If I was a betting man I’m sure I could make a lot of money on one thing. I would put all I could afford on a bet that the new NHS national database about to be set up will be hacked within five years.
I was listening to an interesting debate on the NHS database on the Today programme this morning, and I have to say I agreed with Ross Anderson that people should be opting out of this system in droves, for one reason:
Your data WILL be stolen, I can guarantee it, there’s just nothing more appealing than a massive central system. It’s a golden grail to organized crime, and to kiddie hackers who want to prove their spurs.
I’m not against a central repository of data, hey I’m a developer, I want it to happen, the things you can do with such things are wonderfully powerful. The problem I have with it is that it’s built to be safe and secure, when I’m afraid it is inherently not.
Instead I would like a system built to be stolen: all the data obfuscated, so that it could only be pieced together when requested by the correct chain of events (many of which being a password, credential-based system), or not holding personal data beyond an identifying number and information directly relevant to a medical professional.
If I can use any of the data in the system (on its own) to impersonate or steal someone’s identity or otherwise break someone’s privacy in a detrimental way (whooo… did you know Pete across the road is a nut case!!) then I don’t think the system is built in the correct way.
Data loss is an inherent and real risk when centralizing such systems. Who is going to break into your GP’s practice just to steal medical records? I suspect there would be little monetary gain there, but to have an easy-access (I use easy as in you can take your time over it without it costing you money) and highly rewarding system (if the data is valuable to someone it has a monetary value) is foolhardy.
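One way to realise the "built to be stolen" design described above, as an added example and not anything taken from the NHS system: identities and clinical notes sit in separate stores, linked only by a keyed pseudonym whose key is held outside both. The class and function names, the sample patients and the key handling are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the linking key lives in a separate service (for example an HSM),
# never alongside either data store.
LINK_KEY = secrets.token_bytes(32)


def pseudonym(patient_number: str, key: bytes) -> str:
    """Keyed one-way link from a patient number to its clinical record."""
    return hmac.new(key, patient_number.encode(), hashlib.sha256).hexdigest()


class SplitStore:
    """Identity and clinical data kept apart; neither store names the other."""

    def __init__(self, key: bytes):
        self._key = key
        self.identity = {}  # store A: patient_number -> name, address
        self.clinical = {}  # store B: pseudonym -> medical notes only

    def register(self, patient_number, name, address, notes):
        self.identity[patient_number] = {"name": name, "address": address}
        self.clinical[pseudonym(patient_number, self._key)] = {"notes": notes}

    def lookup(self, patient_number, clinician_authorised: bool):
        """Piece the record together only for an authorised request."""
        if not clinician_authorised:
            raise PermissionError("request not authorised")
        record = dict(self.identity[patient_number])
        record.update(self.clinical[pseudonym(patient_number, self._key)])
        return record


def attacker_can_link(stolen_clinical, stolen_identity, guess_key: bytes) -> int:
    """Count records a thief holding both dumps can re-identify with guess_key."""
    return sum(pseudonym(n, guess_key) in stolen_clinical for n in stolen_identity)


# Constructed sample data, not real patients.
store = SplitStore(LINK_KEY)
store.register("P-0001", "Alice Example", "1 Sample Road", "asthma, salbutamol")
store.register("P-0002", "Bob Example", "2 Sample Road", "type 2 diabetes")
```

Because patient numbers are short and guessable, an unkeyed hash would be reversible by enumeration; the keyed HMAC is what stops a thief with both dumps from joining them, so the key is the asset that needs the strongest protection.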
They speak about making it a criminal offense to break into the system but I submit that we have little jurisdiction over most of the people connected to the Internet.
Ok so I’m going down worst case scenarios now, but it’s all, in my opinion, valid.
So opt out. Now. The Data Protection Act says that there MUST be an opt out for such collections of data on electronic media. I suspect that there will be a lawsuit coming up if they don’t allow people to opt out.
If you don’t care too much, please please please, ask to check the data that’s going on the system with your GP.
This is a serious issue and as an IT professional I feel I must warn people that no computer system is safe.
There’s always someone smarter.