NHS data security
Earlier in the week we discussed fears that the Spine - the national electronic database planned for the NHS - could be insecure. Two thirds of family doctors have said they'll boycott it - and this before the saga of the missing CDs.
Dr David Everett is a security consultant at Micro Expert, who was commissioned by BT earlier this year to examine the security of the Spine. We asked him first for his thoughts on the Child Benefit data breach:
We'll be doing more on this for Saturday's programme, perhaps speaking to some doctors to find out their concerns over the new systems.

Comments
George
"Earlier in the week we discussed fears that the Spine - the national electronic database planned for the NHS - could be insecure"
"... could be insecure" I assume you're being polite..?
If the Chinese can (and did 3 or 4 weeks ago) "hack" into the Pentagon and the Pentagon periodically does the same to the Chinese Military, what hope I wonder is there for an NHS system?
My guess is "Spine" will leak like a sieve. How could it do otherwise..?
We shall see
erm... not sure if this is (still?) true, but the Spine has an air gap to the internet - i.e. there is no connection to the internet, so it can't be 'hacked' via the internet.
However, this may no longer be true (ask Connecting for Health whether any development teams have done anything they shouldn't) but more importantly it's also not the most likely way for the information to get into the hands of people who really don't need it, as evidenced by the HMRC fiasco (btw that's probably more the 'revenue' fiasco as the Customs people were traditionally a lot better at security...)
The number of individuals with access to the spine is staggering and (imo) beyond secure protection. (btw is it a criminal offence to access it without good reason as I believe it is to access the Police National Computer?)
I do feel that everything that Dr David Everett said about a secure system is correct, so let us test it for a few years on a set of data that would be less private to individuals. If the test is successful, then we can go ahead with the full medical records.
Naturally the data stored for the test would have to be readily exploitable if leaked.
My background: over 30 years ago, I was a Tax Officer for 6 years, in the days when 5 GCEs were required (incl. English and Maths).
Subsequently, Commercial Specialist with a multinational commercial company, now retired after 30+ years.
In the "olden" days of commercial computer systems, two essential personnel were required.
1/ A "systems analyst" to interface between the "system user" and the system programmers, and
2/ An expert "system user" who could define, in clear terms, the specific detailed requirements (and trouble-shoot the IT solutions prior to implementation).
The ideal system provides Company management with the order/invoicing/stock control and management reports it requires, at the touch of a button. It also down-grades the core users (the customer support and logistics staff) to "button-pushers" - the only requirement being the ability to follow a pre-defined computer entry procedure.
Company benefit - staffing cost savings - less staff, and lower qualifications (= lower pay scales).
Technology advanced - more powerful computers AND Corporate program advances - "off-the-shelf" core systems which (allegedly) can be tailored to individual Client need (SAP is possibly the most powerful example). One good thing is that "security" is a watchword - individual users are limited to specific data access on a pre-defined "need" basis.
BUT - gone are the individual Company user experts, and also gone are the Company Systems Analysts. Small wonder then, that Customer Service complaints abound against chain stores and utilities, when events outside the pre-defined system occur.
Now, escalate a commercial requirement into a National requirement, be it NHS, Revenue and Customs, or whatever body.
It's not the VOLUME of data that's the limiting factor, it's the lack of coherent communication. There's neither a "specialist" user nor a "systems analyst" any more - it's all "meetings". High-level committee meetings rarely if ever address "detail" problems. "Decision-makers" have little if any practical knowledge, with the consequences that are in the news today.
The reason that "IT" costs so much to implement is that lack of clear communication.
Back to basics - have someone who actually KNOWS what data is needed, define the data required.
Have someone who understands the capability of the IT system to be used, to tailor it to deliver.
Employ a security expert to define individual access needs (and restrict data download to that needed for the job responsibility)
If inter-departmental data transfer is needed - design a specific secure access port to allow the "needy" department to access /transfer specific data. Other than "secure back-up" to a secure off-site location, there should never be a need (or access) to download the entire database.
Of course it will be insecure. All such large systems are insecure. The question is whether it will be more insecure than the current system. And the current system is VERY insecure.
Currently, your hospital records are largely paper based. They are left lying around on trolleys and bookshelves (and on the floor etc. etc.)
It's quite hard to walk through a hospital *without* viewing someone's records. Currently, a lot of patient data is known by those with no business to know.
The spine will change this. It will not be possible to drop someone's records on the floor for all to see, or for them to get lost in the post, or for a bored porter to randomly flick through them in the middle of the night.
But, something new will be possible. Right now, although it is pathetically easy to see someone's records without authority, it's very hard to see *a particular* person's records. With the spine, once someone leaves a terminal open, a passing nurse may be able to not just look to see the record open on the screen, but may be able to quickly find the record of her boyfriend, for whatever nefarious purpose.
Obviously the spine is aware of this. The security system does not allow even senior NHS staff to browse all records. Generally, a clinician will only have access to those records of people he might need, like the current inpatients in the hospital.
However, it is this change from a system with constant but random breaches of security, to one that may have far fewer, but more targeted breaches of security, that should concern us.
The problem is that people are screaming about security without trying to quantify the effects. How much does it really matter if a junior doctor has a laugh over some random person's embarrassing X-rays?