Tuesday, December 06, 2011

It Seems Unlikely DoHA and NEHTA Will Do Better Than Others With Security and Privacy. Their Stubbornness and Haste May Destroy The PCEHR Program.

I was alerted to this pair of articles today:

Man gets £12,500 after girlfriend probes his medical data

Nurse ex-partner's data breach cost him a job
This is a rare event indeed: a data subject has taken successful action for compensation under section 13 of the Data Protection Act. Normally what happens if a data controller has caused damage is that there is an out-of-court settlement with a gagging (sorry "confidentiality") clause so no-one is the wiser.
The claimant brought an action following an unauthorised disclosure of his personal medical data from the Plymouth Hospital NHS Trust, in or about December 2007. The partner of the data subject had unlawfully accessed his medical records in the course of her employment as a nurse and thereby committed a breach of the Act. This and the handling of his resultant complaint caused a four-and-a-half year exacerbation of a pre-existing paranoid personality disorder and prevented him also from accepting an offer of employment.
More here:
Second we have:

IT pros can't resist peeking at privileged information

Posted on 05 December 2011.
IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place.
Lieberman Software’s recent password survey found that IT professionals just cannot resist peeking at information that is supposedly barred to them. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.
  • 42 percent of those surveyed said that in their organisations' IT staff are sharing passwords or access to systems or applications
  • 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
  • 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Philip Lieberman, President and Chief Executive Officer of Lieberman Software said: “Our survey shows that senior management at some of the largest organisations are still not taking the management of privileged access to their most sensitive information seriously.”
More here:
Really the lessons from this are very clear. It is people, not systems, on which the proper respect for private, confidential information is based and, sadly, a good number of people simply don’t understand their responsibilities.
Absent a sudden change in human nature - which would have to be remarkably unlikely - we are going to have to rely on proper identification and authentication technologies to, at least after the event, find the serious serial offenders! It is only a real risk of being caught that will change behaviour - hence I don’t rob banks often!
As far as the PCEHR is concerned there is a central requirement to have the National Authentication System for Health (NASH) implemented and operational as much of NEHTA’s approach is fundamentally dependent on it being live and available. Without it the risk of being caught is dramatically reduced.
However, on page 1-5 of the NEHTA Blueprint - Version 2.0 (September 30, 2011) we read.
“NEHTA will deliver a Token Management System (for NASH) to manage the issuance, cancellation, modification, replacement, and operational support of the ~500,000 tokens/smartcards to be deployed between 2012 and 2017.”
So we won’t have token based identity authentication for providers  for up to 5 years after the PCEHR is meant to be implemented and never to authenticate consumers.
We see above how bad it can be without proper authentication systems - but the Government just steams ahead. I leave it as an exercise for the reader to assess their level of sanity and competence!
David.

9 comments:

  1. I don't see how that conclusion follows from the statement which precedes it. If NEHTA *does* deliver a token management system for NASH to manage half a million tokens/Smartcards from 2012, why does that mean there will be no token-based identity for providers for five years after 2012? Am I missing something here?

    ReplyDelete
  2. Yes.

    Until it is actually delivered it does not exist. The PCEHR is meant to begin in 2012. So what happens in the say next 3 years of partial implementation etc.

    They should have NASH and PCEHR working as the system is delivered to whoever plans to use it. That does not seem to be the plan as far as I can tell.

    David.

    ReplyDelete
  3. The poisoned chalice that is NASH has apparently been passed to yet another bureaucrat, after the sacking of the person who held the hot potato since last year. How many managers has NASH chewed up in the last five years? Good luck to the new guy. Hope the fireproof suit fits.

    ReplyDelete
  4. Right. NASH is absolutely at the centre of almost everything that NEHTA and DoHA are trying to do. The contract for building and delivering NASH by June 2012 was awarded to IBM on about 1 March this year. By March next year they should even have a specification to work to (ref NEHTA Specification Roadmap). That leaves 3 months to build the system and distribute Smartcards to 600,000(?) health providers. Hmmm. Should be interesting. July 2014 maybe? Meanwhile there will presumably be frantic attempts to fly with some lash up of temporary certificates etc. Remember though, that the minister hasn't said that anyone would actually HAVE a PCEHR on 1 July 2012, only that folks could REGISTER then.

    ReplyDelete
  5. KH is one person cottoning on to the spin then......

    there is a whole lot of difference between registering for something and actually having something that you can use.

    ReplyDelete
  6. As the NSW Auditor-General said today about the NSW $386 million finance, human resources and payroll systems project at the NSW Department of Education and Training which is over budget:

    "I am concerned that another large government IT project is failing to deliver, is over budget and behind schedule," NSW Auditor--General Peter Achterstraat said.

    It seems to me Nicola Roxon should be concerned, very concerned, because her little foray with NEHTA and the PCEHR is far and away heading to be the largest IT flop in Australia - ever.

    ReplyDelete
  7. Medicare already provides most of what NASH should be delivering. They have smartcards and location certificates. If Medicare can do it surely NEHTA can.

    ReplyDelete
  8. Only one question then. Why, after 5 years have they not done it?

    David.

    ReplyDelete
  9. Given that we have Medicare certificates and smartcards/tokens already and working usage of the same why on earth are we throwing it all away for a Nehta pipe dream. Probably because they want to use over complex web services that demand certificate usage flags that the Medicare ones do not have.

    It seems that taking the mountain to Mohammed is the name of the game. It's so silly, but at least they are consistent, everything they so is silly...

    Why are we putting up with this bunch of drongos? Can someone please explain why the plug is still in place?

    ReplyDelete