Streamed to a public YouTube channel...
Any word of whether the cookies relating to other YouTube use on the devices concerned were being hoovered up, potentially linking the medical information to the users' identities?
NHS Digital has opened an inquiry after patients' personal information was revealed during a live-streamed research session for a new app. Yesterday, the UK's National Health Service showed off the software application to members of the public. However, those folks were potentially unaware that the demo session was being video …
There are good reasons that only NHS England is pushing ahead with this; the other NHS bodies in the UK are very wary of going down the app route for access to medical records.
We seem to be putting a huge amount of effort and money into accessibility to information which for a vast majority of people isn't wanted, rarely requested and is soon going to be free to access if they wait for it (and it'll be delivered securely to them).
How many of us have submitted a subject access request to see our medical records? We may do it once in a lifetime or never. There ARE those who regularly request it and for them these apps maybe make sense but not for a vast majority of the population whose medical records are relatively small and incredibly dull.
I'd love to say I was shocked that the NHS would use live data for a demo but I'm really not. I worked as a contractor doing development for the NHS about 10 years ago and we used an old backup of the live database for development & testing. No anonymisation at all. The only protection was there were no records for anyone in the local area where I was working, that didn't stop me looking up the records of an ex-girlfriend from further afield to prove it was an issue.
I also worked for the Home Office at one point on a project to digitise old criminal records. Again their idea of data protection was not to include any records from the area where the work was being done. I was born and grew up 250 miles away and was able to look up all the records for my old home town going back 90 years.
This is just business as usual for UKgov.
It is not all bad. I was in a similar position, assessing some potential interventions indicated by modelling the effect of multiple stages of intervention. While we did work on real data (actually location and GP indicators were important and names were not remotely necessary to disambiguate) we were only allowed to use the analytics, including development, on site, on isolated machines, and asked to agree and sign strict NDAs. So someone was on the ball.
"Yesterday, the Health Service Journal revealed that two online private health providers have been dropped from NHS app library because NHS England decided it is no longer appropriate to promote non-NHS services."
Why was it considered 'appropriate' in the first place?
Would anyone here be surprised if those private providers were owned by friends or relatives of senior politicians or civil servants?
For years...
Why on earth does anyone think they'll change now.
They regularly breach their own guidelines, they refuse to update or use medical tests and services if they didn't design or discover them*.
They're so far out of date in certain fields that Sir Bernard Spilsbury would be appalled at their backwardness (before he was out of short trousers).
To paraphrase "They're utterly incompetent in every way"
How do I know? Personal experience.
* NDH Syndrome (not designed here). It's so prevalent in the NHS they're considering an entry in the new ICD.
"...the video stream was only available to those who had a direct link to the video, and was not searchable via YouTube or accessible without the URL."
Unless somebody involved shared the link in a public forum, then it's actually extremely secure. At least effectively so.
Tom Scott has a video about "Will YouTube run out of addresses" (+/-?), where he explains the YouTube URL addressing scheme and its relative 'address space'. He touches on the utter sparsity of it.
So, why don't you try to find Tom Scott's video by randomly trying various YouTube URL strings until you stumble across it?
Actually, try to find ANY YouTube video by random YouTube URL string. See if you can randomly get a hit.
Good luck!!
Unless somebody involved shared the link in a public forum, then it's actually extremely secure. At least effectively so.
Agreed and I suspect any information leaked is not that useful though it should not have happened.
But El Reg knew the link, so how many more were provided with it?
TB correctly noted, "...sizeable 'unless' [someone shared link]..."
But it's also multiplied by the small fractional odds of anyone noticing the shared link, those noticing actually viewing, noticing the live private data, capturing said private data, and then misusing the data. It's not surprising that nothing came of it.
Still, the initial observation is ultimately correct. Just not any significant risk, unless repeated endlessly. So corrective action to prevent recurrence is A Very Good Thing.
End users rarely think about this sort of thing. That's just life. They assume it's safe because they've not been told any different.
It doesn't matter if they've had general information, they are only concerned with this specific case.
They might panic when it's pointed out to them and all becomes clear, but not before. And IMHO it's too much to expect the rank and file to think about it. They won't. Ever.
I was recently involved in adding network connectivity to a CE marked automated PCR analysis IVD in order to integrate it with hospital patient management systems. The partner companies to which we went who are widely used to provide middleware to integrate devices with NHS IT systems were very surprised when we showed them our implementation that used Atom feeds over HTTPS requiring client & server certificates.
It seems that most of the other devices they'd integrated use unencrypted transfers over the hospital LAN with little or no access control.
I've also been in many a hospital where unprotected Ethernet ports are dotted around everywhere including in waiting rooms.
I'm never going to agree to let the NHS centralize my medical records.
Actually we know a fair bit but Infosec staff are like rare Pokemon within the NHS and are generally ignored.
Wannacry wouldn't have been possible if anyone had listened to us in the YEARS running up to it and I'm not even talking from a patching perspective, ingress routes were highlighted as problems over and over... but nobody wants to listen to those at the coal face. We're just too damn low in the food chain.
At least until the **** hits the fan, then we're suddenly in demand for a few months until the public forgets about it, then back to minimal resources we go.
If any of these apps are being used to assist with diagnosis or to direct treatment then they are medical devices and as such are required to have been developed to the ISO-13485 standard under the Medical Device Directives and have received a CE mark.
If they have not received a CE mark, then it is a criminal offence to use them in a clinical context.
https://www.bsigroup.com/en-GB/medical-devices/our-services/iso-13485/
...doctors, nurses and consultants in an A&E department insisting on the generic login account they use on each PC having its user name and password stuck to the monitor for all patients to see, then this doesn't surprise me. Granted they are very busy and I understand why they do it (if you're on a nightshift and don't know the generic login with no IT available) but still not great practice.
Also shows how messed up the NHS is when in IT you get a request to move a massive PACs monitor from another building. You get there and no one even knows the department exists despite there being a sign in reception pointing to the department. You ask the person over who organised it because your ID doesn't work in said building (like most areas). Turns out their ID also doesn't work. Great. You eventually find said PACs monitor which isn't massive as stated. You then get chatting with the nurses who explain IT were over earlier but just took the keyboard and mouse. Really!? The guy was massive we were told, and there were two of them.
So turns out they were just being lazy and didn't want to move the monitor. Force the contractors to do it instead despite that not being what they are paid for.
You eventually get it to the building required and told "Your contact there is Dave. He'll sort you out". We get there. Dave knows nothing about it. Then eventually twigs it might be something relating to what was happening earlier so points you to the location it needs to go to. Yet this location doesn't have a lift yet this monitor is kinda heavy. Eventually get it into its place and done.
The lack of communication and everyone just out for themselves (IT palming the crap job they couldn't be bothered to do onto the contractors) is what annoys me about the NHS.
May not be so relevant for the article but it's NHS related and I needed to rant.
There isn't one.
There's one in Scotland, and one in England, and although they were (originally) both set up in the same year, i.e. 1948, they're wholly different and quite separate organisations.
I'll bet that many people out there not only know that Scotland has its own quite separate civil and criminal justice legal systems, but also that the drink/drive limit in Scotland is just over half of that in England and Wales. "Even" the BBC weren't aware of that when they produced an hour-long programme with multiple references to the "UK drink/drive limit" throughout... :-(
I know that NHS Scotland and NHS England are separate and work in different ways (such as free prescriptions, for example), but, even before devolution, was/is there no such thing as an, even nominal, NHS UK that they were/are a part of? (Genuinely just curious.)
(I can understand the situation in Northern Ireland being entirely different, because for complicated, and probably hornets-nest-poking-like reasons, just about everything has always been different there.)