« Alert for ID card security
US-VISIT exit system not in place, nor likely to be in the foreseeable future »

ContactPoint: ‘culture of violation’

July 17th, 2007

Whitehall officials strongly defend the security of the large centralised database that is being built as part of the Care Records Service of the National Programme for IT [NPfIT]. NHS Connecting for Health, which runs a major part of the NPfIT, points out that nobody can access it without leaving a trace in the audit trail. But who is going to police the audit trail in a busy NHS. And what if nobody polices it even if they’re supposed to?

This is what we have been saying all along.

Perhaps disciplinary action can be taken against misuses of the database, but by then it may be too late to protect the confidentiality of personal data. If the security at a local GP practice is breached, it will not affect huge numbers of files. But a national database will contain millions of records.

Precisely. And everyone who works on building this system knows this. You need to remove your data from your GPs computer as a matter of urgency. Lets say (for sake of argument) that the spine upload will be made from the latest backup set; if you delete now, long before the update, you will be left out of the upload.

This is one of the lessons of the lapse of security at the Department of Veterans Affairs. It is one of the few healthcare organisations in the world that has very large centralised and regional databases of medical records. So an apparent minor lapse of security can have major implications.

The disappearance of one external hard drive – the sort one can buy in PC World for about £100 – contained 1.3 million sensitive medical records.

In England a loss on this scale could not happen with a breach of security at a GP practice. But the NPfIT’s Care Records Service is due to store 50 million patient records.

Just like ‘Frances Stonor Saunders’ said, “These databases, which can easily fit on a storage device the size of your hand…”. All it takes is for one leak to happen for the whole system to be compromised. Now imagine trying to cobble together a database of all the NHS patients in the UK by compromising each GPs office one at a time. It would be hugely expensive, take years, and you would probably get caught. Thankfully the government is making it easy for criminals to get the job done; they are putting it all in one place for you!

The Department of Veterans Affairs had a general policy of ecrypting patient data so that if it were to go missing it could not easily be read. But the controls were not applied properly.

Even if they were encrypted, all that means is that a disc removed without taking the decrypting keys would be useless. A clever person would take the drive and make sure she had the decrypting keys too. It also doesn’t stop people copying entries on a ‘to order’ basis, something particularly sinister when you think about what ContactPoint holds: DATA ON CHILDREN.

Could the same happen in England?

Could? Lapses, leaks, abuse and thefts have have already happened in the UK. Use the Google!

a) In the NHS, password sharing is endemic and doctors do not always have the time to log on and off computers to protect the integrity of the system.

And there you have it password sharing is ‘ENDEMIC‘ : “characteristic of or prevalent in a particular field, area, or environment”. That means that it is in the nature of the NHS environment to share passwords. WHen they get a hold of ContactPoint access, they will not suddenly change their behavior.

b) If national systems are made too secure doctors and nurses will not use them.

Makes sense; in order for something to be useful, you have to be able to use it without having to think about it.

c) It’s unclear whether the Department of Health will provide enough funds to ensure that money and staff are available to police rigorously the audit trails of the Care Records Service, if a such a national system works.

Exactly. There are not enough people to watch the 330,000 people who will be making millions of accesses per week on ContactPoiint. Trying to find instances of abuse will be like looking for a needle in a haystack, and when we talk of ‘instances of abuse’ we mean paedophiles getting a hold of a child in the worst case scenario.

Perhaps these matters should have discussed openly and honestly before the NPfIT was announced in early 2002

Perhaps the whole idea should be scrapped? And by whole idea I mean the NIR, ContactPoint and the NHS Spine.

Computer Weekly

Related posts:

  1. NHS staff view celebrity records An NHS primary care trust has warned of a new risk to the confidentiality of medical records stored under the National......
  2. More BBQ Biometric Propaganda: Terminal 5 […] Fingerprints T5 will have shops, cafes and bars like any other airport, and some of those are already fitted out......
  3. Dame Shirley Reads BLOGDIAL A lurker sent me this: Its almost like she’s quoting from Blogdial. Heh… Peer ‘ready to defy ID card law’ The......
  4. We call it ‘Vindication’ On the cover of every newspaper in the UK is this news, which should come as no surprise to anyone: Revenue......
  5. Is Organic Food better for you? The only test you need The Guardian, once again, has a pro-corporate, pro-pharmaceutical propaganda piece in its toilet paper. It goes like this: Organic food ‘no......
  6. The Queen’s Speech, or Why BLOGDIAL is and has been so very great Take a look at this: After massive public rejection of the surveillance state, and country wide vandalism of the millions of......
  7. Crony Capitalists deploy glove puppet schizophrenic luddite The crony capitalist copyright monopoly has rolled out its latest delusional computer illiterate schizophrenic luddite, Jeremy Hunt, to try and cripple......

This entry was posted on Tuesday, July 17th, 2007 at 10:21 am and is filed under Insanity, Post Tipping Point, The Facts, Told You So.

Leave a Reply

You must be logged in to post a comment.