UK Just Banned the National Health Service From Buying Any More Fax Machines

The UK's NHS will be banned from buying fax machines from next month -- and has been told by the government to phase out the machines entirely by 31 March 2020. From a report: More than 9,000 fax machines are in use by the NHS, a July survey found. All will be replaced by email, according to a report from the BBC. The shift, ordered by UK health secretary Matt Hancock, is intended to improve patient safety and make communications more secure. Rebecca McIntyre, a cognitive behavioral therapist, told the BBC that using fax machines made it difficult to ensure patient's information was actually sent to the right place, and that it wasn't being seen by non-authorized people. "You would not believe the palaver we have in the work place trying to communicate important documents to services (referrals etc)," she said. "We constantly receive faxes meant for other places in error but this is never reported." Further reading: The Fax is Not Yet Obsolete.

UK vs. US

[dtmos]

The fascinating part is that, at least in the health care facilities with which I am familiar, the explanation given for not using fax machines in the UK is the same reason for not using email in the US: Just change "using fax machines made it difficult to ensure patient's information was actually sent to the right place, and that it wasn't being seen by non-authorized people" to "using email made it difficult to ensure patient's information was actually sent to the right place, and that it wasn't being seen by non-authorized people."

The privacy of a phone call used for a fax is seen by these institutions as greater than the multi-hop routing of Internet email. (It used to be true that one knew (or could find out) a defined physical location for the ends of a phone call, but that, of course, is no longer true.)

Re:

[AmiMoJo]

While interception of email is possible (although you would hope that they were mostly using transport encryption these days) there are far bigger risks, e.g. sending to the wrong person or the wrong people seeing the paper as it comes out of the fax machine and sits in the in-tray. At least with email there is a decent audit trail too, fax machines at best might store the last N numbers dialed but certainly not the message content.

Re:UK vs. US

[ShanghaiBill]

Emails may be stored by who knows how many servers between the sender and the recipient.

So can faxes. The days of circuit switching ended long ago.

Obvious solution for email: Encryption

Obvious solution for faxes: There isn't one.

Re:

[Anonymous Coward]

My company has a big bank of fax machines in a locked room with badge-controlled access and all they are getting is customer orders. Surely something as sensitive as patient medical data could be physically secured as easily.

Re:

[necro81]

Surely something as sensitive as patient medical data could be physically secured as easily

Could be but are not. (Spoken from experience as a former employee of medical facilities and as an observant patient.)

Re:

[scdeimos]

I never understood companies (or government departments) buying teams of fax machines to receive faxes. We've had these things called fax modems for decades already as well as software to receive faxes - some of them even integrate with Collabra, Exchange, Google Docs and that thing called Lotus (e.g.: GFI FaxMaker has been around over 20 years).

Re:

[sjames]

They can be secured and their firmware can be conscientiously updated whenever a CVE comes out, but don't count on it.

Re: FAX

[cc1984_]

PGP can handle multiple recipients

Spy vs I

[Ostracus]

Maybe someone will revive Google Health?

Abject failure of the tech industry

[Xylantiel]

I see it as an essential abject failure of the tech industry that most people have no way to securely send a simple document to someone else they know or have a real-world relationship with (doctor/patient, vendor/customer, service/client). Thinking about it, the closest I can come to a genuinely accessible solution is Signal [wikipedia.org]. What's even more sad is that the reason that this problem is unsolved is that the major tech players are so addicted to spying on their customers that they can't bring themselves to

Re:

[rtb61]

I would point to the fact, the Google as a corporation made the claim that email is equivalent to postcards, they wanted the excuse to examine everyone's email. So NHS by law can not send patient information to a GMail address because privacy laws are in force for the medical profession. In fact by law, unless the email is encrypted or goes direct to that persons in home email server which would be the equivalent of a fax machine in their home, would probably be illegal because the ISP has full access to em

Re:

[Mal-2]

Would it be so hard though to provide an email address on government servers which people have to log into like any other webmail provider? Then at least you'd know who was holding the data. If people choose to forward the emails on to external addresses, then they did that and it ceases to be a legal problem.

Re: UK vs. US

[Anonymous Coward]

It's an occupational hazard. I work for a major US health insurer. We are doing what we can to eliminate faxes and year by year they are less important, but can we talk about secure email? There are so many platforms and for each one you have to have a login. Once you are inside the secure site, the functionality varies. Some allow you to download the message and attachments all together. Others do not, which is a huge pain when some sends over dozens of documents and you are taxed with downloading each one

Re:

[omnichad]

That's about as useful in the real world as write-only disks.

Re:

[CronoCloud]

What? GPG and S/MIME are the standards for e-mail encryption, good e-mail clients support both.

Re:

[omnichad]

The problem isn't the standards is my point.

Re:

[Anonymous Coward]

GPG and S/MIME are ok, but the public / private key mechanism is far from foolproof and ubiquitous. If every email address was registered, identity verified, and assigned keys, then it would be a usable option.

Medical communication also needs to be accessible by other people. So the encrypted message that's sent to Dr. A needs to be read by Dr A., Nurse B, PreCert C, Medical Records D, Consultant E - G, OnCall DR's H - M. It's not as simple as encrypt message to 1 user.

There's a lot of activity in this

Re:

[CronoCloud]

Yes, let's talk about secure e-mail. If you're talking about "platforms" you're doing it wrong because secure e-mail should be done within the e-mail client, not by using some kind of proprietary "secure-messaging" service.

A good e-mail client supports both gpg and S/MIME encryption.

Re:

[chipperdog]

I wish I could mod you up.... there are standards for encrypting email that have been around since the 1990s, but no one cared back then and our current "app" culture rather use a trendy, usually proprietary, app instead following a standard...but then again most healthcare providers around here are already using electronic records (which currently send faxes to external providers), you's think there could be an Owncloud/Dropbox/Gdrive style sharing via https link/api (maybe some inter-provider standard for

Re:

[Comboman]

The difference is, each individual has a private email address whereas fax machines are shared for a whole department and anyone walking by can read them. Both are equally vulnerable to misdirection due to the errors by the sender (wrong digit in fax number or wrong character in email address). Both phone and email are (typically) unencrypted, and as long as the government wants to maintain the ability to snoop, that's unlikely to change.

It's a bullshit argument

[Anonymous Coward]

The UK civil servantry has no trouble sending sensitive data every which wrong way, regardless of medium.

Fax sent wrong, email accidentally the whole contact list, dvds lost in the mail, usb left on the bus, papers left in taxis, laptops stolen from cars, briefcases left on trains, it's all been sent wrong, left behind, lost, stolen, or whatever else, at one time or another. Usually unencrypted, of course.

So this is just a big fat gesture in lieu of doing something useful. Like "banning all diesels", "banni

Re:

[jabuzz]

Worse than that, a whole range of devices from photocopies to multifunction printers come with a built in fax facility. So you would have to ban all dual usage devices too which I doubt they are doing.

Re:

[tepples]

If the regulation were "Buy no more dedicated fax machines, and fill the telephone connector of fax-copiers with epoxy," would you find that practical?

Re:

[gmack]

It really doesn't need to be either fax or email. Here, my doctor has a 2FA dongle to access his account with the Government of Quebec, yet the pharmacy faxes him prescription update requests and his receptionist faxes his reply. I don't see why they can't have some secure, medical professional only system for sending medical related information.

Both Suck

[jellomizer]

Both methods of Faxing and Emails are bad options for sharing Medical Data.
The better method which would actually require strong IT in healthcare would be appropriate HL7 communications either via Clearing House or direct VPN connection between systems.
This technology isn't new, but it better for sending healthcare info, as the data can be parsed and categories more easily into the EHR and EDM systems.

Re:

[bill_mcgonigle]

They usually pre-program "speed dials" on these things to help ensure that most records don't get sent to the wrong place.

Twenty-ish years ago I got an HP Digital Sender - paper in one side, email out the other - and integrated it with the employee directory of the hospital I was working for. Everybody loved the speed and reliability, plus the clarity was way better than FAX, but nobody wanted to type in a whole name on the chicklet keyboard when they were used to one-button dialing. Even 10 numbers was s

Re:

[max99ted]

haha nice! I still have my HP 9100c on the home network. They did colour scanning as well which was not nearly as common at the time.

Re:

[sjames]

Of course, when you fax, it just drops into a tray. Often a FAX machine is shared, so anyone can rifle through the faxes that have arrived.

Re:

[Mal-2]

Many times, I have called someone to let them know I would be sending a fax. If they ask me to wait ten minutes because they can't hover over the machine right now, then I wait ten minutes.

Re:

[Bruce66423]

Flawed because the NHS has a 'walled garden' of a secure network within which data is secure.

But email is not secure

[paulej72]

But email is not secure.

Re:

[Luthair]

The BBC article which the summary references yet doesn't link to (presumably because qz spammed this submission) specifically mentions how faxing to the wrong place is a common occurrence.

Re:

[CronoCloud]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GPG and S/MIME encryption is a thing that exists.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBAgAdFiEE0YU0isbenb1PGb7IaCsut4kt6eEFAlwOoLwACgkQaCsut4kt
6eH+5Af8CvAPqfbIMUt7dxCgECFrzweDYo641tDoD1eW0AUrCC25+Aiy9x98zJyZ
KV2EjL9TGCtrq83z5mJlwCd3mXXCGpcLp1nMG9Pi7X0ddXEdN2XQWlkvzpCIeygx
I/AKbY9foiKQ6YsrUS7GtKR7ErN5QaooGKFGciAa4a5pZHdDBqDwTehC8blkGyHI
S1RDIGUJpqIKT+wVPHdMoPj6TEJBy+S0AvKX/trBd+EqYOYF4OU9vWncKLYnFxDT
cFqDcICSoCyxFLQBlsz/P0mlycx76yFY3/UBSjHXhaYlUsmibtf3LwIasDzA4CEp
cgE479

You can't be sure with email

[jd]

Unless certificates are issued to all staff in the form of Class III cards, same as the US military use, and all emails are encrypted using certified correct chips (software is too easily infected as heartbleed showed) then you provide only the illusion of assurance.

Re:

[Anonymous Coward]

Good thing the UK is an EU member state...

Re:

[necro81]

Unless certificates are issued to all staff in the form of Class III cards, same as the US military use, and all emails are encrypted using certified correct chips (software is too easily infected as heartbleed showed) then you provide only the illusion of assurance.

I do not disagree. But practically speaking this seems like an impossible goal.

Given the fractured nature of healthcare in the U.S., getting everyone on the same page regarding encryption and certificates is more or less impossible. And a

Could be done (in theory)

[sjbe]

Given the fractured nature of healthcare in the U.S., getting everyone on the same page regarding encryption and certificates is more or less impossible.

It's only impossible in the sense that it would require an act of our currently dysfunctional congress. Congress could make a standard required with the stroke of a pen and everyone would have to get on board. It really wouldn't be all that hard. But of course we have elected a quorum of of asshats who think that somehow this would be a bad thing.

Not different in the US

[Anonymous Coward]

My wife works at a hospital in the US, where the hospital still uses paper charts, and sends faxes *internally* to different departments.

The problem has never been technical. Email + Smart Card + Encryption is simple to set up, and baseline simple to use. The resistance is administration, staff, doctors, coworkers, etc. You've got to remember, that medical people are generally smart and capable, but figuratively suck-ass-at tech. I'm talking rebooting-a-computer-is-hard suck-at-tech. Think about traini

Fax still works

[Socguy]

As someone who now works in health care (not the UK), I can say that this is dumb. Fax machines are actually very convenient since most documents are still filled at least partially by hand. In order to email, I would have to log onto a computer, wait for it to secure-boot then scan the doc in then open email, attach and send. For privacy reasons every time I walk away from a computer, it must be logged off. The other issue with sites that use email is that any documents with personal information (that would be all of them) must be encrypted using a unique password that must be pre-arranged with the recipient. Therefore, before I can email someone their document, I must call them and work out a password with them This would not be any great burden if it was only once a day but with the amount of documents flying around, the simplicity of dropping a document in the feeder and pushing a single button is invaluable.

The other reason that email is frowned upon in the healthcare industry is that it's far too easy to print multiple identical copies of documents. Patients more and more often want their prescriptions emailed to them and I have to tell them no. How great would it be to get a prescription for Oxy over email and then print a hundred copies, one for each pharmacy in the city?

Re:

[mccalli]

You need to do none of that. Worst case, get a scanner that can email directly. And you're done.

Re:

[freeze128]

In the US healthcare Insurance industry, there is just no substitute for FAX. Your insured cardholders often have papers that need to be transferred to your company. These cardholders are from all over the globe, may not be computer savvy enough to figure out scanning and encryption, and only need to transfer the documents when they submit a claim - possibly only once or twice. The FAX is the fastest, simplest answer. You just cant spend hours on the phone trying to tell a novice how to scan a document and

Re:

[es330td]

In the US healthcare Insurance industry, there is just no substitute for FAX.

The same is true in my industry, financial services. Only a fax provides positive confirmation that a message was received in good order. When a person is making a six figure investment both sides need to have the confidence that information was sent AND received as intended.

Confirmation?

[sjbe]

Only a fax provides positive confirmation that a message was received in good order.

No it does not. It provides confirmation that the message was delivered to a particular fax machine but provides no information beyond that, including whether or not it printed legibly on the other end.

When a person is making a six figure investment both sides need to have the confidence that information was sent AND received as intended.

If that's the goal a fax is definitely not the technology you want. You have absolutely no idea who picked up that piece of paper on the other end and what they did with it. Might have gone straight to the trash for all you know. Pretending that a fax is some sort of reliable means of logging communicatio

Re:

[lgw]

Phone calls are probably easier to hijack than email these days. Fun fact: authorities in in Las Vegas area have given up on maintaining control of the phone system (organized crime redirects calls to call-girls to their own girls). At least email can be encrypted.

Of course, almost all "six figure investments" are made with a click in a broker's web UI (or an ibank's internal web UI).

Re:

[Vicious Penguin]

You need to do none of that. Worst case, get a scanner that can email directly. And you're done.

If you are speaking from a capability point of view, then you are entirely correct. But the parent was talking about the layers of regulations that hamstring data sharing in medicine.

All that hullabaloo the parent mentioned is real and my staff spends hours each day fooling around with it. Oh yes, and it is the law too (at least in the US).

Re:

[mccalli]

I'm in the UK - here there are plenty of email solutions here for health care, and I can order repeat prescriptions through an app. Please understand - I'm interested and learning from the comments about the US health care system. However the story comes from the UK - there's literally no reason here at all to be using a fax machine since there's plenty of already in use alternatives.

Re:

[mejustme]

The other reason that email is frowned upon in the healthcare industry is that it's far too easy to print multiple identical copies of documents. Patients more and more often want their prescriptions emailed to them and I have to tell them no. How great would it be to get a prescription for Oxy over email and then print a hundred copies, one for each pharmacy in the city?

Are your faxes printed on magical paper that prevent copying?

Re:

[Rick Schumann]

There are email services in existence as I write this that don't allow copying, forwarding, and self-destruct upon opening/reading messages received. Based on the knowledge of this it seems trivial to me for there to be email services specifically for the healthcare industry that operates the same way, plus fully encrypted with strong encryption. Could be designed to be as simple to use as normal email. For once this is a problem that technology can actually solve properly.

Re:

[PsychoSlashDot]

As someone who now works in health care (not the UK), I can say that this is dumb. Fax machines are actually very convenient since most documents are still filled at least partially by hand.

Washing your hands frequently is also inconvenient,but best serves your patients.

In an age of enlightenment with regards to patient privacy and accountability, fax just doesn't have the ability to do the job right. Adequately, yes, I grant. But all of the processes you name could benefit from modernization.

Re:

[Jahta]

Plus the Fax network wasn't affected when the NHS computer systems were taken off the air by the WannaCry malware.

Re:

[RatherBeAnonymous]

Email is forbidden and fax machines persist (in the US) primarily due to HIPPA regulation 45 CFR 164.312(e)(1).

(1)Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Email can not guarantee that all hops in the SMTP path are encrypted. Fax bypasses this regulation because POTS is not considered an electronic communications network. There are work arounds. Encrypted attachments are OK, but better are secure email services where the message recipient receives an HTTPS link to download the message and they manage user accounts and passwords. I assume these ar

Re: Fax still works

[tangent]

> Fax machines are actually very convenient

My grandmother was in a US hospital recently, in another state. She was traveling with my parents and fell ill there. Since my grandmother was living with my parents at the time, all of her medical records were back home, and the out-of-state hospital had no way to get her records from the local hospital that produced them, so they called me to drive over to my parentsâ(TM) house to fetch them.

I did that, then called the out-of-state hospital to ask what em

Re:

[ben_kelley]

Fax machines are actually very convenient

Not for the patient.

Re:

[JSG]

In the UK, the prescription document is simply a thing to hand over to a pharmacy - mostly vestigial. The prescription itself is transmitted electronically. Nowadays you don't even have to sign a prescription charge waiver form: the machine knows already. To be honest, I haven't actually seen a prescription form for quite a while. It is almost as though at least part of the NHS has noticed that it is 2018 8)

Re:

[Mal-2]

You don't need fax machines to receive or send faxes, though. Nor do the documents received ever have to be printed. A fax server on the local network is actually a lot more convenient, both sending and receiving.

Re:

[havana9]

How in Italy have solved the problem. Every recipe, except those for OTC drugs, have a barcode, and when you go to a pharmacy they scan the barcode and the software checks if that is valid. This works both with handwritten recipes, that you normally get on an home visit, or a printed or PDF recipe. If you need opiates or other controlled drugs you have to ask the pharmacy in advance, and they normally phone the doctor for confirmation.
This is a recipe that could be handwritten [piemonte.it] You can clearly se on the rig

Don't Tell Them About eFax

[Anonymous Coward]

eFax would make their heads explode.

Re:

[jfdavis668]

Yes! They should upgrade to Vista!

What are they even faxing?

[ltbarcly]

It amazes me that there is even any need to fax patient information at all in the UK. They have had centrally run and managed and funded healthcare since the end of WWII ! I would have thought they would have some terminal text-based records system from the 1980's that was universally deployed. I mean the closest thing I have experienced to the UK system is the US military's system, which has been computerized with centralized records since I was a baby in the 80's (parents were in air force). Sure, th

Re:

[lgw]

It's almost as if competition spurs efficiency. Nah, that's crazy talk.

Re:

[Vicious Penguin]

It's almost as if competition spurs efficiency. Nah, that's crazy talk.

You are certainly correct, but the use of fax in the healthcare industry has more to do with another huge painful thing that the government does to us: unintended consequences.

HIPPA laws greatly restrict the use of electronic distribution of patient records. Thus, we fax everything. Again, to your point, reality is not optional.

It is 2018

[Impy the Impiuos Imp]

"They don't really need to stop this, as all modern, 2018 medical facilities are happy with fax machines," said a representative for the firm contracted to supply fax machines, The McFly Corporation.

Faxes are good enough for government work

[g01d4]

Industries that still rely on fax machines usually have little incentive to improve productivity, especially if the status quo can be deemed good enough. This is particularly true for government agencies. When politicians attempt to foist productivity improvements on the bureaucrats the outcome often doesn't bode well. It typically takes some kind of crisis for such improvements to be implemented.

Re:

[RatherBeAnonymous]

But, it's not "on a computer", so it's safe.

Why Email?

[chipperdog]

Most healthcare providers around here already have electronic records (EPIC being dominant platform). Why not some open, standardized protocol for exchanging health data between systems? Records could be shared just like sharing a file in Owncloud/Gdrive/Dropbox....It would provide an audit log of every access and could be simpler than faxing

Re:

[ClickOnThis]

The Stock Market only turned downward when it became obvious that the Dems would take the House. It's been positive for two years, and suddenly it starts tanking, mostly after the midterms handed the purse to the dems.

Wrong. Try again.

Stock markets hate uncertainty. There's loads of uncertainty right now coming from Trump's trade wars and a teetering Brexit. There is no uncertainty regarding who has the House. In fact, the market has expected it for months, and whatever effect it was going to have happened months ago.