly go wrong?

Shifting patient records to the cloud requires approval from NHS Digital, so there isn't a timeline yet. It will be rubber stamped by NHS Digital without any discussions regarding security.

Anonymous Coward
Anonymous Coward

Of course it'll be rubber stamped, they'll claim it'll save money = job done.

Doesn't actually mean the end result will be savings though..

Marketing Hack
Silver badge
Big Brother

"bake in voice recognition and AI so applications can listen in to patient-doctor conversations"

Um, did anyone else catch this? Fine, if those recordings are immediately destroyed, and do not somehow become subject to access by criminal, civil, intelligence-gathering, business or regulatory proceedings.

"Hey, we found that so-and-so was struggling with medical condition X, so we declined to hire/promote/keep him onboard."

Anonymous Coward
Anonymous Coward

Re: "bake in voice recognition and AI so applications can listen in to patient-doctor conversations"

"Hey, we found that so-and-so was struggling with medical condition X, so we declined to hire/promote/keep him onboard."

----------------------------------------------------------------------------------------

And in the real world:

"Hey, we found that so-and-so was struggling with medical condition X, so we should offer his father/wife/daughter, who works for YZ, enough to pay for treatment if he gives us the right files and passwords."

There is a reason the same hackers went after millions of records from all of:

1. The US government's Office of Personnel Management's dossiers for security clearances

2. Travel records for the biggest travel services (used by the government)

3. The health records of more than 100 million US citizens, from health insurance providers.

cam

Sounds like a DPA breach to me. That data is being shared without patient consent outside of the organisation.

Dan 55
Silver badge

Having trouble reconciling the headline for this story with this other one:

Foreign hackers have tried to access the genetic blueprints of thousands of NHS patients, say officials

Biting the hand that feeds IT © 1998–2018