I will not cut and paste. Long post and all that.
I have to say that this answered almost none of my concerns about the
systems. It is relatively easy to design a system where users are
authenticated and get access to the correct information. Labour
intensive maybe but not conceptually hard.
Briefly, I have two concerns:
1. The emphasis of Laurie's post (which is very helpful) is about
security of data in transit. Frankly I always had this as low risk.
Hacking into networks is generally not that easy, and whilst it is nice
to know that attention has been paid to this it was not my top priority.
It is not clear how many people will have access to my record on the
spine. Doctors at my surgery? Within my PCT area? SHA area? All doctors?
All nurses? Role based access is all very well but the role must be
appropriate. HO is not a role. HO to the vascular surgical team at the
Great Western Hospital in Swindon is.
2. There are several obvious failings of the smart card systems as
stated in the original post. First is the issuing process. When I was a
junior doctor (which was not that long ago) no hospital was able to
issue passwords until at least a week had passed in the hospital. With a
more cumbersome process this is likely to be no easier. Even if we
assume a national card system the correct allocation of roles is likely
to be slow. Managing for a hospital will be horrendous (it takes our DGH
four weeks a year to deal with parking passes). The implications of
getting it wrong - even for a day - are severe. A culture of password
and card sharing will develop. The ward PC may have a single nurse's
smart card entered at the start of the shift and removed at the end. All
the PKI in the world will not solve that problem.
There was a very good analogy to car keys in the original post. Losing
the card will certainly be inconvenient. That there will be an 'onerous
process' to replace it will actively discourage reporting of loss,
certainly until a time that it will be possible or convenient to undergo
the process. I suspect that what to do at 3am on a Saturday morning will
be to use password sharing again.
Of course when your car keys are stolen then it is not only inconvenient
but the thief can drive your car. This interacts with my first point as
access to the whole database will make the card a more attractive
proposition to a thief. It also interacts with the replacement procedure,
as a delay in reporting will allow the thief greater access before
revocation of the card.
Audit trails are all very well, but in this circumstance are as much use
as a tachograph on a stolen truck.
Another attack is the 'royal footman' attack. The simplest way to get
authorisation is to get a job. Getting fired may not be a problem for
these people as this was not their main job anyway but merely a means to
an end. Equally it may merely give good opportunity to observe
passwords and lift PKI cards from pockets.
Summary
There are major security issues with this system. They are complex and
no model has been published. Shouting 'encryption' a lot merely distracts
from the more likely attacks.
--
Gavin Jamie
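An added illustration of two of the points above, not part of Gavin Jamie's post or of any real system: a role is only meaningful together with its scope (team and site), and the usable life of a stolen card runs from the theft until revocation, so a reporting delay adds directly to the thief's window. Every name, team and timestamp below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

# Constructed illustration of scoped roles and card revocation; the names,
# teams and timings are invented and do not describe the NHS spine's model.

@dataclass(frozen=True)
class Role:
    """A role is only meaningful with its scope: 'HO' alone is a job title,
    'HO on the vascular surgical team at a named hospital' is a role."""
    title: str
    team: str
    hospital: str

@dataclass
class Card:
    holder: str
    roles: FrozenSet[Role]
    revoked_at: Optional[datetime] = None   # None while the card is still live

@dataclass(frozen=True)
class Record:
    patient_id: str
    treating_team: str
    hospital: str

def card_is_live(card: Card, now: datetime) -> bool:
    return card.revoked_at is None or now < card.revoked_at

def can_read(card: Card, record: Record, now: datetime) -> bool:
    """Grant access only from a live card holding a role scoped to the team
    that is treating the patient at that site; a bare title never suffices."""
    if not card_is_live(card, now):
        return False
    return any(r.team == record.treating_team and r.hospital == record.hospital
               for r in card.roles)

def exposure_hours(stolen_at: datetime, reported_at: datetime,
                   revocation_delay: timedelta) -> float:
    """Hours during which a stolen card stays usable: theft until revocation,
    so any delay in reporting adds directly to the thief's window."""
    revoked_at = reported_at + revocation_delay
    return (revoked_at - stolen_at).total_seconds() / 3600

def demo() -> dict:
    site = "Great Western Hospital, Swindon"       # constructed site name
    ho = Role("HO", "vascular surgery", site)
    card = Card("Dr Example", frozenset({ho}))     # hypothetical holder
    own_patient = Record("P1", "vascular surgery", site)
    other_patient = Record("P2", "cardiology", "Another Trust Hospital")
    now = datetime(2005, 3, 5, 3, 0)                # a Saturday, 3am

    stolen_at = datetime(2005, 3, 4, 22, 0)         # Friday evening
    prompt_report = stolen_at + timedelta(minutes=30)
    late_report = datetime(2005, 3, 7, 9, 0)        # Monday morning
    one_hour = timedelta(hours=1)                   # assumed revocation lag

    results = {
        "own_team": can_read(card, own_patient, now),
        "other_team": can_read(card, other_patient, now),
        "prompt_exposure_hours": exposure_hours(stolen_at, prompt_report, one_hour),
        "late_exposure_hours": exposure_hours(stolen_at, late_report, one_hour),
    }
    # Once revoked, the card is refused even for the holder's own team.
    card.revoked_at = late_report + one_hour
    results["after_revocation"] = can_read(card, own_patient, card.revoked_at)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The numbers are the point: reporting within half an hour gives a 1.5 hour window, while waiting until Monday morning gives 60 hours, and the access check itself cannot tell the holder from the thief during that time.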