back to article NHS supplier that holds 40 million UK patient records: AWS is our new cloud-based platform

One of the NHS's major suppliers is upgrading its GP records system and moving millions of patient data to Amazon's cloud. EMIS Group is one of four principal suppliers to the NHS. Its health suite is used by 10,000 organisations and holds more than 40 million records. The firm today announced that it is upgrading its …

  1. Commswonk Silver badge
    Thumb Down

    Bullshit Alert

    "This will also allow new solution providers with interesting technologies such as artificial intelligence to overcome the traditional barriers to market entry, leveraging the interoperability at the heart of our new architecture," he said.

    I'm not sure I want my records stored by a company that can put out garbage like that.

    Where's the mind bleach?

    1. robidy

      Re: Bullshit Alert

      Err erm, how are my or anyone else's medical records out of scope of the US Patriot act in AWS?

      El Reg, this is something we UK citizens need help answering?

      1. JohnFen Silver badge

        Re: Bullshit Alert

        "how are my or anyone else's medical records out of scope of the US Patriot act in AWS?"

        If those records are being kept in servers on US soil, then they are absolutely in scope and will remain so. Further, if the Patriot act is invoked to get at those records, nobody outside of Amazon will be told.

        However, if those records are encrypted and the keys aren't available to Amazon, then what the government would get is a bunch of encrypted data.

        1. Mark 85 Silver badge

          Re: Bullshit Alert

          This also presumes that someone has set the access to said servers and locked them down instead of leaving them in the default settings like we've heard about here on El Reg.

          1. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

            Re: Bullshit Alert

            ...not if my experience of NHS "systems" is anything to go by, they couldn't even secure MSAccess.

        2. Anonymous Coward
          Anonymous Coward

          Re: Bullshit Alert

          And what EMIS could get is sued under the data protection act. The records cannot be kept outside the EU so they will need to ensure they on to specific regions inside AWS. Whatever safe harbour is calling itself today it is still not valid.

          1. Anonymous Coward
            Anonymous Coward

            Re: Bullshit Alert

            The records cannot be kept outside the EU so they will need to ensure they on to specific regions inside AWS.

            ---------------------------------------------------------------------

            Doesn't matter.

            AWS is from a US firm, thus the CLOUD act says they have to hand it over to US agencies.

          2. Anonymous Coward
            Anonymous Coward

            Re: Bullshit Alert

            So when the U.K. leaves the EU they will not be able to host the U.K. data in the U.K.?

        3. Peter Gathercole Silver badge

          Re: Bullshit Alert

          "...the keys aren't available"

          Someone please correct me. If this data is encryped, but being used by cloud based analysis applications, then those cloud based applications must have the keys necessary to access the data (I accept that using the data from, for example, GP surgerys. there is scope for keys to be on the surgery's systems, and presented for every request, but that does not cope with bulk analysis mentioned here).

          And they're in the same cloud, so if someone really wants the data, they half inch the data and the keys (OK, you could go down the rabbit hole of needing a key to decrypt the key store in the cloud, but how often do you go round this loop until you must store a key somewhere readable).

          So where is the security?

          I'm sure I must have missed something, so I'm asking for someone to point out where I'm being stupid?

          1. Anonymous Coward
            Anonymous Coward

            Re: Bullshit Alert

            We use exchange online for processing UK medical insurance claims, all traffic to the cloud goes through a gateway server in-house that does pass through encryption, so all the records stored in the cloud are encrypted with their own individual AES 256 key which never leaves our physical control.

            The obvious downsides are we still need a small server room so can't go full crazy cloud and we are responsible for backing up the keys securely.

            The legal beagles have gone through this setup with a fine-toothed comb and barring some new case law popping up they think its good for the foreseeable future.

            1. Peter Gathercole Silver badge

              Re: Bullshit Alert

              OK. Thanks for your scenario. You're using only cloud storage, I can understand that. Encrypted as it goes to/from the cloud, and never actually used in the cloud. Cheap storage, but to do any volume analysis, will be very expensive on data transfer costs.

              But actually running the application in the cloud? Or using cloud-based desktop (not mentioned here, I'm extrapolating)? In these cases, the keys need to be in the cloud.

              OK. Encrypted region within a cloud domain? You're trusting the cloud provider cannot be coerced to hand the data and the keys over to some TLA or hacker, and backed up by a warranty which will not exceed the cost of the service (even if you can prove that the data's been nabbed?) This cannot be considered a good move.

          2. Anonymous Coward
            Anonymous Coward

            Re: Bullshit Alert

            I'm sure I must have missed something, so I'm asking for someone to point out where I'm being stupid?

            -------------------------

            No, you are right.

            As for the keys, the US agencies can simply demand the decrypted data from Amazon, under the CLOUD act. And IIRC, Amazon can't tell anyone they have handed it over.

        4. Anonymous Coward
          Anonymous Coward

          Re: Bullshit Alert

          If those records are being kept in servers on US soil, then they are absolutely in scope and will remain so. Further, if the Patriot act is invoked to get at those records, nobody outside of Amazon will be told.

          However, if those records are encrypted and the keys aren't available to Amazon, then what the government would get is a bunch of encrypted data.

          ---------------------------------------------------------------------------------------------

          And how are the keys not going to be in the cloud servers delivering the applications?

          And the CLOUD act says US agencies must have access to any data available to any US corporation, no matter where it resides.

        5. Alan Brown Silver badge

          Re: Bullshit Alert

          "If those records are being kept in servers on US soil, then they are absolutely in scope and will remain so"

          It doesn't matter if they are on US soil or not. if they are kept on servers operated by a US _COMPANY_ then they are in scope.

          And by "US company" - I mean "any company which does business and has an office in the USA", which includes a surprising number of European outfits.

      2. Local Laddie

        Storing PII Data in AWS (S3)

        When selecting a location to store your Data on AWS - You need to choose a region (which has multiple redundancy) and your data is then stored in physical data centres in the geographic boundaries of that region (Region EU-West-2 is the UK).

        My understanding of the US Patriot Act is that it currently does not apply to data and data centers physically in the UK.

        The US Cloud Act is may be a different matter entirely!

        1. Tom Chiverton 1

          Re: Storing PII Data in AWS (S3)

          "EU-West-2 is the UK"

          Not for long!

          #Brexit

          1. JaimieV

            Re: Storing PII Data in AWS (S3)

            London's leaving the UK?

            1. BebopWeBop Silver badge

              Re: Storing PII Data in AWS (S3)

              Well it will not be EU!

            2. boltar

              Re: Storing PII Data in AWS (S3)

              >London's leaving the UK?

              There are some genuine ... umm, lets be nice and say "confused" people who have mooted it. Whatever you may think of Brexit the idea of London becoming a self governning city state is absurd and would be a disaster for everyone except rich financiers. Who could clear off to their 2nd homes in their helicopters anyway when the food and water started to run out.

              1. tfb Silver badge
                Alien

                Re: Storing PII Data in AWS (S3)

                You have this all wrong. London is going to become part of Scotland, and will then join the EU as such. The current sticking point is whether Scotland will need a long tendril which reaches down to London (the A1, in other words) or whether topologically-disconnected countries are OK (when not separated by sea).

                1. Ken 16 Silver badge
                  Paris Hilton

                  Re: Storing PII Data in AWS (S3)

                  I thought England and Wales were leaving the United Kingdom???

            3. charlieboywoof
              Coat

              Re: Storing PII Data in AWS (S3)

              Its not in the UK

          2. easytoby

            Re: Storing PII Data in AWS (S3)

            "EU-West-2 is the UK" - yes, London.

        2. robidy

          Re: Storing PII Data in AWS (S3)

          Correct me if I'm wrong but the US Patriot Act covers US corporations regardless of server location.

          The act covers corporations not their location...otherwise there would be some massive data centres in Canada and Mexico to avoid it.

        3. Alan Brown Silver badge

          Re: Storing PII Data in AWS (S3)

          "My understanding of the US Patriot Act is that it currently does not apply to data and data centers physically in the UK."

          Your understanding is flat out wrong.

      3. easytoby

        Re: Bullshit Alert

        I assume they will be on a London AWS instance(s), not US

  2. Martijn Otto

    Cloud of Confusion

    I've always wondered whether people who consider this kind of cruft to be a good idea have cloud formations inside their own head where the gray matter should be.

    1. John Brown (no body) Silver badge

      Re: Cloud of Confusion

      For that matter, do Amazon have BitBarns inside the post_Brexit borders?

      1. jamesdagger

        Re: Cloud of Confusion

        Yep. eu-west-2 region aka London.

  3. Craig (well, I was until The Reg changed it to Craig 16)

    Interoperability be damned

    "Part of the aim is to encourage new businesses into the market, which is currently dominated by four suppliers – TPP SystmOne, EMIS Web, INPS Vision and Microtest Evolution – and offer care providers greater choice"

    Snake-oil sales-cretin: "Choose our fandabbydozy clinical system and it'll make your life wonderful! Guaranteed a billionty one times better than EMIS/SystmOne (others are available) at getting patients in and out faster!"

    (small print around 1 point text and in white on white: "This clinical system will barely co-operate with your printers and will certainly never work with any other NHS clinical system outside of manually retyping things between computers. Oh and don't try to install it on anything other than Windows Millenium Edition with an obscure 2005 release of Java and open access to t'interweb.)

    There must be a hard interoperability clause in any clinical system approval into the NHS. If it can't talk to the core clinical systems already approved then it doesn't get in the door.

    1. sebbb

      Re: Interoperability be damned

      What if I tell you that SystmOne ship with its own "hidden" JRE version 1.6.0_04?

      And there is no other clinical software out there that's less crap than these four.

  4. Pascal Monett Silver badge
    Stop

    Just a minute there

    It starts out by saying "unprecedented levels of protection", and then we get this :

    "Clinicians working in any location with any third-party technology will be able to view and share vital patient information safely and ethically"

    So you're telling me that any 3rd party app is going to be able to hook into this data container that has "unprecedented levels of protection" ?

    Because zero protection is not exactly unprecedented, and anything more is going to be a big hassle for 3rd party apps to be able to use.

    1. Commswonk Silver badge

      Re: Just a minute there

      Clinicians working in any location with any third-party technology will be able to view and share vital patient information safely and ethically

      More bullshit. The upshot of the above is that individual patients' data can finish up <Deity> knows where with no protection whatsoever. Will all this "third-party technology" be properly and securely tracked? Not that that would prevent the leaking of patient data, of course.

      Dreadful idea... <shudder>

    2. JohnFen Silver badge

      Re: Just a minute there

      Don't worry! Those third party apps will have to engage in authentication to ensure they're authorized. They recognize that this poses an addition burden on app developers, though, and so to mitigate that they've decided the authentication will be a simple, standardized password: "password".

      1. DavCrav Silver badge

        Re: Just a minute there

        "standardized password: "password"."

        That's hideously insecure and now deprecated. We know that all passwords need a number and a capital letter. The new standard is 'Password1'.

        (This is not actually a joke. A friend of mine used the password 'guitars' until he was forced to abide by new rules. He chose the password 'Guitars1'. Much safer. I was unsuccessful in convincing him it was not that much safer.)

        1. JohnFen Silver badge

          Re: Just a minute there

          "I was unsuccessful in convincing him it was not that much safer."

          I believe you're mistaken in saying "not that much safer". In reality, it's not any safer at all. But you're dealing with someone who is using a single word (that's in the dictionary, no less) as their password -- so obviously they couldn't care less about being secure in the first place.

    3. Doctor Syntax Silver badge

      Re: Just a minute there

      "unprecedented levels of protection"

      It's probably a fair description. It's just unprecedented in a way you don't want it to be.

  5. A.P. Veening

    Switch over

    "A spokeswoman said the transfer would be module by module, not a whole system switchover, which El Reg presumes is meant to reassure folk there won't be an IT disaster involving the billions of health-related documents held by EMIS."

    This isn't reassuring to me, I foresee databases getting out of sync. And that is going to be extremely nice when one medication interacts with another and the prescription for each being in a different database due to that out of sync situation.

    I've already seen similar things in a previous job. Fortunately, it didn't involve medication and lives. And due to a confidentiality clause in my contract, I can't tell anything more about it.

  6. sad_loser

    Half-baked babble

    This is going to go catastrophically wrong, and will be a magnet for ne'er do wells.

    There are companies in this space who operate private clouds and that is fine - I even think it is fine to have cloud based back-up, and I could see a role for cloud-based dockers providing the front end, but hosting the data? I don't see this ending happily - there is a reason the banks are not on the cloud.

    1. Doctor Syntax Silver badge

      Re: Half-baked babble

      "I even think it is fine to have cloud based back-up"

      What about all those reports of stuff found hanging out online unencrypted and unsecured which turned out to be cloud based back-ups. And even if properly secured still vulnerable to US "we own the world" legislation.

  7. Severus

    Shifting patient records to the cloud requires approval from NHS Digital

    This would be the same NHS digital that presided over the Wannacry Clusterphuq that affected 45 NHS organisations including at least 81 out of 236 trusts across England plus a further 603 primary care and other NHS organisations including 595 GP practices would it? Well they obviously couldn't find their own @rses with both hands and a mirror on a stick, so should NOT be making this decision, the security services should be responsible for ensuring the data is secure. As it stands I may as well put my own health records up for sale and get a couple of quid for them because sure as the sun sets in the evening these records WILL be compromised and sold to the highest bidder.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shifting patient records to the cloud requires approval from NHS Digital

      NHS Digital have no say over trusts at all, they definitely have no say of GP practices, the majority of which are private businesses. As it stands it is always best to check facts before you go off on a rant.

      1. Doctor Syntax Silver badge

        Re: Shifting patient records to the cloud requires approval from NHS Digital

        "As it stands it is always best to check facts before you go off on a rant."

        Never. It just gets in the way.

      2. sebbb

        Re: Shifting patient records to the cloud requires approval from NHS Digital

        It depends, because although lots of GPs are private businesses, they are often fed IT by a CCG/CSU, which are quite rubbish in some things (just to mention, Wannacry problem was that there was no firewalling on the private network routers between WAN and GPs LAN, i.e. tcp/139 and 445 open for fun!)

        1. easytoby

          Re: Shifting patient records to the cloud requires approval from NHS Digital

          The EMIS contract claims that EMIS owns the patient data anyway, claim the customer is renting from EMIS.

      3. Dan 55 Silver badge

        Re: Shifting patient records to the cloud requires approval from NHS Digital

        NHS Digital have no say over trusts at all, they definitely have no say of GP practices, the majority of which are private businesses. As it stands it is always best to check facts before you go off on a rant.

        So what are they there for then?

  8. alain williams Silver badge

    USA Patriot act

    Amazon is a USA company and thus subject to the Patriot Act, so once it is on their servers it would, if asked by the USA government, have to hand it over.

    1. Anonymous Coward
      Anonymous Coward

      Re: USA Patriot act

      The Amazon they are dealing with probably isn’t Amazon US though so the Patriot Act would have no force. The same way Microsoft aren’t handing over data on servers in Ireland, different company for tax also means diffe4ent company legally.

      1. Doctor Syntax Silver badge

        Re: USA Patriot act

        "the Patriot Act would have no force"

        But the CLOUD Act would.

      2. SImon Hobson Silver badge

        Re: USA Patriot act

        Would that be the same Microsoft that "just handed over" data located on servers in Ireland once the US passed the CLOUD act ?

        https://www.theregister.co.uk/2018/04/04/microsoft_agrees_doj_cloud_act_renders_email_battle_moot/

        As such, the Feds issued a fresh warrant under the CLOUD Act instead and – hey presto – Microsoft responded.

        If there was the legal and technical separation claimed, then Microsoft in the US would not have been able to access the data, and Microsoft Europe would have refused to hand it over. Also, the recent SNAFUs affecting Microsoft's authentication services prove that there is no technical separation as claimed since an outage of a server in the US would be unable to affect users not supposedly connected to the US. If a user authenticates using a server in the US, then subverting that authentication process can over-ride any supposed technical separation.

      3. Alan Brown Silver badge

        Re: USA Patriot act

        " The same way Microsoft aren’t handing over data on servers in Ireland"

        Wrong. The reason MS aren't handing over data in Ireland is that the Patriot act hasn't been invoked.

        If it is, then they have no choice and they will in a heartbeat.

  9. Making Bacon
    Facepalm

    What could possibly go wrong ..?

    1. Dan 55 Silver badge

      All 40 million records spill out of an open S3 bucket...

      1. BrownishMonstr

        The alternative is they put it on their servers,and since it seems like they're being cheap asses, I'm sure this is better. Although how much better, I'm not quite sure.

  10. Oor Nonny-Muss

    This is the same EMIS...

    ... that want me to pay out £30k so they can provide a system that will run on a 64 bit OS (I regard this as a bugfix, not an enhancement)

    NHS needs to tell these charlatans who the customer is here

    1. Oor Nonny-Muss

      Re: This is the same EMIS...

      That £30k is on top of the £42kpa they get to support it (I use the term support because that's what the contract says it is)

  11. JohnFen Silver badge

    Red flag

    "unprecedented levels of protection"

    When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed.

    1. Commswonk Silver badge

      Re: Red flag

      When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed.

      With all sorts of people having "legitimate" access to the records I'm not certain that any flaws in the inherent security will actually matter that much. The greatest vulnerability will be end users, and will be down to stupidity rather than malice.(Hanlon's Razor)

      1. JohnFen Silver badge

        Re: Red flag

        "The greatest vulnerability will be end users"

        If this follows the same pattern as 80% of security issues, it isn't the end users that will be the biggest weakness, it will be the employees of the agencies that have access to this data.

      2. Anonymous Coward
        Anonymous Coward

        Re: Red flag

        With all sorts of people having "legitimate" access to the records I'm not certain that any flaws in the inherent security will actually matter that much. The greatest vulnerability will be end users, and will be down to stupidity rather than malice.(Hanlon's Razor)

        --------------------------------------------------------------------------------------------

        Except, of course, for the foreign and local government agencies, and the criminal groups, who will just take *all* the records.

    2. Doctor Syntax Silver badge

      Re: Red flag

      "When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed."

      When I seem them I look carefully at the alternative meanings that can be attached. e.g."you've never seen anything this poor".

    3. Lotaresco

      Re: Red flag

      "unprecedented levels of protection"

      Having no protection at all is unprecedented.

    4. The Real Tony Smith

      Re: Red flag

      "unprecedented levels of protection"

      When I see hyperbolic statements like this in relation to security issues, I get very, very suspicious that the security is flawed.

      Me too, I remember some time ago I was looking at dongle based software protection only to be told by one vendor that they used 'Military Grade Security'.

      Having been in the military in the past I immediately deleted their email and went to another company who were happy to specify which algorithm and key length they used.

    5. Anonymous Coward
      Anonymous Coward

      maybe

      but flawed at a level that's never been seen before though

  12. Anonymous Coward
    Anonymous Coward

    Nope

    (1) You can google the locations of Amazon data centers, take a look at GDPR and maybe Caldicott Two and work out where the data will likely move. This is a groundless worry.

    (2) EMIS are notoriously unhelpful in providing legitimate access to their data. Moving platforms doesn't really affect this either way - it's not relevant.

    (3) Synchronisation of multiple data sets is technically trivial. EMIS have done this for years, just like everyone else.

    (4) There's no vector from that bored NHS employee's obsolete desktop browser to the existing EMIS data. I thought people here were technical. Stringing together a bunch of jargon words doesn't make a rational point.

    Is that the best you can do?

    1. Doctor Syntax Silver badge

      Re: Nope

      "You can google the locations of Amazon data centers, take a look at GDPR and maybe Caldicott Two and work out where the data will likely move. This is a groundless worry."

      What precautions do they have to move stuff out of scope of the CLOUD Act and anything else the US Govt. will come up with when it can't get its own way?

  13. TrumpSlurp the Troll
    WTF?

    Someone else's computer

    Is still a computer on the Internet.

    I don't see how moving to a cloud makes any difference in ease of communication and integration.

    In fact, it shouldn't.

  14. david 12 Bronze badge

    "encourage new businesses into the market"

    By shifting to AWS.

    Because surely Amazon is just one of many new businesses competing in that space?

    1. rmason Silver badge

      Re: "encourage new businesses into the market"

      In our experience AWS have the pricing nailed. It's hardly a surprise.

      The entirety of this strategy/announcement can be summarised like this:

      We need to replace the kit at the datacentre(s). It's going to cost £Incredible_Sum, or we can go to AWS who will charge us £Incredible_sum-%10

      It is as simple as that, the rest is fluff and waffle.

  15. Anonymous Coward
    Anonymous Coward

    Would be interesting to see the DPIA for that move.

    As with all cloudy type moves it is entirely possible for this to be done safely, legally and transparently. I just have little confidence that it'll happen with this project.

    But don't worry your politicians have every confidence in 'cloud'. They have utterly no understanding of it but have every confidence that their stocks in technology providers will keep going up.

    As for your data and privacy, who gives a shit about that? If you're using the NHS please hurry up and die to stop using up so much of your politicians precious pennies.

    1. Barnstormer

      You're assuming that a DPIA has been completed... Who could we ask?

  16. Anonymous Coward
    Anonymous Coward

    You're stuff is going in the cloud regardless of this.

    Hospitals are frequently using free services e.g. dropbox for stuff already and yes that includes PII on occasion (sometimes encrypted files, sometimes not).

    Media has not woken up to this yet. There are also health services looking to use Office 365 which means all their admin stuff being punted into the cloud wholesale.

    1. Anonymous Coward
      Anonymous Coward

      Re: You're stuff is going in the cloud regardless of this.

      Hospitals are frequently using free services e.g. dropbox.

      They are blocked on N3. If someone was to invent a new one, that would be blocked too, first locally and then nationally after enough Information Security Officers report it.

    2. ibmalone Silver badge

      Re: You're stuff is going in the cloud regardless of this.

      Hospitals are frequently using free services e.g. dropbox for stuff already and yes that includes PII on occasion (sometimes encrypted files, sometimes not).

      And their local rules will tell them not too unless encrypted. My employer is a university and even we have that.

    3. Dan 55 Silver badge

      Re: You're stuff is going in the cloud regardless of this.

      Of course. If it's not because 1) the IT dept can't make basic services work so employees have to work around the problems created by the IT dept, it's because 2) the IT dept themselves willingly outsource everything to Office 354 or 3) someone starts and has to make their mark.

      1. 0laf Silver badge
        Childcatcher

        Re: You're stuff is going in the cloud regardless of this.

        But doctors can use their own equipment (BYOD) in many trusts and they like dropbox and Whatsapp so you can have some certainty a lot of PII is in those cloudy shitboxes as well.

  17. steviebuk Silver badge

    Say goodbye...

    ...to SQL access to that data. Cloud is useful but too many companies consed access to the provider for some weird reason. I know of such a place who gave some of their databases to a company to manage. Then the inhouse dev team needed access and it was a

    "No".

    What? But it's our data.

    "So, you still can't have full SQL access. Just use that low code shit you've been given".

    What? So I have to waste time making a basic front end just to be able to access the data in our own database, because you won't give us a remote access SQL solution?

    "Yep"

    Is this because you just don't want to have to provide us, free of charge, an RDP solution to SQL?

    "Not saying anything".

    But the low code software is quite basic compared to SQL so the data we get back isn't great.

    "Don't care. We have your money now".

    So the answer is. Put your database's in the cloud if you wish but DEMAND, before you sign the effing contract, to have full SQL access if/when needed.

  18. ibmalone Silver badge

    Going to make life interesting for the rest of us

    If the NHS decides patient data can be moved onto cloud storage, those of us who have maintained that it's a bad idea for PII we look after are now going to have to work harder to justify that stance. Barring, of course, some absolutely stupendous disaster, but I suspect the real problem will be that smaller operations are going to be more likely to slip up. At least EMIS may have sufficient resources to make sure it's secured at all points.

  19. Anonymous Coward
    Anonymous Coward

    new IBM

    "Nobody ever got fired for choosing IBM Amazon Web Services"

    Except, at least, with IBM, incompetent third parties were generally not involved?

  20. adam payne Silver badge

    EMIS Group is one of four principal suppliers to the NHS. Its health suite is used by 10,000 organisations and holds more than 40 million records. 40 million records going into the cloud, what could possibly go wrong?

    Shifting patient records to the cloud requires approval from NHS Digital, so there isn't a timeline yet, It will be rubber stamped by NHS Digital without any discussions regarding security.

    1. Anonymous Coward
      Anonymous Coward

      Of course it'll be rubber stamped, they'll claim it'll save money = job done.

      Doesn't actually mean the end result will be savings though..

  21. Marketing Hack Silver badge
    Big Brother

    "bake in voice recognition and AI so applications can listen in to patient-doctor conversations"

    Um, did anyone else catch this? Fine, if those recordings are immediately destroyed, and are do not somehow become subject to access by criminal, civil, intelligence-gathering, business or regulatory proceedings.

    "Hey, we found that so-and-so was struggling with medical condition X, so we declined to hire/promote/keep him onboard."

    1. Anonymous Coward
      Anonymous Coward

      Re: "bake in voice recognition and AI so applications can listen in to patient-doctor conversations"

      "Hey, we found that so-and-so was struggling with medical condition X, so we declined to hire/promote/keep him onboard."

      ----------------------------------------------------------------------------------------

      And in the real world:

      "Hey, we found that so-and-so was struggling with medical condition X, so we should offer his father/wife/daughter, who works for YZ, enough to pay for treatment if he gives us the right files and passwords."

      There is a reason the same hackers went after millions of records from all of:

      1, The US government's Office of Personnel Management's dossiers for security clearances

      2. Travel records for the biggest travel services (used by the government)

      3. The health records of more than 100 million US citizens, from health insurance providers.

  22. cam

    Sounds like a DPA breach to me. That data is being shared without patient consent outside of the organisation.

  23. Dan 55 Silver badge

    Having trouble reconciling the headline for this story with this other one:

    Foreign hackers have tried to access the genetic blueprints of thousands of NHS patients, say officials

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019