NHS data access problem (Safend)

[Rainmaker]

Dons: Is this a Windows thing? Is it classed as Enterprise stuff? Well it's mostly a moan, and a slight hope someone can help - so I've shoved it in GD.

I applied for my hospital notes/records/images from the hospital I've used all my life. I moved area a couple of years ago and the new Trust doesn't have a full history. It's hard to get treated for some things because they just check their computer and say 'Who diagnosed that? We don't have any record...'. It's become tiresome so I just got a CD ROM from the old hospital with all my notes on it. That way I can print off the relevant bits for my GP and she's happy to add them to my 'new area notes'.

Today I received a CD ROM, and a separate letter with a password for the encrypted volume on the disc. So far so good. I opened it and it's a bloody .exe file called AccessSecureData.123456.exe. That's nice, except I have a Linux PC and a MacBook Pro... So I boot into Windows 10 on a spare SSD. There's no instructions in the letter the Trust sent, just a password.

I click on the AccessSecureData file and it pops up for a nanosecond and disappears completely. I was expecting it to be a portable app. It seems it actually installed a service, as the encrypted volume is now a folder icon with a padlock on it. So, I double click that and a password prompt appears. Nice.

Except the password they sent me - which states it's all uppercase - does nothing. At all. I tried a fake password and that had the same result, namely nothing. I then tried their password with lowercase (in case they'd done CAPS + shift by accident when making the password), and again nothing. I then decided it might need a Windows reboot (everything else on Windows seems to), but that actually removed the Safend service and the volume's icon is now blank - and clicking on it says no app can open this file (.ses format).

The Safend website has absolutely no help, no docs, not even a download page for the tool. Nothing. The Trust website just has a paragraph saying for DPA/GDPR requests email the team I'm already dealing with.

I thought data supplied in this way had to be in an 'accessible format'? Making me install Windows isn't accessible. Having their proprietary app do nothing and fail to open isn't accessible. I'm very chagrined.

Does anyone (Dimple?) have any ideas here? Have I missed something obvious? Is this just a retarded solution? Why couldn't they have just sent an encrypted .tar.bz2 file or a .gzip or a .7zip or something? I suppose I'll have to wait until they open tomorrow, but my current money is on 'they've sent the wrong password'. Place your bets.

 

[touch]

Try running the exe again as administrator. Also try turning off any antivirus, etc.

 

[Rainmaker]

Try running the exe again as administrator. Also try turning off any antivirus, etc.

Yeah, done and done. The account is an admin account, the exe will *only* run as admin, and I only had Windows Defender but I disabled it anyway. No dice. I even made a non-privileged account and copied the files over to its User directory. Double clicking the exe (no 'Run as Admin...') just brings up the Admin password prompt. Le sigh.

 

[Energize]

The NHS have basically ignored the number one rule of data security, don't use proprietary cryptosystems to attempt to secure data.

Having to install a windows service to access it is dodgy as hell.

 

[sideways14a]

Yeah typical of the NHS, i see a lot of issues day to day with people bringing in NHS secured devices (usually usb keys) - also a problem when wanting our students to access Uni resources while on placement in NHS facilities as they are very much a case of "dont care" when it comes to helping unlock or resolve issues. Which is ironic as we bend over backwards to sort there crap out.


As for an accessible format, well thats the problem you have when not using what the vast majority of other folk use. Goes both ways as well, folk wonder why i get irritated having to trouble shoot mac issues that only crop up occasionally as opposed the ones i am swimming in daily.
That said it "should" just work.

 

[Energize]

As for an accessible format, well thats the problem you have when not using what the vast majority of other folk use. Goes both ways as well, folk wonder why i get irritated having to trouble shoot mac issues that only crop up occasionally as opposed the ones i am swimming in daily.
That said it "should" just work.

Completely disagree with that statement, do you honestly believe that having install a service in administrator mode constitutes "accessible" to anyone, regardless of what operating system they use? Irrespective of that, a substantial proportion of lay computer users do not use Windows as their operating system, not just some niche demographic of geeks. Ultimately there is absolutely no technical reason why this data should not be readily accessible to anyone on any operating system, it is purely the use of a proprietary cryptosystem that renders it inaccessible. I would vouch that for GDPR purposes this does not meet the accessibility criteria that the law mandates.

 

[sideways14a]

Actually adding a service as part of the installer does sound right, quite logical when you think about it as your computer now has the ability to open the secured media without installing stuff again. Although why its cocked up i dont know but i presume they have sent you the wrong password.

What has happened here is you have requested your data and it has been supplied in a format the most people will be familiar with, its also what most doctors surgeries and other NHS services will be using so of course thats whats arrived.
Did you ask for a mac supported version? There should be one although.....Of course the person that got the job of packaging this up and sending it to you almost certainly doesn't have a mac, prob doesn't know the difference between a mac,pc and a blueberry and also has dozens of other requests to post out that day.

Also your very much in the minority with the Mac like it or not. I have had plenty of arguments with mac owners over the years about support and why don't we have mac labs and stuff. Simple answer is cost, it costs me 3 times a desktop pc to put a middling to poor mac on a desk, laptops are around 4 to 1 with the mac laptop being rather poor in spec at that.
Same with the software argument, god i have heard it so many times.. .why cant we submit our work in pages format ect...
Because the people your sending it to do not run the software and use the industry standard so if you want to use pages then go ahead but ffs send it in an office format because all that will happen is some clueless lecturer will come and complain to me that they cannot open this attachment and i have to waste 10 mins of my life explaining to them something that will go over the dam head anyway.

If you want to use a mac then fine, really, fine. But come on you have to accept a bit of responsibility when the thing your trying to do doesn't go smoothly because most of the rest of the world uses something else.

Anyway as i said, they prob sent you the wrong password.

 

[Rainmaker]

If you want to use a mac then fine, really, fine. But come on you have to accept a bit of responsibility when the thing your trying to do doesn't go smoothly because most of the rest of the world uses something else.

Anyway as i said, they prob sent you the wrong password.

Thanks for the insightful posts. I do strongly disagree with your sentiments here, however. The law mandates 'accessible' data. That means it should work on Windows, Mac, Linux, BSD, Solaris or anywhere else I decide to open it. Citing encryption needs is nonsense, as I already posted. They could meet the same demands with AES256 or whatever using .7z or .tar.gz.enc or whatever. That's free, open source stuff available to anyone anywhere, with the same rigorous encryption standards.

Having to install their own proprietary service as admin is a huge issue, both from security and privacy standpoints. As to whether I asked for the data in 'Mac format' - no, I didn't. The law was already clear so I didn't regard it as necessary to do so. I actually first accessed the CD under Linux, as I said. As it stands I'll have to wait until they're back in the office on Monday to ask for a resolution. They could have avoided all this - waste of NHS resources, staff hours/costs and all - just by using a plain old open, cross-platform standard. Repeating that 'most people use Windows' doesn't work here either, as it isn't accessible on Windows either. I just now have a deeply-embedded service running as root that's apparently quite hard to remove.

 

[sideways14a]

Your reading too much into this service thing, a lot of windows services work like that. The installer has just added the service so next time you use the drive (or another with the same encryption) it will open (well assuming PW ect).

The reason they are not using some other form of encryption is also pretty straight forward - they dont support them.
99.9% of NHS staff will have no idea what 7zip is (for instance), asking them to work with that while they have a fully operational, secure and supported system that scales is just going to cause problems. Having multiple pieces of software doing the same job is one of an IT departments low hanging fruit when it comes to costs. Supporting multiple software (or systems) to do a job usually costs money.
also on the subject of using open source software, there is a high chance that software simply did not meet there needs analysis.
Had this discussion over moving to open sourced SW for office a few years back, the reason we stuck with MS office was a number of things. Cost, users familiarity, portability (file formats ect), actual capabilities ect... I expect the NHS made a choice to go with there security products because of a similar analysis. For instance this one piece of software prob works well with there AD integration allowing password and account management to be transparent to the user.

Finally i have to also point out the "law mandates" thing.
You seem to believe that accessible data means it should work on everything from an abacus up. I would be very surprised indeed if there was any proper legal document with that kind of wording.
We cannot support every single thing someone walks though the door with, we cannot simply provide file formats that work on everything. Even in this case, there is a fair few macs in the world, the NHS supplied data in a format that is suitable for most folk. You run something different then you will have to do the last bit to make it work. There is prob a mac and linux client somewhere, maybe the NHS can send you it?


The NHS have done there side fine in this i can see, ok well apart from maybe messing up passwords or what not but thats human error and as i mentioned the actual software installing a service is also not a big issue.

 

[Energize]

Actually adding a service as part of the installer does sound right, quite logical when you think about it as your computer now has the ability to open the secured media without installing stuff again. Although why its cocked up i dont know but i presume they have sent you the wrong password.

What has happened here is you have requested your data and it has been supplied in a format the most people will be familiar with, its also what most doctors surgeries and other NHS services will be using so of course thats whats arrived.
Did you ask for a mac supported version? There should be one although.....Of course the person that got the job of packaging this up and sending it to you almost certainly doesn't have a mac, prob doesn't know the difference between a mac,pc and a blueberry and also has dozens of other requests to post out that day.

Also your very much in the minority with the Mac like it or not. I have had plenty of arguments with mac owners over the years about support and why don't we have mac labs and stuff. Simple answer is cost, it costs me 3 times a desktop pc to put a middling to poor mac on a desk, laptops are around 4 to 1 with the mac laptop being rather poor in spec at that.
Same with the software argument, god i have heard it so many times.. .why cant we submit our work in pages format ect...
Because the people your sending it to do not run the software and use the industry standard so if you want to use pages then go ahead but ffs send it in an office format because all that will happen is some clueless lecturer will come and complain to me that they cannot open this attachment and i have to waste 10 mins of my life explaining to them something that will go over the dam head anyway.

If you want to use a mac then fine, really, fine. But come on you have to accept a bit of responsibility when the thing your trying to do doesn't go smoothly because most of the rest of the world uses something else.

Anyway as i said, they prob sent you the wrong password.

Windows handles opening files automatically through file type associations and calls an installed executable whenever a particular file type is clicked on, you don't need to reinstall Word for example every time you want to open up a Word document. There is no reason to be continuously running a service in the background to facilitate the sort of functionality you are talking about. In fact there is no need to install anything at all to facilitate such functionality because the autorun service will run the encryption executable from the cd every time it's put in the drive and does not even require administrator elevation!

The NHS could not go further out of their way to make the data inaccessible. Considering that this is the same organisation that almost collapsed because it used Windows XP, I would put this as a further example of incompetence rather than any rational decision such as scalability and support.

I am not quite sure why you are ranting about Mac owners, it has no relevance. Never would I install some random software bunged on a CD onto my Windows machine.

In law "accessible" is not taken to mean "accessible for the majority", it means accessible for everyone within reason. It is expected that organisations supply data in a standardised format for legal purposes, not that every organisation gets to supply data in it's own proprietary format that can then only be opened on a specific operating system, using their supplied software granted full administrator rights, and on a day when all the planets are in alignment. The country would fall apart within days as every request for legal evidence was obstructed with document.xyz that would only open on some custom Unix kernel etc.

That is not "expecting it to work on an abacus".

 

[Isaach]

@Rainmaker, did you get access to your data in the end?
Today I received the disk and I'm waiting for them to send me a password so I can access the files.
That .exe and encrypted volume is on my disk as well.

 

[Rainmaker]

@Rainmaker, did you get access to your data in the end?
Today I received the disk and I'm waiting for them to send me a password so I can access the files.
That .exe and encrypted volume is on my disk as well.

Yeah, I reiterated my issues with how they had delivered the data. They apologised and asked me to call into the office, where I collected several boxes full of notes, images, and reports. All fine in the end, just no convenient electronic copy.