MTAS and other NHS websites
Peter Tomlinson
ukcrypto at chiark.greenend.org.uk
Mon, 07 May 2007 10:39:53 +0100
Roland Perry wrote:
> In article <w53ZrCBldtPGFwuD@tigers.demon.co.uk>, Mary Hawking
> <maryhawking@tigers.demon.co.uk> writes
>
> >
> >> And at a different level:
> >>
> >> (3) Turn off the web browser's facility where it lists the
> >> filenames in the absence of an index.html file in that folder -
> >> or maybe have an index.html that requires a [fsvo] trusted person
> >> to edit it when new and approved files are uploaded.
> >>
> >> Of course, this also begs the question of who writes the
> >> procedures, who is "trusted", and what "approved" means.
> >
> > Part of the business plan for that website?
>
> Part of the security policy for the website - or failing that, a
> security policy for the organisations involved (both the NHS and the
> outsourced hoster).

A policy that is detailed, not just broad brush.

Methinks that a lot of people in the public sector who ought to, do not
know about detailed security policies and processes. But a local health
centre ought to have them - and not just about its IT.

(A note about data errors: my local health centre has the incorrect
spelling for the name of my street - not an alternative, just wrong:
there is a letter missing from the name. Asked to correct it, they said
they cannot. Will I thus become a non-person when the data gets uploaded
to the big database?)

Peter