(Fwd) R.I.P. and NHSNet
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Mon, 31 Jul 2000 19:05:10 +0100
> Each EDI message (initially at least) will contain multiple EDI transfers -
> potentially hundreds - for incorporation into individual EPRs.
Alan
Back in the days we were tearing into Red Herring, I warned that doing
the security from the hospital's EDIFACT translator to the practice's
was a bad idea for a number of reasons. For example, the hospital's
signature on the batch is an institutional signature on 100-odd path
lab reports at a time, not an individual pathologist's signature - so
how do you know who's responsible? And how do you verify a signature
unless everything's kept? This is just mad given the different time
periods for which different stuff has to be retained. You only need a
single patient to demand destruction of a record for data protection
reasons once she registers with another practice, and you lose
protection on the lot.
RIP now gives another compelling reason why medical system security
must be end-to-end and not built into the infrastructure. Of course, I
expect the real reason they wanted the crypto to go in a black box in
the hospital computer room was so that the medical profession would
lose control of it to IMG ...
Ross
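
The batch-signature problem raised in the message above, as an added example that is not part of the original e-mail: one institutional signature over a batch of 100 reports stops verifying as soon as a single record is destroyed, while per-report signatures still verify and still name a signer. HMAC-SHA256 stands in for a real digital signature to keep the code stdlib-only; the keys, signer names and report contents are all constructed.

```python
import hashlib
import hmac

# Stand-in for a digital signature (assumption: a real system would use an
# asymmetric scheme). All keys, names and report text are constructed.
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)

def encode_batch(reports):
    # Length-prefix each report so the batch encoding is unambiguous.
    return b"".join(len(r).to_bytes(4, "big") + r for r in reports)

HOSPITAL_KEY = b"constructed-hospital-translator-key"
PATHOLOGIST_KEYS = {"dr_a": b"constructed-key-a", "dr_b": b"constructed-key-b"}

def make_reports(n=100):
    return [f"patient={i:03d};result=constructed".encode() for i in range(n)]

def batch_scheme(reports, destroyed):
    """One institutional signature over the whole batch.

    Returns whether the practice can still verify it after the records
    whose indexes are in `destroyed` have been deleted.
    """
    sig = sign(HOSPITAL_KEY, encode_batch(reports))
    kept = [r for i, r in enumerate(reports) if i not in destroyed]
    return verify(HOSPITAL_KEY, encode_batch(kept), sig)

def per_record_scheme(reports, destroyed):
    """Each report signed individually by a named pathologist.

    Returns (signer, still_verifies) for every report that was kept.
    """
    signed = []
    for i, r in enumerate(reports):
        signer = "dr_a" if i % 2 == 0 else "dr_b"
        signed.append((signer, r, sign(PATHOLOGIST_KEYS[signer], r)))
    kept = [s for i, s in enumerate(signed) if i not in destroyed]
    return [(who, verify(PATHOLOGIST_KEYS[who], r, sig)) for who, r, sig in kept]

if __name__ == "__main__":
    reports = make_reports()
    print("batch, nothing destroyed:", batch_scheme(reports, set()))
    print("batch, one destroyed:    ", batch_scheme(reports, {42}))
    results = per_record_scheme(reports, {42})
    print("per-record, one destroyed:", len(results), all(ok for _, ok in results))
```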