
NHS Data Confidentiality #Fail

I have been on an interesting and lengthy journey through the NHS IT project and the data that is (or is not) held on me. In 2007 my wife and I lodged with the GP our objection to our medical data being uploaded from the GP practice to a central NHS database. Given the ability of National Government bodies to lose personal information I wanted to have as little as possible to be lost. This was all accepted and done, and then the Summary Care Records farce began. If you want to read more try these:
The big optout campaign
NHS Statement on opting out
Computer Weekly’s view on matters
And their report on Janet Street-Porter’s article

Frankly I think that it is more likely that either
a) an inaccurate SCR will cause my death or injury, or
b) my medical data will be leaked to someone who has no need to read it
than my being injured/killed as a result of no SCR being held.

Think about it – when you arrive in A&E you’re mostly conscious, or have conscious friends/family with you. If neither occur, then emergency life saving procedures rarely run the risk of killing you with the wrong thing, yet an inaccurate SCR (and there are reports of significant inaccuracies – I’ve seen numbers like 1 in 10 bandied around) will be taken as Gospel and used. I’d much rather the well understood and exercised defensive A&E practices kept me alive. That link also includes the observation that there is “No evidence of safer care”.
Nor is it clear who is responsible for errors and ensuring that the records are corrected.

If you have a serious allergy (some of my family members are allergic to penicillin) then an SCR will not prevent A&E killing you with the wrong substance if you are outside the scope of the SCR (say Ireland, Scotland, Europe, Asia…. anywhere outside England & Wales in fact).
Besides, really, if you have a serious allergy or similar then wear a medical alert bracelet!

But back to the point – the website detailing what can and cannot happen with your records seems to have a contradiction at its core.
On the page detailing Access to medical records it is stated that “Access to a patient’s demographic record does not require a legitimate relationship.”
Yet, when you click on the link from the words “Legitimate Relationship” you go to (surprise surprise) the Legitimate Relationships page, where you get the statements
“A legitimate relationship (LR) is an electronic record stored on the Spine. It details the care relationship between a patient and a healthcare professional (or group of healthcare professionals).
It is used to restrict access so only the healthcare professionals involved in the patient’s care can access clinical information”

So which is it?  Can anyone read my records, or only closely involved medical staff – I’ve asked, maybe you should too; and in the meantime maybe you should opt out of the SCR process too.


Dear @Google, just how much Wi-Fi data did you take; and did you decrypt?

Firstly – please note I am happy to be educated about Wi-Fi in the comments!
We recently visited my sister in law and family (see previous article for why); and as I wanted to do a bit of data work on my phone, I asked if I could hook myself up to their Wi-Fi (that I set up a few years ago when they first got it).
We were planning a couple of journeys so I fired up Google Maps and was then surprised to find that my location was showing as accurate within 40m, but in totally the wrong part of town.  Then a penny dropped.
My sister in law and husband moved this year.
So Google had recognised the Wi-Fi data that they had taken on the street view crawl.  Now I don’t profess to be a Wi-Fi cryptography and protocol expert; but:
  • my in-laws’ network does not broadcast SSID
  • and is encrypted with WPA2-PSK
  • the data taken by Google was allegedly very small (just how long was the Street View car in range anyway?).
So how on earth did they get enough useable information in such a short space of time to be able to get a big enough fingerprint to geo-locate me?