R v.Lambert House of Lords and RIP reverse-burden-of-proof

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Sun, 15 Jul 2001 13:22:47 +0100


Adrian:

> it seems to me that firstly the purpose of the NHS PKI requires that
> it is actually at least a national PKI, to include gov and patients,
> and that in fact the number of organisations or even patients I
> correspond with is quite manageable by the sort of bipolar crypto
> streams you use.

This is yet another case where the issues seem at first sight to be
technical security matters, but on a deeper examination come down to
economics.

At the technical level, bipolar crypto will do for the declared
purpose - communicating with path labs. So would plaintext email: the
main threat to patient confidentiality is not that Milburn will tap
the NHS network (which would be expensive) or tap email at your ISP
(see discussions passim on Carnivore) but that he will just compel
bulk disclosure from the lab. So a better way of protecting patients
would be to use the practice number rather than putting the patient's
plaintext name and date of birth on the sample. If the path lab system
complains, it's not beyond the wit of people on this list to develop a
program that encrypts names and dates of birth into ciphertexts that
also look like names and dates of birth.

Speaking as a patient, however, I think it's at least as important for
you to persuade more GPs to do as you do - have a web site, hosted on
a private ISP rather than NHSnet, and a facility to send email to the
practice. I note that you use plaintext email. I am fairly relaxed
about that; I am more irritated by the fact that most practices with
web sites use them for one-way communication only.

If I were a GP, I'd go even further down your road. I'd provide
web-based forms for ordering repeat prescriptions, making
appointments, getting test results, and even supporting interactive
care - e.g., where heart patients do INR tests at home weekly and
report results. I'd try to build interactive systems for patients on
weight reduction and exercise programmes to check in body mass, weekly
exercise attainments, resting ventricular rate, and so on - and
provide them with suitable encouragement or chastisement. 

In short, I'd run it like a practice in California. I'd try to get
real improvements in outcomes through more efficient health promotion,
and I'd certainly save the time of front desk staff - and avoid some
unnecessary appointments. I'd engineer all sorts of other hacks; for
example, if I ran a surgery from 6-8 once a week for commuters, that
would be web bookable only (to encourage the unwaged to use the
daytime sessions). I would also hope for marketing gains; with a more
modern image I'd have a hope of getting more patients on my NHS list,
and more private work.  If all else failed, by getting a more
techno-savvy patient base I'd have proportionately more young healthy
people on my list and so more income for the same amount of effort.

Why don't most British GPs do this? Why is innovation so moribund?
Is it a side-effect of the generally low morale?

Every other business in Britain, above the level of a corner shop, now
communicates electronically with its customers. All too many GPs use
the `need for encryption' as one of a number of excuses not to. Having
been the person who alerted the medical profession to IT security
issues, I feel somewhat frustrated at seeing the issues turned into 
yet another mechanism for demand suppression and patient avoidance.

The problem is that British GPs seem to want it both ways. You want
systems provided for free by Milburn, but when you (inevitably) get a
network with (at least the potential for) central surveillance and (at
best) escrowed encryption, you don't want that either. But the man
with the chequebook gets his way in the end.

The lesson of GP computing, over the six or seven years I've observed
it, is that systems paid for by doctors work, while those paid for by
civil servants don't. Thus the civil servants subvert your systems -
and where you go wrong is in allowing the promise of relatively small
NHS subsidies for computer systems and network capacity to capture
your requirements process. The solution is for you to buy the systems
_you_ need, using money that comes out of _your_ bank accounts, and
instruct your negotiators that under no circumstances will you
tolerate any more subsidies. Accept pay rises _only_ if they are added
directly to your capitation fees in the main GP contract. Otherwise,
as you hint, it's time to start a grown-up debate about how we should
organise healthcare in Britain after the collapse of the NHS.

Ross
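The "ciphertexts that also look like names and dates of birth" idea above, worked through for the date-of-birth half only, as an added example that is not part of the original post: a format-preserving encryption that maps a date of birth onto another valid date, built from an HMAC-based Feistel permutation with cycle-walking. The key, the accepted date range and the round count are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed demo key: the practice would hold a real key; the lab never sees it.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

EPOCH = date(1880, 1, 1)             # earliest date of birth the scheme accepts
DOMAIN = (date(2079, 12, 31) - EPOCH).days + 1   # number of valid dates (~73k)
HALF_BITS = 9                        # two 9-bit halves: 2**18 = 262144 > DOMAIN
MASK = (1 << HALF_BITS) - 1
ROUNDS = 8

def _round_fn(key, rnd, half):
    # Keyed round function: HMAC-SHA256 truncated to one 9-bit half-block.
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MASK

def _forward(key, x):
    # One pass of the Feistel permutation over the 18-bit space.
    left, right = x >> HALF_BITS, x & MASK
    for r in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, r, right)
    return (left << HALF_BITS) | right

def _inverse(key, x):
    # Exact inverse of _forward: undo the rounds in reverse order.
    left, right = x >> HALF_BITS, x & MASK
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, r, left), left
    return (left << HALF_BITS) | right

def encrypt_dob(key, dob):
    """Map a date of birth to another valid date, deterministically under key."""
    x = (dob - EPOCH).days
    if not 0 <= x < DOMAIN:
        raise ValueError("date outside the supported range")
    y = _forward(key, x)
    while y >= DOMAIN:          # cycle-walk until the result is a valid date
        y = _forward(key, y)
    return EPOCH + timedelta(days=y)

def decrypt_dob(key, token):
    """Recover the real date of birth from a token produced by encrypt_dob."""
    x = _inverse(key, (token - EPOCH).days)
    while x >= DOMAIN:          # walk back through the same out-of-range values
        x = _inverse(key, x)
    return EPOCH + timedelta(days=x)

if __name__ == "__main__":
    real = date(1957, 3, 14)
    tok = encrypt_dob(KEY, real)
    print(real, "->", tok, "->", decrypt_dob(KEY, tok))
```

Because the mapping is deterministic, repeat samples from one patient carry the same token, which lets the lab reconcile them but also makes tokens linkable across a bulk disclosure; only the key holder (the practice, not the lab) can reverse them.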