NHS Health Records Breach: The Need To Give People Control Over Their Data

700,000 patient health records shared by HSCIC despite explicit written objections from every one of those people.

The body responsible for releasing NHS patient data to organisations including insurance companies has admitted information about patients has been shared against their wishes, it has emerged.

Requests by up to 700,000 patients for details from their records not to be passed on, registered during preparations for the creation of a giant medical database, have not been met.

But the Health and Social Care Information Centre (HSCIC) told MPs that it ā€œdoes not currently have the resources or processes to handle such a significant level of objectionā€ and it also encountered technical issues over logging the preferences.

The UK ā€œCare Dataā€ program is a sham and a shambles, and this contempt for patient privacy and safety - apparently because they couldnā€™t handle the massive number of objections from patients - underlines the need for individuals to have direct control over who can access their data, in all fields, not just the NHS. For example, see: My Health SAFE (Programmer/coder Questions)

Governments and corporations can not be trusted to protect our data from theft, abuse, or even to keep their word on how it will be handled.

Their servers are always going to be vulnerable, and centralising data this way makes them an irresistible, high value target. This was demonstrated yet again yesterday, as the US government revealed the theft of 4 million government employee personnel records, which included sensitive personal and security information, including security clearances back to 1980.

14 Likes

Just came across this related article, which seems to highlight as with your post the glaringly obvious use cases for Safe by Govt:

3 Likes

Assume that data can be controlled by the patient.
You go to the hospital, let them use it, and in order to do that, they need to make a copy. The same or next day, a copy leaks out.
Or, someone falls in coma, they send him to the hospital where no doctor can access his data.

It may be decades before improvements are made to the current processes.

One copy leaking it is unfortunate, but much less likely, and far less of an issue than the kind of bulk data thefts, or deliberate sharing, that are becoming routine.

The coma situation and so on are issues that need to be balanced, and can be addressed if necessary, without putting all patient data on one central database accessable remotely by thousands, and shared for unknown purposes, to unknown bodies, or sold off to corporations without individual consent - as in the OP.

Simply decentralising would make things more secure.

I donā€™t assume thereā€™s any problem that canā€™t be solved while creating a system that makes personal data much more secure.

In the present setup, centralising creates such a high value target that it is impossible to defend. Not just against theft and hacking, but even against placing too much temptation in the hands of those in charge, to abuse, sell etc (legally or otherwise). Two very clear centralisation risks.

If you donā€™t agree centralisation is a fundamental problem, what do you see as the value of SAFENetwork?

1 Like

I said that it will take decades before new decentralized technologies can integrate with government-organized healthcare.
For any technology to be used by the government (or in ā€œpublicā€ healthcare) it must be certified/validated/approved by the govā€™t.

Decentralization is necessary and SAFENetwork can help. Iā€™m pointing out that the bottleneck is not the technology, but the system.

2 Likes

Certainly it will take some time, but in decades it will be irrelevant. I think is itā€™s feasible for things to happen quickly, not least because SAFENetwork or similar technology will either fail or prove itself quite quickly. Once it is working and there is a platform that delivers as we expect, all it requires is for developers to get wise to what they can do with it. It will be such stand out, and easy to apply tech, that things could happen very quickly after launch.

Weā€™ve seen what happened with the web between 1994 and 2004 (Netscape 1.0 was 94). I think this will move much quicker. Governments wonā€™t be the first, but that doesnā€™t mean it will take decades.

People like us could be in quite some demand! :slight_smile:

Here in the US it happens every day with the current corporate caretaker role where personal health information (PHI) is used as leverage to keep patients in their system and also to keep doctors stuck in a system controlled by the corporate body. It is almost impossible to get complete, update information about patient when they have been seen by providers in other systems. I get random faxes of copies of copies of information about patients that make it obvious Iā€™m only getting a fraction of information they have on my patient who wants me to view all of the info like labs, imaging, previous procedures.

I think this loss of privacy between patient and provider (doctor) is the most destructive element to modern computerized medical technology. This myth that PHI controlled by the individual is impossible because of cost, security, and dependability is quickly dissipating as SAFE becomes better understood. I predict personally controlled health information (PCHI) is so disruptively innovative it will be unstoppable and will likely be demanded by patients and creators of PHI (Like doctors). I can tell you as a medical provider I donā€™t want the caretaker role of PHI and I as a patient I definitely do not want government/corporate states to be the caretaker of my PHI.

3 Likes

I added up the number of reported personal health information (PHI) breaches a month ago or so and it was over 120 million (Over a third of our entire country population) U.S. Department of Health & Human Services - Office for Civil Rights

It is amazing how quickly a centralized approach to data quickly becomes destructive. @happybeing thanks for the reference. This is one of many reasons I am so passionate about taking our PHI (Creators and patients) back and keeping it like Hippocrates intended (Hippocratic oath) ā€˜secret.ā€™

3 Likes

NHS England hit by ā€˜cyber attackā€™

NHS services across England have been hit by IT failure, believed to be caused by a large-scale cyber-attack.

If memory serves, David and Nick had discussions with the NHS a couple of years ago, about securing patient data.

5 Likes

Yes, unfortunately security was at that time almost a zero concern. Workload etc. was a much higher issue, so anything that made things easier was priority. I am not surprised really that this happened and I think we will see more again in public companies who are stretched to breaking. Research, security and care seem to be the first casualties of a system that becomes cash poor and has their resources stretched.

5 Likes

Yes, seems like the hack was much wider than the NHS:

3 Likes

Can safecoin present a cost-recovery model for secure storage?

2 Likes

Well it should make access to data certain regardless of your PC, however we would need to spend time looking at what an infected client could do. It looks like it should be much better, but that may mean thereā€™s a much larger issue we donā€™t see just yet. The attack vector should be different for sure though. If an attacker got to a client they could delete stuff, but a client could undelete it (roll back MD etc.). So I imagine SAFE should be able to help a lot, but this local OS thing is a PITA and the edge cases of infection are so wide that itā€™s not easy to reason about it all. I feel we do need to have a real movement to a secured OS and hardware combination really. If we do that (as a society) then SAFE can secure the network part. Then it gets much more interesting and easier to reason.

10 Likes

Previous versions of this virus would encrypt network drive content too. With thinking about when fuse mounts are currently being experimented with.

1 Like

Solution is for SAFE NFS to ensure file histories are preserved as immutable data. = Ransomware Killer

5 Likes

Yes, that would be a perfect solution!

1 Like

so who gets first mover advantage?