NHS data security shambles
And why blowing up Basildon is a good thing
Letters It is not often that we at El Reg find the reality of a situation to be worse than we had guessed. In the case of NHS patient records' security, we think it might be.
This week we heard the NHS IT supremo, Richard Granger, neatly sidestep the issue at the Government Computing conference in London. From the correspondence we've received from you, our beloved readers, we can see why he didn't really want to get into it:
I just saw your article on medical records, and thought I would share something with you... While your medical records may be safe, there is a lot that can be told about you by the prescriptions you request / have filled.
One central London surgery, [Name removed - Ed], has an online form for you to order new prescriptions. Putting aside their ignorance of accessibility issues for now (you have to have flash installed to get from the home page to the prescriptions page), they have bigger problems.
Their prescription form sends all of your prescription request data in the clear to a service owned and operated in the USA. This means that they are not bound by the constraints of the Data Protection Act or any other laws that protect medical or other privileged information.
No SSL encryption anywhere in this chain. When the information hits this server, an e-mail is generated to the surgery. The e-mail address that this mail comes from is [email protected] I won't give you the recipient name at this point, to protect the guilty.
So we have the following problems:
- Your prescription request, your date of birth, your doctor's name, and your name are sent across the Internet as an HTTP request
- Once this is complete, all of this information is again sent over the Internet, un-encrypted, to an e-mail address
- The company who are providing the form2mail service provide no guarantees that they do not collect this data, and as they are outside the EU, they are not bound by any laws protecting your data. They have not signed a safe-harbour agreement that I can find
What's worse is that this surgery will no longer accept requests for repeat prescriptions by telephone. You have to either go in there, or use this VERY insecure service.
So how safe is your medical data? Not very, I would say!
-- Wayne Pascoe
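The failure Wayne describes (a web form whose action posts patient data over plain HTTP to a third-party form-to-mail relay) is easy to check for before you ever submit anything. The script below is an added example, not code from the correspondent or from the surgery in question: it parses the forms on a page and flags any whose resolved action is not HTTPS, sits on a different host from the page, or uses GET (which puts the fields in the URL). The page URL, hostnames and form markup are constructed for the demonstration; the real surgery's site and relay provider are not named here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a prescription page served over plain HTTP whose first
# form posts to an off-site relay (hypothetical hostnames), plus a benign
# same-origin HTTPS form as a control.
SAMPLE_URL = "http://surgery.example.org/prescriptions.html"
SAMPLE_HTML = """
<html><body>
<form action="http://forms.example.net/cgi-bin/form2mail.pl" method="post">
  <input type="hidden" name="recipient" value="withheld">
  <input type="text" name="name">
  <input type="text" name="dob">
  <input type="text" name="doctor">
  <textarea name="prescription"></textarea>
  <input type="submit" value="Order">
</form>
<form action="https://surgery.example.org/contact" method="post">
  <input type="text" name="message">
  <input type="submit" value="Send">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL, method and named fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions inherit the page's scheme and host, so resolve
            # them before judging where the data goes.
            action = urljoin(self.page_url, a.get("action") or "")
            method = (a.get("method") or "get").upper()
            self._current = {"action": action, "method": method, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            kind = (a.get("type") or "").lower()
            if name and kind not in ("submit", "button"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: where it submits, what it carries, what is wrong."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in collector.forms:
        target = urlsplit(form["action"])
        issues = []
        if target.scheme != "https":
            issues.append("plaintext-submit")      # readable by anyone on the path
        if target.hostname != page_host:
            issues.append("third-party-endpoint")  # data leaves the surgery's control
        if form["method"] == "GET":
            issues.append("data-in-url")           # fields land in logs and history
        findings.append({"action": form["action"], "fields": form["fields"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f["action"], f["fields"], f["issues"] or "ok")
```

Run it against a saved copy of the page (or the HTML fetched with any client) and every form that carries identifying fields but reports `plaintext-submit` or `third-party-endpoint` deserves the question Wayne asked: who receives this, under what jurisdiction, and what do they keep?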
As a member of the medical profession within Britain I can safely say that there will be no *meaningful* security of patients' medical records either electronically or physically. There are no individuals with the necessary understanding of security within the NHS in order to do so. NHS IT standards were heavily criticised by the Wanless report (April 2002), yet the same people who were masterminding the expensive farce are still in charge, despite some mostly cosmetic changes at the top of the tree/trough. Until such time that NHS management (and civil servants!) are made to be in any way *accountable* for *their* decisions then nothing will ever change.
I doubt that any of the staff i/c NHS security will ever have heard of Bruce Schneier or Ross Anderson let alone read their books or papers. As for Kevin Mitnick, well if they knew about him they would change jobs. All joking aside, several of my colleagues and I have approached solicitors to see about methods of blocking the state from putting our medical records onto any form of electronic system connected to the www as we do not wish Korean teenagers to be accessing them.
Until such time that the NHS can operate their systems without, say, catching every new worm that appears in the wild - often more than once (cf. the recent episode of the Royal Hospital for Sick Children @ Yorkhill in Glasgow being paralysed for >10 hours by MS.Blaster approx 9 months after the rest of the world) - then it seems a bit of a tall order to expect them to take any reasonable care of the electronic data that they look after.
It is important also to remember that the majority of facilities are still recording notes in written form and where there is also electronic data entry then these systems run concurrently as the legal system still relies on contemporaneous, written records for court cases as these at least contain a tiny modicum of authentication in terms of handwriting, physical signature, dates and times written in ink, etc.
The awful truth at the root of all the NHS IT problems is that, apart from the very visible appointments to the very top of the tree of vibrant, dynamic characters with a proven (good) track record in industry, the rest of the IT structure (and NHS management structure) is made up of people who, if they were competent enough to work elsewhere, would be by now.
Only last week, security issues concerning the NHS were highlighted when you featured a story involving the theft of nine PCs from a hospital in Shrewsbury. Whilst I applaud the NHS for finally updating its quasi-Victorian records systems, it is glaringly obvious that this organisation must stop burying its head in the sand and address concerns regarding the security of patient information.
Studies continue to point to the password as an inadequate form of protection from security breaches. Simply put, the password is the digital equivalent of a combination lock, easily guessed, frequently stolen and cracked without too much effort by hackers using freely available tools. A simple solution is the two-factor authentication approach - something you know and something you have - which can dramatically improve the security of information by requiring proof of identity before being granted access to protected resources.
With the high sensitivity of data held on file by the NHS, Richard Granger's limp explanation for the lack of security measures in place to protect the new IT infrastructure and his unwillingness to take affirmative action become ever more apparent. Strong user authentication such as RSA SecurID would provide peace of mind that the personal details and identities of citizens do not fall into the wrong hands.
Tim Pickard RSA Security
Not that you are at all biased there, eh Tim?
Did anyone think our medical records were safe already?? I recently did a small amount of work for a local GP surgery - a very new & modern practice in Milton Keynes. I had a password and access to the system in order to check arrivals at the Reception desk. That's all I needed to do - I had no need, and certainly no right, to access any other records. So I was more than a little shocked to discover that merely having access to the system gave me unfettered viewing of the full details of everyone's medical record in the Practice. Our manager brought it to their attention, but I don't believe anything was done.
Frankly I'm not sure I'd trust the NHS to computerise my *cat's* medical records.
We'd love to hear from anyone inside the NHS who wants to explain what is being done to protect our information - something must be happening, after all. Drop us a line here.
This week also brought news that Lockheed Martin, defense contractors extraordinaire, will be building Javelin missiles in Basildon. Oh dear, we laughed to ourselves. Basildon residents take cover, we joked, before your cars are inadvertently destroyed by friendly fire.
More practical applications for the weapon flooded in:
I think you missed this one a bit. Javelin is one of those fire-and-forget weapons. You point the system at the target, you put the little pipper on the target, select the target, launch the missile and disappear. This is not a cheap system like an RPG, which is line-of-sight with a range of 400 meters and unguided (really a bazooka).
Javelin is all-weather, day-night, and good out to a few kilometers. The scenario is really more like taking out an armored car (bank pick-ups) at night several blocks away. The missile also locks onto the target so that if there are no objects in the way then the missile maneuvers to hit it. Unfortunately, if the missile warhead were to hit the cargo part of the truck then most of the cash will be a bit blown about.
How do you justify something this expensive? If a $100,000 US missile takes out a $1,000,000 tank (M-1A2, Challenger, Leopard II, T-80, etc) on the first shot then it looks just fine. Using one of these on just any car would be a waste, but that Rolls-Royce would make it a fair deal.
In Veritas, JH Appel
A friend of mine used to live in Basildon and having visited him several times there I can only say that there were times that I wished I had a Javelin handy. The accompanying link shows the effect of a Javelin against a fully fuelled and loaded T-72 - imagine what it could do to a chavved-up Nova whose stereo seems incapable of playing at anything less than 120dB...
Ok, maybe I'm being pedantic, but Javelin is the "Son of Stinger", not of Patriot. Patriot is a huge radar and turret system that takes forever to set up. Stinger/Javelin is a shoulder-launched missile, like a 21st Century Bazooka. Fire it, then throw away the launcher tube.
Secondly, Basildon is where they will make the control electronics. No missiles, no test firing, no explosives. Just boring old electronics.
Finally, I live and work near Basildon and don't understand why you would want to warn anyone there. The more cars blown up, the cleaner the gene pool will get. <LOL>
Lester says: I think you are being a little pedantic. In my book, if it's made by Lockheed Martin and Raytheon, stand well back. Good point about the gene pool, though.
Not to be too picky, but the Javelin and the Patriot aren't even remotely similar: one is anti-air with limited TBMD, the other is anti-armor.
Yeah, the blue on blue is bad, but if you want to be paranoid, be afraid of our windows based missile cruisers... -- Robert Lindsay
Hi Lester This is going to cause no end of trouble for a large number of my ex-colleagues in arms. The Royal Artillery (the drop-shorts to us infanteers) has been using a ground-to-air missile called Javelin for donkeys years. Now the Yanks come along, 20 years late as usual, and start hawking a ground-to-ground peashooter with the same bloody name.
Lester, 15 years ago I worked on the Javelin, better known then as AAWS-M (Anti-Armor Weapons System-Medium), while at TI. It's amazing to see how long it takes some weapons to get into production. Twenty years ago I worked on a project called Smart Weapons, which made the news during the Iraq War as JSOW. And the stuff I worked on ten years ago? Well, other than the bunker buster (which went from concept to delivery in 21 days), I still can't talk about it.
Name withheld for rather obvious reasons
The spam epidemic is now such that innocent computers are being forced to take days off work, it seems. These lazy hunks of silicon garnered no sympathy from our friends across the pond:
Greetings from Canada Lester,
Humph. Bunch of Wimps. I thought you Brits were made of sterner stuff. You know, stiff upper lip and barn boards for backbones.
Oh wait. I either made that last bit up or it's an Americanism.
When will the sniveling gutless masses get off their lard asses and install a browser without the weaknesses of Internet Explorer?
*I know!! I know!!* When Micro$oft releases SP-5-812-001 for Windows 2094 Pro Edition.
Lovely. We're all walking around with brain implants and the sixth generation Bill Gates clone sends us an update. The idea of a Sasser type worm crawling around in my head isn't appealing.
Regards, Doug Ratcliffe
And finally, a heart-warming letter from a concerned reader. This was prompted by the ongoing fight between mother, son (and anyone who wants to join in) on eBay about that PS2 auction...
I've been doing the internet thing for a long time, and I believe it was somewhere around 1985 when I heard this bit of advice: If a conversation degenerates to the point of critiquing another person's spelling or grammar, then the conversation has lost its value.
That said, I must, with mirth, and some sense of the inherent irony, point out that the clue-seller in this case misspelled "night" as "nite". This is atrocious. I do not believe that even Noah Webster butchered the Queen's English to this extent.
As well, I would gather from the thrust of their proffered "clue" that they have never been a parent, and/or that they are unaware of the laws regarding corporal punishment using belts and paddles in most states. As well, I wonder if it is really advisable, or legal, to threaten the life of one's progeny as the seller suggests (i.e.: "We brought you in, we can take you out.").
I suspect the author of not being a parent, also because I doubt that he put much thought into the true impact of such harsh negative reinforcement as he suggests. As a juvenile enters adolescence, he will be increasingly of the mind to push back the boundaries of his parents' authority, and to individuate himself thereby. The best way to help the child is to support his better judgement with love, and his poorer judgement with more love and understanding.
The kid's going to leave his parents soon enough anyway. Why not try to give him the confidence which comes only from the love, support, and understanding of one's family, rather than further alienating him by punishment for actions which are not all that atypical in a developing child of his age.
I think it is good that the seller of the clue found no buyers, as he clearly needs all the clues he can get. If and when he does find himself in the role of parent, I hope he has by then learned better than to promote the cycle of violence with a belt.
(As an aside, I have chosen the masculine pronouns despite the preferred plural - "...to support *their* better judgement..." - because in correct English grammar, such is the correct usage in cases where gender is non-specific, and also because in this case, it is a male child. I suspect it is also a male clue-seller).
P.S. The bit is entertaining throughout, my nitpicking notwithstanding. P.P.S. Now it is for someone else to point out my errors. It is only fitting. ;-)
Well, you all know where to send any corrections...®