MTAS and other NHS web sites

[Ian G Batten]

On 1 May 2007, at 08:33, Peter Tomlinson wrote:
> those responsible for the cockup should face major penalties  
> (including those who commissioned a computer system that would be  
> put into operation without full testing for security, function and  
> capacity, in flagrant disregard of govt policy and guidelines -  
> such testing would probably have meant delaying the system's  
> introduction until the next round, but so what?).

There's a whole world of consultants whose business comes almost  
entirely from consulting with government over security, and yet in  
this case a critical government website was both designed and  
operated in a manner which is both procedurally and technically  
flawed.   Clearly, people who know what they're doing like CESG audit  
the consultants, and the consultants in turn employ high quality  
people.  I'm neither Fujitsu Services nor Fujitsu Consulting as was,  
but such FS people who work in the secure government space as I've  
had dealings with have obviously been at the top of their game.

And yet, all that said, we get an amateur-hour incident like MTAS.   
So what went wrong?  I've got a bunch of questions down via my MP  
about the lessons learnt, but neither I nor her expect an answer of  
fine detail.  Was it that the outsource didn't consider security?   
Was it that the security had the wrong threat model?  Was it that  
naive assumptions about ``everyone with legitimate access to some  
data has legitimate access to all data''?  This last is the main  
worry I have about the NHS spine and the Identity Register databases,  
so it's worrying if it's crept into a high-profile government debacle.

ian