On Tuesday 18 May 2004 08:34, Laurie Slater wrote:

A very good post, thanks Laurie.

> I was encouraged to hear that the principles which are
> now being applied to CRS security (industry standard PKI encryption
> using "TLS" to send X.509 certificates) are fit for the purpose of
> allowing clinicians to reliably identify themselves electronically.

Identity.  Whatever that is.
This is the same person it was last time is easy, but who it was the first 
time is more difficult.  And tedious.  And fashionable.

> robust
> audit trails are in place to document not only data entry but also any
> and every access to such data 

That is nice in itself, albeit the sysadmin and his boss can go around them if 
only by reading off a backup.

Q1.  The unanswered question there though is whether the principle that all 
accesses shall be _reported_ to the data subject is going to be applied?
I've written on it before, clearly it is the accesses when the pateint is not 
present that need reporting, and clearly the reports should be aggregated to 
an annual report or one when accesses reach a page.

Thus the citizen will learn of the otherwise unapprehended diligent striving 
of his public servants in the background to support his continued health and 
avoid his taxes being misapplied, and can hardly be expected to feel anything 
but praise and thankfulness.  



> ...  consulting with some 1500 or so clinicians in the
> developmental stages. I was hardly in a position to ask who these
> clinicians were, but wondered how so many could have remained so quiet
> in the recent clamour for information.

Gagged?  Did not wish to be identified?  Did not know they had been consulted?
Have income resting upon some part of it?  Many documents have an appendix 
starting off "with thanks to the following for their assistance...".  It is 
polite, and the cheapest of all possible rewards to the public-spirited.  And 
avoids all doubt as to actual numbers, not that any has arisen.

> He did acknowledge the significant limitations of current systems,
> whereby clinicians are unable to reliably authenticate themselves 

Its _them_ I can't reliably authenticate, not me.  And that is dealt with 
adequately by keeping them out.


> assured me that the process for registering users to use NCRS
> applications (strong authentication through smart cards) would be
> available across the board for any “national application”. 

Surely this is not a duplication of the national ID card the Rt hon David 
Blunkett MP Secretary of State at the Home Office has announced will solve 
all our problems, even those nobody else has noticed?

> The smart card sounds an appropriate way of introducing authentication
> for NHS employees and utilises belt and braces industry standard
> encryptions techniques. 

I'd actually prefer the Texas Industries iButton, if we are talking about form 
factors.  Built into a ring or pendant it would be less losable, and its 
hermetically sealed one point network contact is more durable.  but whatever.

> “TLS”, the next evolutionary standard 
I've been using it for 5 years in the browser I favour...
> will be
> used to encrypt communication channels and is this widely recognised as
> being more secure than SSL. They have instantiated a RootCA enabling
> them to issue an unlimited number of certificates. 
So have I.  It comes free.  The question as ever is "who is it that this root 
certificate relates to" and to be fair, HMG or DoH is more widely known and 
able to make itself so than I am.

>... but the punitive cost will be the administrative load on the
> HR or IT departments of HCOs who will be required to act as Registration
> Authorities and administer the distribution of the cards. 

Then it would be best they are the root authorities, and the load is indeed 
going to be punitive.  Insupportable I'd say, unless things are relaxed to 
teh point where ... what did that certificate mean again?

I prefer the web of trust, decentralised, accretive, as used in PGP.  But not 
very attractive to governments, it appears.

Baltimore Zergo (who were the last firm to be expected to provide the PKI for 
the NHS) are sending up their very last bubbles even now, once hugely valued, 
now junk.


> ... However, for the purpose of identifying the origin of a
> given request, workstations which are used to interface with NCRS will
> need to have software installed which will give them a unique identity.
THis is meat!
Q.  Will this be open sourced, open algorithms, and/or available for operating 
systems other than microsoft Windows?

> This software is known as the Identity Agent, and it provides an
> interface between the smartcard reader and the Identity Server (a NCRS
> component).

Everyone else calls it a PIDS - Person IDentity Service.  There are two Open 
Source and free ones, one made by the European Commission for regional 
healthcare applications, and the other made by the los Alamos National 
Laboratory.  

Q.  Has an existing OSS PIDS been adopted, or has a proprietary one been taken 
on, and if the latter, how has lock in been avoided and cost minimised, and 
FFS, why?  (You see my pessimism coming in though).

>The IA will be generated automatically without user
> intervention when it is installed and is a hashed function of various
> hardware components. This means that significant hardware upgrades may
> require a reauthorisation process for the new IA (yet more maintenance
> considerations).

I don't see the point of that.
is this becuase actually the smart cards are insufficient, or because despite 
having a roaming ID that works for ht ewhole NHS, we are each only to be 
allowed to log on from specific places?
 
> Subset or otherwise, it is clear that there is no mechanism to withhold
> consent for the uploading of data from the medical record. The issue of
> patient consent only becomes valid when data is on the spine (by
> default) at which time their decision to have the data shared, or not
> will be respected. Hmm! I still think this is unacceptable. 

Amusingly baroque.  
The essence is that class of occasions under which the patient has no right in 
law to be told of the accesses, perhaps.  Naturally only a terrorist, 
criminal, child-abuser would wish to not have their notes uploaded to MI5.

And the history of government in this country as in the USA includes no 
instances of anyone abusing information once they got their hands on it, 
therefore the quaint old customs of not telling anyone anything you didn't 
want them to know have no place for the citizen dealing with the government.  
not so the other way round, of course, where it is _important_ that privacy 
is maintained, in the matter of who gave advice on a national service for a 
profession, to name but one instance.


-- 
Adrian Midgley                   (Linux desktop)
GP, Exeter
http://www.defoam.net/