4 May 2016

NHS Trust shares information of 1.6 million patients with a service run by Google

This blog was updated – skip to the end for the update, new readers start here:

News that an NHS Trust has shared the information of 1.6 million patients with a service run by Google has raised concerns about how health data is being treated.

There are obvious and important questions about what information is involved and how it’s being protected. Here are some answers I’ve gained from the Trust involved, the Royal Free, which runs Barnet, Chase Farm and Royal Free hospitals.

  • Information handed over by the Trust includes patients’ names, addresses, NHS numbers, and dates of birth

  • But the Trust says that before this data is sent, it is encrypted, or scrambled (the standard used is AES256 for those in the know)

  • This scrambled information is then sent to a computer server in the UK, which the Trust says is secure (again the standard used is ISO27001)

  • That computer server is not actually inside a Google office, it’s run by a third party (not named by the Trust). It is running software developed by Google’s DeepMind artificial intelligence subsidiary

  • That software uses the scrambled info to work out which patients are at high risk of acute kidney injury

  • The scrambled results are then sent back to doctors working for the Trust, where they are unscrambled and used to tell them who’s at higher risk

Of course, even this level of detail won’t answer all the concerns of privacy and security watchers: some of them have worries about how robust that ISO27001 standard is, for example.

But if you are worried, here is perhaps the most important fact: you can opt out of the scheme by writing to the hospital’s data protection officer here.

(Keep the letter handy: with the explosion in the data-sharing industry, you may need to use it again for another service soon)

UPDATE: 6th May, 2pm

After writing the above I was contacted by a number of people raising two basic but important questions – answers are below:

  1. Why does the Trust send patients’ names, addresses & dates of birth to the server, if the purpose is to calculate risk of kidney problems?

    Answer: Once the risk is calculated by Google’s software it is sent back, encrypted, to the NHS Trust. At that point, clinicians need to inform the at-risk patients, and therefore (so the Trust argues) the name and address need to stay “attached” to the rest of the patients’ info so they know which patients to inform

  2. If the patient info is encrypted when it leaves the Trust, how can Google’s software do anything with it?

    Answer: It turns out that the info is decrypted once it’s inside the computer server running Google’s software (it’s encrypted as it travels to that server, and while it’s waiting to be analysed, but as soon as Google’s software wants to analyse it, the info is decrypted). The info is then re-encrypted and sent back to the Trust after analysis
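To make the two answers above concrete, here is an added illustration (not the Trust’s or Google’s system) of one way the re-linking described in answer 1 can be done without names, addresses or NHS numbers ever leaving the Trust: the Trust replaces each NHS number with a keyed token, sends only the token and the clinical values, and maps the returned tokens back to patients itself. The patient records, the key and the risk rule are all constructed stand-ins; the rule is a placeholder, not DeepMind’s model.

```python
import hashlib
import hmac
import json

# Constructed sample records held by the Trust (names and NHS numbers are made up).
TRUST_RECORDS = [
    {"nhs_number": "999 000 0001", "name": "A. Example",
     "baseline_creatinine": 70.0, "latest_creatinine": 130.0},
    {"nhs_number": "999 000 0002", "name": "B. Example",
     "baseline_creatinine": 80.0, "latest_creatinine": 85.0},
]

# Secret held only by the Trust (constructed). It is never sent to the analytics server.
TRUST_LINK_KEY = b"trust-held-secret-key-not-shared"


def pseudonym(nhs_number: str, key: bytes = TRUST_LINK_KEY) -> str:
    """Keyed token for an NHS number; without the key the token cannot be reversed."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def build_payload(records, key: bytes = TRUST_LINK_KEY):
    """What leaves the Trust: clinical values keyed by token, with no names or NHS numbers.
    The token-to-patient table stays at the Trust."""
    link_table, payload = {}, []
    for r in records:
        tok = pseudonym(r["nhs_number"], key)
        link_table[tok] = r
        payload.append({"token": tok,
                        "baseline_creatinine": r["baseline_creatinine"],
                        "latest_creatinine": r["latest_creatinine"]})
    return payload, link_table


def analytics_service(payload):
    """Stand-in for the external risk software (placeholder rule, not a real AKI model).
    As answer 2 notes, transport encryption does not help here: the server sees this in clear,
    so the only protection is that the payload carries no identifiers."""
    return [{"token": p["token"],
             "high_risk": p["latest_creatinine"] >= 1.5 * p["baseline_creatinine"]}
            for p in payload]


def relink(results, link_table):
    """Back at the Trust: turn returned tokens into the patients clinicians must contact."""
    return [link_table[r["token"]]["name"] for r in results if r["high_risk"]]


def identifiers_leaked(payload, records=TRUST_RECORDS) -> bool:
    """Check the outbound payload for any name or NHS number from the source records."""
    text = json.dumps(payload)
    return any(r["name"] in text or r["nhs_number"] in text for r in records)
```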

This blows a bit of a hole in the Trust’s reassurance that all patient data is encrypted (because it’s only encrypted until it’s not), but in their defence Google points out that this scheme has been given a 100% approval score from the HSCIC, which oversees how health info is treated.

Google also points out that similar data-sharing arrangements are in place between other Trusts and private companies.
