TD wrote:

"Ian Stirling" wrote in message
...
snip
Ok...

If I was a rapist, I'd quite like to get a list of girls 12 20, with a
history of assorted mental health problems, a nominal BMI, and no
history of STIs.

If I was a burglar, I'd like to know about OAPs, who are on 'care in the
community', and have had treatment in private hospitals.

Or people living alone, going into private hospital for a stay of
several days.

Or cases where a family has private health insurance, and has gone to
the doctor for immunisations for far off places.

If I was a vigilante, I might want people who've been in secure
hospitals.

If I was an identity thief, I'd like details of people who are
'confused'.

If you get access to medical records, you can read a hell of a lot
between the lines.

May I use your examples on my blog?

You will be credited!

Sure.

"TD" wrote in message
...

"Periander" wrote in message
...
Steve wrote in
:

Periander wrote:
Steve wrote in
:

...


We're working on future releases of the SPINE, most of us are
experienced computer guys if not hackers and it really is hard to
break in. Not impossible but I can't really think of a purely
brute-force way, it would have to be a serious breach led from a
person in high authority, like a smartcard admin for example.

Depends on what you deam to be "damage" and your definition of "serious".

As if by magic,

'Plans to upload medical records onto a central database - the so-called
spine - will put patient confidentiality at risk, Connecting for Health
(CfH) has been told by its own consultants.
'In its own risk analysis of the project, the agency responsible for
centralising the country's medical records has acknowledged that GPs'
concerns about patient confidentiality have merit, and that it would be
safer to store records locally...'

http://www.theregister.co.uk/2006/11/27/care_record_conf/

This is the report referred to in the article - a link within a link and not
as implied by www.theregister.co.uk.

http://www.nhsconfidentiality.org/wp...s%20Report.pdf

Nick

You clearly tantalise us with what seems to be the ease with which you
access medical records - despite the fact that you have nothing to do with
the health service.

"Confidentiality NHS Code of Practice" (DH, November 2003)

snip

I used to work for a contractor to a contractor to the NHS. During that
time I had complete and unrestricted access to the live database of
20,000 patient's medical records. I even made copies of it.

Large corporations are really, really slack with their data. Over the
years I've had customer account details for a high street bank, the
customer database for probably the largest retail chain in the country
and a supermarket's loyalty card database. I only use it for generating
stats and all of it could have anonymised but they never bother.

It seems to me that the only reason that you have a legal right to the
information is if you work for a legal agency or in child protection.

What makes you think people misusing the medical databases are going to
bother with the code of practice?

To the other posters in the thread, what makes you think hackers are
going to bother using the secure access mechanisms?

On Tue, 28 Nov 2006 20:35:03 +0000, " wrote:

You clearly tantalise us with what seems to be the ease with which you
access medical records - despite the fact that you have nothing to do with
the health service.

"Confidentiality NHS Code of Practice" (DH, November 2003)

snip

I used to work for a contractor to a contractor to the NHS. During that
time I had complete and unrestricted access to the live database of
20,000 patient's medical records. I even made copies of it.

Large corporations are really, really slack with their data.

Agreed.

I have had complete and unrestricted access to all social services
data from a number of councils while I have been contracting for them,
and some have even left my access intact after I have left (which can
be useful when they want me to do some more work for them, but it
really should be disabled in the meantime).

This includes things such as financial details of adults going into
nursing care, names and addresses of children on the Child protection
register, etc.

And I have never had any formal vetting or checks carried out into my
background.
--
Alex Heney, Global Villager
It's easier to get older than it is to get wiser.
To reply by email, my address is alexATheneyDOTplusDOTcom

"Nick" wrote in message
...

"TD" wrote in message
...

snip
'Plans to upload medical records onto a central database - the so-called
spine - will put patient confidentiality at risk, Connecting for Health
(CfH) has been told by its own consultants.
'In its own risk analysis of the project, the agency responsible for
centralising the country's medical records has acknowledged that GPs'
concerns about patient confidentiality have merit, and that it would be
safer to store records locally...'

http://www.theregister.co.uk/2006/11/27/care_record_conf/

This is the report referred to in the article - a link within a link and
not
as implied by www.theregister.co.uk.

http://www.nhsconfidentiality.org/wp...s%20Report.pdf

Thanks for the link.

I've yet to read the whole document But the executive summary says the
locally held data solution (ASE) poses a lower 'summed' risk than the
centrally held solution.

What am I missing, which part of the Register article is at fault?

In article ,
says...

"Nick" wrote in message
...

"TD" wrote in message
...

snip
'Plans to upload medical records onto a central database - the so-called
spine - will put patient confidentiality at risk, Connecting for Health
(CfH) has been told by its own consultants.
'In its own risk analysis of the project, the agency responsible for
centralising the country's medical records has acknowledged that GPs'
concerns about patient confidentiality have merit, and that it would be
safer to store records locally...'

http://www.theregister.co.uk/2006/11/27/care_record_conf/

This is the report referred to in the article - a link within a link and
not
as implied by www.theregister.co.uk.

http://www.nhsconfidentiality.org/wp...s%20Report.pdf

Thanks for the link.

I've yet to read the whole document But the executive summary says the
locally held data solution (ASE) poses a lower 'summed' risk than the
centrally held solution.

What am I missing, which part of the Register article is at fault?





I would think that the privacy concern was a trivial matter compared to
the routine flat out incompetence of the people routinely employed to
provide and maintain UK national health computer systems.

-colin-