Data Sharing Review
Ross Anderson
ukcrypto at chiark.greenend.org.uk
Thu, 17 Jul 2008 15:41:12 +0100
> Using a well designed RBAC system based on use of secure Cryptographic

RBAC isn't a magic bullet any more than cryptography is. In fact the
currently deployed DCR systems use it, and it causes severe problems.
For example, receptionists should not be able to see psychiatric case
notes, yet this happens with newly deployed NHS systems. The reason is
that the designers decided (a) that each patient would have a single
record (b) that a member of staff would have access if their role
enabled them to have access and if they had a legitimate relationship
with the patient.
Now receptionists need to see patient records, or they can't receive
them; and they have a legitimate relationship if the patient's standing
there in front of them. The bug of course is that there should not be a
single womb-to-tomb record. We figured all this out in the mid-1990s.
However, for theological reasons, the NHS computer folks did not want
to listen. The 'Single Electronic Patient Record' had appeared on so
many powerpoint slides, and so many careers had been harnessed to it,
that no-one wanted to know.
Now they talk about a 'sealed envelope' which would in effect create
the multiple records that are in fact needed. (The BMA policy, which I
wrote in 1995, divided your clinical data into discrete records each
with a single access control list). However the sealed envelope is too
late, and the LSP budgets don't provide for it, and the spec isn't
ready yet, and in any case you can't do security as an add-on.
So now everyone who has access to your medical record can see just
about everything in it - with consequences for patient safety and
social policy that are starting to be documented. See for example
www.aims.org.uk (and their most recent press release)
Ross
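The two access-control designs contrasted in the post, as an added worked example (this is not code from the post, from the NHS systems, or from the BMA policy; the role names, the partition of a patient's data into three records, and the ACL contents are constructed assumptions). Model A is the deployed design described above: one record per patient, readable by anyone whose role permits record access and who has a legitimate relationship with the patient. Model B is the design the post attributes to the 1995 BMA policy: the clinical data divided into discrete records, each with its own access control list. The `overexposed` check reports what Model A reveals that Model B would deny.

```python
"""Single-record RBAC versus per-record ACLs for clinical data.

Constructed example: roles, record partitions and ACL membership are
assumptions made for illustration, not taken from any real system.
"""

# Constructed sample: a patient's clinical data, split into discrete parts.
PATIENT_DATA = {
    "demographics": "name, address, date of birth",
    "gp_notes": "general practice consultation notes",
    "psychiatric_notes": "psychiatric case notes",
}

# Model A: coarse role permission on the single womb-to-tomb record.
# (Assumed role set; 'porter' stands in for a role with no record access.)
ROLE_MAY_VIEW_RECORD = {
    "receptionist": True,
    "gp": True,
    "psychiatrist": True,
    "porter": False,
}


def readable_parts_single_record(role: str, legitimate_relationship: bool) -> set:
    """Model A: access = (role permits viewing records) AND (legitimate relationship).

    Because there is only one record, the decision is all-or-nothing: a
    receptionist with the patient standing in front of them gets every part.
    """
    if ROLE_MAY_VIEW_RECORD.get(role, False) and legitimate_relationship:
        return set(PATIENT_DATA)
    return set()


# Model B: each discrete record carries its own ACL (assumed membership).
RECORD_ACLS = {
    "demographics": {"receptionist", "gp", "psychiatrist"},
    "gp_notes": {"gp", "psychiatrist"},
    "psychiatric_notes": {"psychiatrist"},
}


def readable_parts_split_records(role: str, legitimate_relationship: bool) -> set:
    """Model B: the relationship test still applies, but each record is
    checked against its own ACL, so the receptionist sees only what the
    front desk needs.
    """
    if not legitimate_relationship:
        return set()
    return {name for name, acl in RECORD_ACLS.items() if role in acl}


def overexposed(role: str) -> set:
    """Parts that Model A discloses to this role but Model B withholds.

    Useful as a review check when comparing an access-control design against
    a per-record policy: a non-empty result is the over-disclosure.
    """
    return readable_parts_single_record(role, True) - readable_parts_split_records(role, True)


if __name__ == "__main__":
    for role in ROLE_MAY_VIEW_RECORD:
        print(f"{role:13s} single-record: {sorted(readable_parts_single_record(role, True))}")
        print(f"{'':13s} per-record ACL: {sorted(readable_parts_split_records(role, True))}")
        print(f"{'':13s} over-exposed:   {sorted(overexposed(role))}")
```

Running it shows the failure the post describes: under Model A the receptionist reads `psychiatric_notes`; under Model B the same receptionist, with the same legitimate relationship, reads only `demographics`. The "legitimate relationship" test is necessary in both models but cannot substitute for per-record access control, because it says nothing about which parts of the data the role needs.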