Data Sharing Review

Ian Batten ukcrypto at chiark.greenend.org.uk
Thu, 17 Jul 2008 15:42:03 +0100


>
> in the same way that bank robbers can do the same.

And banks have procedures which attempt to mitigate that risk, both to  
staff and the bank.  Sometimes they fail, but banks take staff safety,  
especially key holder safety, very seriously.

> rare cases of
> extreme circumstances should not lead to systems not being attempted

Perhaps not, but the rare circumstances should be considered and risk  
analysed.  You may decide to carry the residual risk, but merely  
shrugging your shoulders as if to say ``Rare?  Hard?  Ignore'' isn't  
enough.

It's your optimism, again.

My risk analysis runs as follows.

I don't have any allergies that I know of, and having reached my mid-forties
without having a GA I have no idea if I would have a reaction
to that.  I'm taking no medication, and have never taken anything more  
than obsolescent antibiotics for recurrent bronchitis thirty years ago  
and NSAIDs of various sorts for the odd ache and pain.  I have no
family history of anything well defined.   I had a vasectomy under  
local anaesthesia four or five years ago, and eighteen months ago I  
had 50mg of IV ketamine  and a night in hospital while a full colonel  
reduced my dislocated ankle.    That's my sole sharp-end experience of  
any part of the NHS other than the GP practice I've been registered  
with all my life (the senior partner's brother-in-law delivered me).

So, my medical records can do nothing to help me.  If I'm taken into a  
hospital unconscious, there's nothing in there to affect treatment.  A  
GA will have to assume I might react, because it's an unknown.    
They're going to have to check my blood type, because no-one ever  
has.  It'll be a mystery if that strange signal on my EEG or ECG is  
long-standing or not, because I've never had either.

So, there's a potential downside to my records leaking: address, NHS
number: ID theft heaven.  And there's no upside.  So no amount of
security can make that balance positive for me, and I should 93C3 my
records under all circumstances.

>
> again i agree with the blame levelled at bad design and poor
> implementation and just plain good ol' stupidity
> however if the mil can do it why not leverage their experience?

Their access control involves rather more barbed wire, dogs, 5.56x45  
and 9x19 than the typical NHS hospital or data centre has available.   
They can insist on clearance for staff.  They can write ``NOFORN'' on  
documents and mean it.   They aren't subject to whole swathes of  
legislation.  They can discipline staff, up to and including  
imprisonment, without recourse to the UK courts.  They have crown  
immunity, de facto or de jure, in many areas.  They have a totally  
defined chain of command.   The staff treat the data like their lives  
depend on it because, in many cases, they actually do.  It's a  
different world.


>
> i reckon that no matter what is said gov will go for a centralised
> data resource for our medical records and i don't trust them.
> what do you suggest would be the better option for securing those if
> in fact "don't do it" is no longer an option?

Here are your records Mr Batten, on this USB stick.  (Seen those Super  
Talent Pico-C ones?  Very neat).  It's not encrypted, but there are  
binaries of our recommended encryption for OSX, Windows, Linux and  
Solaris on the stick too.  If you want the source, it's there too:  
feel free to audit it yourself or pay someone you trust to do it.  Or  
use another encryption package, your choice, provided it is a drop-in  
replacement.  It's up to you, though: if you encrypt it and don't have
a way to get the keymat to us in the event that you're not capable of telling
us, or you simply don't have the stick available, it might affect your
treatment.  And if _that_ worries you, then we'll look after a replica  
on our spiffy computers and make it available over the network when  
you attend the hospital, under this governance policy.

Personally, see above, I'd shove the stick unencrypted in my wallet:  
it's of no more value than anything else in there.  I'd make a few  
backup copies, though, and those I'd lightly encrypt.  Others, perhaps  
those with, er, chaotic lifestyles, will take the online option.   
Others will encrypt all the copies.

ian