- Making opt-in the default instead of opt-out...
- Obeying all relevant privacy laws...
- Informing people in clear (no legalese) language who has access to their data, why and what they're doing with it...
UK firms are being asked to pitch digital solutions to "overcome privacy challenges" related to the increasing use of data in the health sector as part of a £9m competition to boost the NHS's use of technology. The cash is for firms that want to do collaborative or early stage development work on digital tools or solutions …
Or just employ some ex Cambridge Analytica staff. They know how to say nice things such as, "Your data is perfectly safe with us" while meaning exactly the opposite.
Hell, pay me £9m and I'll even write a ChatBot for the NHS that they can put on their website to reassure
consumers customers patients taxpayers
- Your data will never be shared outside the NHS without your individual, informed consent.
And spend the £8m on researching how to safeguard 'anonymised' data, especially when aggregators have the potential to combine ID128731623 with other personal data they hold to come up with a pretty good idea who that 'anonymous' person is.
Hello, Moorfields Hospital and their decision to share patients' data with Google..
>Your data will never be shared outside the NHS without your individual, informed consent.
Include a few million generated accounts so miners can't tell if a non-response to access requests means useless zombie data or a real patient who doesn't consent.
....admittedly that's Facebook now, but I'd guess that advertisers there are less concerned with sample validity than the researchers hoping to get their latex gloved paws on our NHS data.
That's a bit old fashioned. They don't hand contracts to Capita by default anymore; they changed the rules on bidding for contracts.
What I think they should do is split the £9million up and give it 9 companies owned by Capita, so that they can go over budget and deliver too little too late.
It's the modern way.
This article reads like one of those BOFH stories that begins:
So the boss wheezes in, all a dither about an article he's read in "I.T bigshots weekly".....
So the government is saying:
"we've got a phat stack of cash here for anyone who wants to do some of that amazing techy stuff for our NHS, you know, get us some Apps up in here, or a cloud maybe. Oh, and let's get some of that Big Data we read about. And if there's time let's buy a blockchain."
There's a whole lotta buzzwords there.
To me, it's blindingly obvious what the first step to any kind of NHS I.T. reform would be - Standardise.
Currently you have 50 odd trusts doing what the hell they want, all buying in one Patient admin system after another, none of which talk to each other, and so you have the situation on the news last week - ambulance crews saying "if we end up at a different hospital we can't access patients' records"
For Fuck's sake! That's basic shit, surely.
Think of the duplication of effort going on.
It's like herding cats....
> They seem to be doing a lot more joined up work than NHS England, yeah being smaller obviously helps them but they have a lot of cross-trust (board?) systems now and seem to be heading ever more down that route.
Ehhh, maybe going forward into the brave new world. The stuff that's actually running here and now - not so much.
"Currently you have 50 odd trusts doing what the hell they want "
207 care commissioning Groups,
35 community providers,
10 ambulance trusts
~7500 GP Practices.
AND 853 independent commercial and non commercial organisations providing care on behalf of the NHS
All doing their own stuff buying their own solutions and creating their own Silos
I agree with centralisation as LONG as it is built with security first and Ministers go to Jail if there is a data breach, and data is ONLY used within the NHS for treating an individual unless individual "informed consent" is given for each use not related to that individual patient's care.
Force standardisation of the *interfaces* between systems - that does make sense.
HL7 made good inroads despite being a bit of a ball-ache to work with. Speaking as a developer I'd prefer it if FHIR got more traction. Helluva lot easier to work with especially if (as we are) you're just a consumer of data.
RESTful is way easier than getting involved in passing ASCII messages around.
I've an alternate idea.... How about we abandon tech altogether, turn our backs on it, let it rot. For a decade or more. Until security is completely re-worked and privacy is better understood and legislated for. Why not? Some Reg'ers are already doing this in part... Who's buying IoT etc?!
Otherwise enjoy getting a data proctology every time you just want to buy a f'ing ice-cream... Never mind an insurance policy (John Hancock adds fitness tracking to all policies). Meanwhile health info in a Govt silo is perfect for a China 2020 social-credit-score system in the West. * It will be abused *
"Singapore personal data hack hits 1.5m, health authority says - BBC News - Hackers have stolen personal data in Singapore belonging to some 1.5 million people, or about a quarter of the population, officials say. They broke into the government health database in a "deliberate, targeted and well-planned" attack, according to a government statement."
"The data of Prime Minister Lee Hsien Loong, including information on his outpatient dispensed medicines, was "specifically and repeatedly targeted"
"How were systems breached? It appears that a computer belonging to SingHealth, one of the state's two major government healthcare groups, was infected with malware through which the hackers gained access to the database."
The situation right now is that the NHS is being asked on many occasions to release data for research purposes yet receives nothing from the outcomes of that research. If it is used to develop a commercial tool there's no % funds fed back to the NHS - the private company and university benefit, yet the data they relied on came from the NHS.
Researchers are demanding more and more access to NHS data, in many cases asking for data which isn't properly anonymised, or entirely untouched data for research purposes.
No data is properly anonymised especially when dealing with complex medical conditions.
Combining different anonymised datasets has been shown to enable the individuals to be identified, due to matching of data intersections.
OPT in and Informed consent for each and every separate data use is the only way to go.
> OPT in and Informed consent for each and every separate data use is the only way to go.
Well said. And I've just done this. So I've donated my DNA to a research group looking at possible genetic linkages to something I've got. The consent form stated they'd only sequence a limited number of genes for the purposes of their study, and no sharing outside of the study. Ok, so that could potentially mean other researchers studying the same thing, but given some enlightened self-interest, it was good enough for me to enrol.
One clause that stood out was regarding patient access to the results. Which AFAIK would be a right anyway, but largely meaningless to a non-geneticist. Then again, DNA stripes could be turned into a personalised desktop backdrop, or CTAG<etc etc> chunks used as a personalised crypto sig I guess.
I have a nice letter from Professor Martin Severs reassuring me that the NHS has respected my decision not to allow sharing of my records with outside organisations. Except that we know that one of the NHS suppliers somehow forgot about this and sold my records anyway.
The Bio-statisticians I worked with in the 1990s claimed that they could de-anonymise my records, given a 4-digit postcode and my age decade in about 30min. *That's* why our data is valuable.
*Everyone* has something to hide in their medical records - even if you think you haven't you don't know what a potential employer might find out that means you aren't considered for a job.
NHS security model was fine with paper records - only your immediate health-care providers could access your notes. But on computer, *everyone* can access your notes. Look how insecure Police National Computer is. You think NHS data is as well secured?
"Researchers are demanding more and more access to NHS data, in many cases asking for data which isn't properly anonymised, or entirely untouched data for research purposes."
They should be told:
1. You can't have non-anonymized data.
2. If you leak it somehow, and there is any indication that anonymization can be reversed, you will be heavily fined (organizations and individuals, both) and you will go to prison for a goodly period of time.
3. If the anonymization is actually reversed, fines and prison terms will double.
Oh that £9m is mine.
Maintain a list of people: NHS trust CEO, health secretary and a handful of MoH senior servants.
Sack them all if there's a data breach.
This prize bullsht is annoying. It works well for moonshot stuff - reusable rockets where there's various billionaires funding the development.
It doesn't work for the everyday, should be doing this default stuff.
I smell a bright young PPE/Economics Oxbridgey civil servant's hand in this.
Well look at what I got as I was reading this!!
World first for Rebo the NHS Research Bot!
This month, CRN xxxx will be launching the world's first interactive game to tell the story of how research discovered treatments for diabetes! Taking Rebo the Research Bot on a research adventure through time, players visit moments in history when medical breakthroughs in diabetes were made, collecting credits in the form of 'insulin' and 'French lilac' to help progress the science further. It is hoped that as they make the virtual journey through time, players will learn how health research is integral to finding life-changing new treatments for patients in the NHS and across the world. The game will be launched by the CRN xxx team at the xxxx Science Festival. The team will be inviting visitors to play the game and spread the word from 10am to 4pm at the xx, xx so drop by if you are in the area and please let your friends and family know.
Would this count toward the available funding?
Anonymous to protect the innocent of course!!
Let me guess the Govt are getting this work done then handing it to NHS Digital to run and manage.
An organisation formerly known as HSCIC, the organisation behind Care.Data and the release of records in an even earlier incarnation to actuaries.
AND despite their name rebrand, NHS Digital is NOT part of the NHS. They are totally separate and not answerable to the NHS and not bound by its confidentiality covenant.
My consultancy's blockchain-based system incorporating the latest cloud-based machine learning and AI will solve all of your issues.
I'm so confident of the success of this system that I can assure you of a place on the board of directors once the money is in our bank account.
- good blockchain, not the stuff you lost money on.
- cloud-based: we have set up a single test server in the cloud that offers minimal functionality to pass the demo using a stolen credit card to minimise our startup costs
- machine learning/AI: well someone has to have the brains and it's clearly not the people asking for this or us....
"...digital tools or solutions that can be used to improve healthcare provision or clinical decision-making..." means empowering beancounters and Manglement to overturn whatever the medical staff say and order the cheapest possible option ('improve healthcare provision') without having to go through the long and dreary hassle of building up the real-world knowledge and experience that would make them capable of safely controlling someone's healthcare ('clinical decision-making').
"...patient-led management..." means allowing the patient to decide what they think is best for them - so the NHS bill for painkillers and methadone will skyrocket in the short term and then tail off as the patients medicate themselves into drug-induced comas and shortly thereafter remove themselves from the NHS lists by overdosing. And it also means hospitals no longer need to employ Doctors on vastly inflated salaries* because the patients, in collaboration with the beancounters and manglement, will be controlling their own care.
*Your definition of "vastly inflated" probably differs somewhat from that of a politician...
The trouble is that the people involved with "Digital" within the NHS - and further up the chain - have little clue as to what they're asking for. It's often a case that there are simple solutions but they aren't educated enough to understand what they're asking for, or know the risks if they're given something which doesn't meet the criteria.
As a case in point I've witnessed a web application - made for the NHS - which was supposed to store data privately. The requirement being that nobody outside the NHS was allowed to access it. What they overlooked was the fact that both the hosting company and developers had full access to said database. This is probably something they didn't even consider because they didn't know how the underlying technology works. Where do they think the data is being stored? Where do they think it's being backed up to? Oh yes, they don't think, because in their minds that's the remit of Jonny Developer and totally not their concern. Even though it's their sodding data.
The NHS, and indeed the government, should start with being educated on the basics of how software/applications/the web actually work, and then take things from there. It's a very sad (unless you're a developer and want to "cash in"!) state of affairs when £9 million of taxpayers' money is being pissed away because the people that are in positions of power are so bloody thick.
There are many challenges to be addressed e.g. ....
- De-identification - more challenging than it seems since often data has to be longitudinal (maintains individual patient histories) to get the best value out of it, but if not properly performed then knowledge of one patient event can allow you to re-identify that patient's entire record
- Application Audit for created initiatives/devices etc. Essentially data access audit at the Application level (why does doctor x prescribe drugs where the patient address matches addresses in the HR database). Scotland has invested in tools to do this. Needs to extend into these uses as well.
- Appropriate review and oversight by Data Access Committee/Research Ethics Board which have suitable skilled members (the last bit being very important) to consider the benefits and risks to proposed initiatives. As well as establishing appropriate oversight of the actual access.
As a side matter - I did work with a large hospital that was slicing and dicing data in their own data-mart for research purposes, but had also poured all the HR data into it... I said - oh so now you can compare how many patients of doctor x die versus doctor y and factor in how much you pay them, to optimise staff on a kill-cost basis!
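As an added illustration of the de-identification point in the list above and of the earlier claims in this thread about postcode plus age decade (not code from any commenter or from the NHS): a small k-anonymity audit a data custodian could run before release. The records, field layout and generalisation bands are all constructed assumptions.

```python
from collections import Counter
from itertools import takewhile

# Constructed sample extract: names and NHS numbers already removed.
# Fields: pseudonym, postcode district, age, longitudinal (year, event) history.
RECORDS = [
    ("p1", "SW1A", 34, [(2016, "asthma")]),
    ("p2", "SW1A", 37, [(2017, "fracture")]),
    ("p3", "SW1A", 31, [(2016, "asthma")]),
    ("p4", "EX4", 62, [(2015, "diabetes"), (2018, "cataract")]),
    ("p5", "EX4", 68, [(2015, "diabetes")]),
    ("p6", "EX4", 45, [(2018, "fracture")]),
]

def qi_basic(rec):
    """Quasi-identifier as released: postcode district + age decade."""
    return (rec[1], rec[2] // 10 * 10)

def qi_with_history(rec):
    """Same, plus the event history, which an outsider who knows the
    patient's events can match on just like any other attribute."""
    return qi_basic(rec) + (tuple(sorted(rec[3])),)

def qi_generalised(rec):
    """Coarsened release: postcode area letters only, two age bands."""
    area = "".join(takewhile(str.isalpha, rec[1]))
    return (area, "0-39" if rec[2] < 40 else "40+")

def class_sizes(records, qi):
    """Size of each equivalence class (records sharing one QI value)."""
    return Counter(qi(r) for r in records)

def k_anonymity(records, qi):
    """k = size of the smallest equivalence class; k == 1 means at least
    one record is unique on the quasi-identifier."""
    return min(class_sizes(records, qi).values())

def at_risk(records, qi, k):
    """Pseudonyms whose equivalence class is smaller than the target k."""
    sizes = class_sizes(records, qi)
    return sorted(r[0] for r in records if sizes[qi(r)] < k)

if __name__ == "__main__":
    for name, qi in [("district+decade", qi_basic),
                     ("plus history", qi_with_history),
                     ("generalised", qi_generalised)]:
        print(f"{name:16} k={k_anonymity(RECORDS, qi)} "
              f"below k=2: {at_risk(RECORDS, qi, 2)}")
```

Generalising the released fields raises k here only because the history column is withheld; a longitudinal release has to be audited with the history included in the quasi-identifier.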
The N in NHS stands for national and it is not as much the case as it used to be.
All these different Trusts and local groups can only look after what they control. Given that this also upsets Tories (not a bad thing), let the NHS become truly national again and adopt some national standards.
I see someone else here has observed that NHS Scotland has got it slightly more together than its southern subsidiary. Culturally and historically, Scotland has a lot lower opinion of conservatism than England. Antisocial behaviour is more likely to receive a bad reaction than advice to take up politics! Despite the efforts of the SNP (Tartan Tories), it has been less badly underfunded, less sold off to future employers of civil servants and ministers and less insulted in the media as their press is not "slightly to the right of Genghis Khan" like much of ours!
use finger print scanners for a start, to access computers, the receptionists and nurses are always leaving their cards in, in the surgery i have to clean
while they are being implemented, add a security key to them for secondary file access so you can open PDFs like PGP keys, which never leave the network
and use magnetic locks on file cabinets with classified information, they are never locked, and virgin healthcare files are always hanging around on the floor even if they have classified written on
Patient data should be stored in the health authority region it is collected in, which would normally be where the patient lives.
Releasing that data outside of the region should first be reviewed by medical records who can take note of any flags that may have been set.
Two types of data release should be made possible:-
1. An image format. To be used by other authorities who are temporarily caring for you, and is therefore not in a format that can easily be spammed about and misused in some hideous mass data gathering scenario.
2. Full data access. To be used where the patient has moved to another region.
Obviously transmission of both the image and data needs to be heavily encrypted.
No information whatsoever should be stored at a GP surgery, as that's just asking for trouble, instead the surgery has limited access to the regional records over dedicated terminals, and certainly not the laptops they're busily emailing their mates, organising the next pharmaceutical sponsored golfing holiday.
I wonder if anyone steering this thing has even thought to have a chat with the people who have cared so diligently all this time for the medical records in their charge?
From my past experience in medical records, I assume not.
1) You have a pre-existing medical condition meaning you absolutely must *not* be given Medicine X.
2) You live in London.
3) You go to Devon for a weekend break.
4) Whilst there you suffer shortness of breath and lose consciousness. Fortunately the paramedics that attend have Medicine X on board, which is ideal for your circumstances.
5) You die of a reaction to the medicine, because nobody could get clearance to view your medical records in time.
Transmission of data in the NHS *is* heavily encrypted. The focus on "overcoming" privacy concerns is not a reference to ignoring privacy, but relates to setting up systems to enable the people that *need* to see your records to get them as fast as possible. The challenge is doing this without sacrificing security of data, but it's being worked on, hence the news article above.
The idea of locking down records even more will lead to more delays in treatment and deaths.
"You die of a reaction to the medicine, because nobody could get clearance to view your medical records in time."
Ummm You could do what I do. I carry a warning card (written in English, French, Spanish and German) stating in big red letters that I am severely allergic to medicine X. Anyone attempting to identify me from the contents of my wallet would find it.
"5) You die of a reaction to the medicine, because nobody could get clearance to view your medical records in time."
In fact, you die because you are too foolish to wear a medic alert bracelet... which does not need a working phone, network or any other delays in order to function.