NHS meltdown raises Security questions

Like the opening strains of Sinatra’s ‘My Way’, a certain melancholy descends as we look at the last days of centralised NHS IT programmes.

The aspirations of the programme were laudable, but the execution was less so. No doubt in years to come it will be used as a case study on how not to do stuff. Trying to draw together the myriad strands of NHS Authorities, GPs and Central Government has proved to be impossible from a technology perspective. I’m not going to offer an opinion as to why since I suspect we are years from a full understanding, but its ending does leave me concerned.

Rather like clearing up after a particularly good party, clearing up after the NHS programme is going to uncover some things we’d perhaps not wish to find metaphorically stuck to the carpet. One of my biggest fears is what is going to happen to all the data that has been created. And of that data, a fair subset is likely to contain personal data. Brutally, the NHS does not have a good record on data retention – to the point where I’m loath to even quote examples for fear of repetition. If you are reading this, then you probably know the cases.

Shutting down any project requires a wind-down period, and this project will require it more than most. The very reason the project was in place was to move personal/clinical data about, and I want to know how we are guaranteeing that this data is properly wiped from the systems being decommissioned. I want to know how they are doing it, when they are doing it, and what checks are in place to make sure it gets done properly. And to follow the party analogy, I want to know that if the mess is really sticky and unpleasant, a professional cleaner is called in to return the rug to its former glory.

We haven’t really got stuck into the whole NHS programme wind-down yet, and there’s going to be one huge argument after another over it, but I do believe that, unlike clearing up after the party, you can’t just do a run to the tip afterwards with the data. Keep your eyes peeled, folks…

About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I
This entry was posted in Information Security, InfoSec, NHS IT, NPfIT, Security, Sophos.

One Response to NHS meltdown raises Security questions

  1. An interesting blog discussing the possible issues facing the decommissioning of the NHS IT Programme.

    This programme has spent some time bringing together a significant amount of personal and sensitive personal information; this has undoubtedly resulted in aggregation, not just by accumulation, but also by association. It is absolutely vital that this programme is securely decommissioned, and that all systems, storage media and other repositories are appropriately sanitised or destroyed (I wonder how much of the IT kit is earmarked for re-use and re-deployment?).

    Neither the programme nor the wider NHS has shown any real competence in the management, protection and secure disposal of information. Given the quantities and sensitivities that we are talking about here, it is absolutely vital that expert opinion is both sought AND taken to ensure that the risks of this information being compromised are adequately and effectively addressed.

    We have already seen £11bn spent on this programme to date; I am sure nobody will object to a little bit more being spent to ensure it is securely wound down.
