Data Sharing Review

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Fri, 18 Jul 2008 21:33:15 +0100


Michael Simpson wrote:
> On 7/17/08, Ian Batten <igb@batten.eu.org> wrote:
>>> Once patients got used to putting their finger into a reader (for
>>> instance) prior to consultations with GPs, pharmacists, nursing staff,
>>> SHOs (or whatever they are called these days) in hospital then it
>>> would become routine very quickly.
>>>
>> Yes, because clearly getting people used to using a biometric identifier
>> every time they contact the state is a desirable outcome.  I presume you
>> support using fingerprints for school meals, on similar (``it would become
>> routine very quickly'') grounds?
>>
> 
> no.
> But using fingerprints/iris scans to safeguard their data is a
> *slightly* different matter.
> In some spheres of addictions it is being used to increase patient safety
> <www.methameasure.co.uk>
> This is in use across many pharmacies in Glasgow and has stopped
> people from getting the wrong dose of what can be a pretty lethal
> drug.

It's probably more use to prevent junkies getting more meth than they're 
prescribed. Which they will then sell or give away.

> Not everything is a slippery slope to 1984.

....
> 
>>>
>>> It would also give them reassurance that they had control over their
>>> information which is something that nobody has any assurance of at
>>> present.
>>>
>> How?  Just because I need to use my fingerprint to access a system tells me
>> nothing about who else has access to it.  It just provides a false sense of
>> security.  It's like those fingerprint reader laptops: all I need to do is
>> open the drive bay with the handy plastic lugs, remove the hard drive with
>> the handy pull-off connector (SATA, now, so fewer pins to bend) and I've got
>> all the data.
>>
> 
> really.
> good luck trying to decrypt the data on my laptop's harddrive without
> access to a working quantum computer (probably)
> fingerprint hash is passphrase for large key hence without it (except
> for specific emergent situation) no data

How do you do that? Getting a consistent and cryptographically secure 
(eg 128-bit entropy) hash from a fingerprint isn't easy.

If it's a small-entropy hash, as seems likely, acting as a passphrase - 
the hash/long key conversion is still stored somewhere on the drive.

Besides, getting someone's fingerprints isn't exactly hard. They are 
probably on or in the laptop somewhere ...


> GP as data controller (they act as gatekeepers for all other bits of
> NHS after all)
> 
>>>
>>> PKI with some sort of key escrow accessible by specific medics (senior
>>> A&E docs) would enable this to happen
>>>
>> Except the senior A&E docs would delegate their authority to junior staff,
>> who would delegate it to the receptionists.
> 
> How, by giving them their finger or eye. I believe that there are
> fingerprint devices with pulse oximeters built in to stop this.
> Make it a clinical governance issue and tell them that each time they
> do delegate it they will lose a discretionary point.

And either the consultants etc will spend all their time giving the 
secretaries authorisation, or treatment will be delayed waiting for them 
to arrive.

>> ian
>>
> 
> The mistakes that are being made right now due to still being on paper
> records and a total lack of joined up thinking between primary and
> secondary care need to be stopped by designing systems to take over
> the whole process. My point is that the patients need to be in control
> of where their data is used or I for one will absolutely refuse to
> have any of my personal data placed anywhere near the system.
> 
> <preaching to the choir>
> 
> Cryptography is the ideal solution where there are trust issues, we
> are in a unique position of being able to design systems that are
> secure and trustworthy from the outset, learning from previous
> failures. We should grasp the nettle with both hands.
> 
> </preaching to the choir>

Your systems?

Not my choir.

-- Peter Fairbrother
> 
> regards
> mike
> 
>
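An added illustration of the point Peter makes about a small-entropy fingerprint hash acting as a passphrase (this is not code from the thread or from any product it mentions). It assumes, purely for the demonstration, that a reader yields a consistent template with only TEMPLATE_BITS of entropy, and that the "hash/long key conversion" stored on the drive is a salt, a wrapped 128-bit data key and a tag; the function and variable names are invented here.

```python
import hashlib
import hmac
import secrets

# Assumptions for illustration (not from the thread): the reader produces a
# consistent template carrying only TEMPLATE_BITS of entropy, encoded in 4 bytes.
TEMPLATE_BITS = 14
KDF_ITERATIONS = 10   # kept tiny so the demonstration runs in seconds


def template_to_bytes(template: int) -> bytes:
    return template.to_bytes(4, "big")


def wrap_data_key(template: bytes, data_key: bytes, salt: bytes) -> bytes:
    """Derive a key-encryption key from the template and wrap the 128-bit data key.

    The salt, wrapped key and tag are the 'hash/long key conversion' that has to
    live on the drive so the laptop can unwrap the real key at boot.
    """
    kek = hashlib.pbkdf2_hmac("sha256", template, salt, KDF_ITERATIONS, dklen=16)
    wrapped = bytes(a ^ b for a, b in zip(kek, data_key))
    tag = hmac.new(kek, wrapped, "sha256").digest()[:8]
    return salt + wrapped + tag


def unwrap_data_key(template: bytes, blob: bytes):
    """Return the data key if the template checks out, else None."""
    salt, wrapped, tag = blob[:16], blob[16:32], blob[32:40]
    kek = hashlib.pbkdf2_hmac("sha256", template, salt, KDF_ITERATIONS, dklen=16)
    expected = hmac.new(kek, wrapped, "sha256").digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(kek, wrapped))


def recover_from_drive_alone(blob: bytes):
    """What holding only the removed drive allows: try every possible template.

    The work is 2**TEMPLATE_BITS KDF calls, not 2**128: the scheme's strength is
    bounded by the template's entropy, not by the length of the wrapped key.
    """
    for candidate in range(1 << TEMPLATE_BITS):
        key = unwrap_data_key(template_to_bytes(candidate), blob)
        if key is not None:
            return candidate, key
    return None


def demo() -> bool:
    data_key = secrets.token_bytes(16)                      # genuine 128-bit disk key
    finger = template_to_bytes(secrets.randbelow(1 << TEMPLATE_BITS))
    blob = wrap_data_key(finger, data_key, secrets.token_bytes(16))
    found = recover_from_drive_alone(blob)
    return found is not None and found[1] == data_key
```

Raising the KDF iteration count only scales the cost linearly; the exponent stays TEMPLATE_BITS, which is why a biometric template cannot stand in for a high-entropy passphrase when the wrapped key is on the same drive.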