Data Sharing Review

Michael Simpson ukcrypto at chiark.greenend.org.uk
Thu, 17 Jul 2008 14:48:41 +0100


On 7/17/08, Ian Batten <igb@batten.eu.org> wrote:
>
> On 17 Jul 08, at 1154, Michael Simpson wrote:
> > What i meant was:
> > Using a well designed RBAC system based on use of secure Cryptographic
> > algorithms where the initial design has been informed by individuals
> > or companies with a track record of being able to implement secure
> > systems would be the solution to the huge trust problem that is
> > creating electronic able-to-be-shared patient records.
> >
>
> Define `secure'.  Secure so that only the right people can see and modify
> the information?  Define `right people'.  Define `the information'.   Are
> there exceptions to who the `right people' are?  Define those.
>
absolutely

> The only people with a track record of implementing secure systems on a
> large scale are the military and intelligence services.  Personally I'd be
> happier about a medical IT system being operated by CESG than I would by the
> NHS itself, but I suspect a lot of people might not agree with me.
>

having done 13 years in the NHS in Scotland i might be tempted to agree

> > This system
> > should be open to peer-review and tested (and attacked) repeatedly
> > (for ever) in order to ensure that the implementation has not
> > compromised the security of the underlying "published and thought to
> > be secure so far" crypto protocol used.
> >
>
> Really?  You mean someone gets a free pass to break into a doctor's house,
> put a knife to their young child's throat and ask her father to hand over
> the information?  To phone up your office when you're on holiday, tell them
> I need one of your patient's records, and to call me back on 123 4567?  Or
> are you assuming that information threats play by the Queensberry rules?
>
where did you get the info for that assumption?

in the same way that bank robbers can do the same. rare cases of
extreme circumstances should not lead to systems not being attempted

> No one is going to attack a health records system with a subtle differential
> cryptanalytic attack on the S Boxes.  No one's even going to engage in
> subtle side-channel attacks on crypto hardware.  They're going to social
> engineer well-meaning medical staff (if they're after information for mild
> reasons) or they are going to terrorise medical staff (if they're after
> something for harder reasons).
>
and if there is no sort of protection then the bar is set so low they
can have a total field

i get the impression that you don't want an EPR
:-)

> >
> > I like using systems that work and have been shown to be secure so
> > far.
> >
>
> Such as?  Not crypto algorithms, but _systems_ that work?  On the scale of
> the medical records of a medium-sized developed country?  I've worked in IT
> for more than twenty years and I can't think of a single example of a
> non-military system for confidential data that hasn't leaked like a sieve.

like cracking mainframes with modems and 4-number PINs.
newer attack surfaces all the time.

> Not one of those, so far as I know, was attacked at the protocol level.  If
> you put the CD and the key in the same envelope, the algorithm doesn't
> matter.
>

again i agree with the blame levelled at bad design and poor
implementation and just plain good ol' stupidity
however if the mil can do it why not leverage their experience?

> > I also am an optimist
> >
>
> Then don't work in security.  It's about pessimism: what happens if people
> _don't_ follow the rules?
>
yeah i know that, i like fuzzers and perl (though with pear i am
moving more towards php)
you don't have to be a negative individual to be effective at
generating attack trees.
and everyone can get lackadaisical
cf Dan Coker's user as root box getting compromised because of the
vmsplice issue

>
> > and would like to think that it is possible
> > to achieve the nirvana like state of having shared records with proper
> > authentication, authorisation, and
> > non-repudiation/accountability.
> > From my repeated reading of Bruce Schneier's work this would seem to
> > suggest some sort of use of cryptography.
> >
>
> I can quote a list of people who don't believe in Bruce Schneier's book on
> crypto (a copy of which is by my left hand).  Amongst them are Bruce
> Schneier.
>

that's a whole lot of mental effort on my part down the swanny
happy days!

> ian

i reckon that no matter what is said gov will go for a centralised
data resource for our medical records and i don't trust them.
what do you suggest would be the better option for securing those if
in fact "don't do it" is no longer an option?

best wishes

mike