(Fwd) R.I.P. and NHSNet

Dr Alan Hassey alan.hassey at btinternet.com
Mon, 31 Jul 2000 23:51:00 +0100


Ross
We (NHS Encryption Programme Board) took on board all the messages you sent
me/us in the preparation of PMEP (path messaging enabler project - yup good
NHS name) - and while accepting much of what you said, the EPB wanted to
stick with point to point encryption for path messages because:

1. We wanted to send a signal loud & clear to the NHS & the clinical
professions that encryption of clinical messaging was not only feasible but
essential - and we needed to do it NOW (or at least soon)
2. The technology demonstrators for point to point EDIFACT encryption &
origin authentication had worked
3. We were very worried about the technology overheads in practices & path
labs. The level of technical skill in 10,000 UK practices was generally felt
to be low - therefore we must keep it all simple. Many path labs were in
much the same boat - most still running on 16 bit machines.
4. As for 3 - the PKI infrastructure needed to be easy to manage & roll-out
had to be glitch-free. Path labs particularly had concerns about managing
many keys.
5. We need(ed) to succeed. The NHS does not have a track record of
successful IT project management. Therefore - take a little step in the
right direction & take everybody with you. Failure is not acceptable
professionally.
6. Build on 5 above - next steps are towards database encryption, individual
keys & a managed PKI

===
Dr Alan Hassey (mailto:alan.hassey@btinternet.com)
RCGP Health Informatics Group
Joint Computing Group (GPC - RCGP)


Alan

Back in the days we were tearing into Red Herring, I warned that doing
the security from the hospital's EDIFACT translator to the practice's
was a bad idea for a number of reasons. For example, the hospital's
signature on the batch is an institutional signature on 100 odd path
lab reports at a time, not an individual pathologist's signature - so
how do you know who's responsible? And how do you verify a signature
unless everything's kept? This is just mad given the different time
periods for which different stuff has to be retained. You only need a
single patient to demand destruction of a record for data protection
reasons once she registers with another practice, and you lose
protection on the lot.

RIP now gives another compelling reason why medical system security
must be end-to-end and not built into the infrastructure. Of course, I
expect the real reason they wanted the crypto to go in a black box in
the hospital computer room was so that the medical profession would
lose control of it to IMG ...

Ross
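
Ross's batch-versus-individual signature point, as an added example that is not part of the original thread: an institutional signature over a whole batch stops verifying once any one report is deleted, and names no individual, whereas per-report signatures survive deletion and bind a named pathologist. It uses HMAC as a stand-in for a digital signature and constructed sample reports and keys, so it runs offline.

```python
import hashlib
import hmac
import json

# Constructed sample data (not real patients or keys): one lab batch of five reports,
# each reported by a named pathologist.
LAB_KEY = b"constructed-hospital-lab-key"
PATHOLOGIST_KEYS = {"dr-a": b"constructed-key-a", "dr-b": b"constructed-key-b"}
BATCH = [
    {"patient": f"P{i:03d}", "test": "FBC", "result": f"Hb {120 + i}",
     "signed_by": "dr-a" if i % 2 == 0 else "dr-b"}
    for i in range(5)
]

def canon(obj) -> bytes:
    """Canonical serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, payload: bytes) -> str:
    # HMAC stands in for a real digital signature so the example needs no extra libraries.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_batch(reports):
    """Institutional model: one lab signature over the whole batch."""
    return sign(LAB_KEY, canon(reports))

def verify_batch(reports, sig) -> bool:
    """Verifies only if every report of the original batch is still present and unchanged."""
    return hmac.compare_digest(sign_batch(reports), sig)

def sign_each(reports):
    """Per-report model: each report is signed with the key of the pathologist it names."""
    return [sign(PATHOLOGIST_KEYS[r["signed_by"]], canon(r)) for r in reports]

def verify_each(reports, sigs):
    """Returns (patient, signer, ok) per report; each report verifies independently."""
    return [(r["patient"], r["signed_by"],
             hmac.compare_digest(sign(PATHOLOGIST_KEYS[r["signed_by"]], canon(r)), s))
            for r, s in zip(reports, sigs)]

def delete_patient(reports, sigs, patient):
    """Honour a deletion request: drop one record together with its own signature."""
    kept = [(r, s) for r, s in zip(reports, sigs) if r["patient"] != patient]
    return [r for r, _ in kept], [s for _, s in kept]
```

After `delete_patient` removes one record, `verify_batch` on the remaining four fails against the original batch signature, while `verify_each` still passes for all four and reports which pathologist signed each one.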