securing distributed partial medical records?
signup at bealoid.co.uk
Sun Jul 26 23:06:57 BST 2009
Quoting Roger Hayter <roger at hayter.org>:
> In message <4A6C28C6.1040707 at gmail.com>, Adrian Midgley
> <amidgley at gmail.com> writes
>> Ross Anderson wrote:
>>> Quoting signup at bealoid.co.uk:
>>
>>> The techie would be far better trained, and have a far better
>>> understanding of "file locking, version control, access and
>>> write levels / permissions". The gynaecologist didn't have
>>> such training: she had incentives, from a direct duty of care
>>> to her patients, through to the survival of her business.
>>>
>>> Ross
>>>
>>
>> This is my feeling about the threat model.
>> I'd also add that the temptation for perfectly honest people to
>> perfectly honestly believe that what they are doing with access to
>> centrally held data is perfectly honest and wholly beneficial and that
>> nobody need be told about it, act on that perfectly honestly held belief
>> and later receive a horrible surprise when a different view surfaces
>> along with a long history of perfectly honest misunderstanding is
>> reduced if the xrays are on the xray server, the lab results on the lab
>> server, the GP notes on the GP server, and each server keeps a record of
>> who asks for things, and tells its custodian.
i) Each person in the chain may well think "this isn't so bad, it's
not everything, it's just an xray, it's not all the history"
ii) It would tend not to be "xrays on the xray server" but everything
from Thistown Hospital on Thistown servers, and everything from
Thatplace Hospital on Thatplace servers. Lab results, xrays, MRIs,
etc. etc. get split up by hospital, not by type of service. Going to
different hospitals, or outside your LHA / SHA area, can cause
problems. I dread to think what happens if people need to go outside
the country.
> Quite agree. If the choice is between a thoroughly competent
> engineer and technical team working under political direction and my
> GP I would much rather have the latter looking after my data, for
> reasons which have been much rehearsed on this list. And I believe
> 99% of GPs are much more knowledgeable about health data security
> and confidentiality, and its implications, than most "experts".
But that isn't what happens now - the GPs employ practice managers and
outsource the computer stuff. So you've got the worst of both worlds
- people with sometimes scarily low levels of technical clue in charge
of data, getting support from a whole bunch of techies who may not
have best current practice in confidentiality. And the GPs who you
want to be in charge sometimes have nothing (absolutely nothing) to do
with confidentiality.
BUT: I have no hard data to back up my views. I'd be interested to
see how many technicians (of whatever level) are accused of leaking
personal data versus receptionists, admin staff, etc in GP surgeries.
I'd also be interested to see how many Caldicott guardians are GPs vs
practice managers.
As for the policeman example given earlier: All that officer had to do
was go back another day and talk to another member of staff. Social
engineering will always be a risk.
More information about the ukcrypto mailing list