GCHQ Granted Access to NHS Data as Privacy Concerns Increase

The Health Secretary Matt Hancock has permitted GCHQ to access NHS data.

According to HSJ, GCHQ now has the power to make the NHS disclose any information which relates to “the security” of the health service’s networks and information systems. This move is intended to better protect the NHS from cyber-attack.

A statement claimed that Hancock has permitted GCHQ access to “any information relating to the security of any network and information system held by or on behalf of the NHS or a public health body during the period ending on December 31 2020.”

The statement also noted that “any activities carried out by GCHQ for the purpose of supporting and maintaining the security of any network and information system” which is held by, or on behalf of, the NHS or a public health body, and supports, directly or indirectly, the provision of NHS services or public health services intended to address coronavirus, are permitted.

Jake Moore, cybersecurity specialist at ESET, said that since WannaCry, the NHS has been highlighted as an increasing target by not just financially-motivated hackers, but by mayhem creators too. “They therefore require all the help they can get right now from both the NCSC and the private sector where possible,” he added. “The NHS environment currently needs as much bolstering as possible – although some of this may be difficult to deliver while social distancing is in place.” 

Irene Ng, CEO of Dataswift, said that the news is likely to add fuel to already existing privacy concerns around the handling of the COVID-19 pandemic with the use of contact tracing apps. “The debate around these issues tends to focus heavily on whether or not we can trust Governments, and the NHS, with our health data,” she said. “These debates often conflate trust with privacy. If there is trust, then should privacy not follow?”

The news comes as more concerns are raised about the use of contact tracing apps. In a joint statement signed by 192 UK academics, concerns about an NHSX contact tracing app were raised, and the undersigned urged “that the health benefits of a digital solution be analyzed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved.”

With reports claiming that an approach where the de-anonymized ID of someone who is infected, and also the IDs of all those with whom the infected person has been in contact with, is being considered. The academics said: “This facility would enable (via mission creep) a form of surveillance. We note that it is vital that, when we come out of the current crisis, we have not created a tool that enables data collection on the population, or on targeted sections of society, for surveillance.”

The academics also asked NHSX to publicly commit that there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system at a minimum, and asked how NHSX plans to phase out the application after the pandemic has passed to prevent mission creep.

NHSX has been approached for comment.

What’s Hot on Infosecurity Magazine?