> Surely there are ways round this? (not a fax machine expert me
> and it shows)
You can set the answerback number on your fax machine to whatever
you want. This was used in a famous fraud about ten years ago in
which a villain rented an office in Switzerland, bid successfully
to supply a shipload of aluminium scrap to a smelter in India, and
got a letter of credit payable against shipping documents and an
inspection certificate.
The former are easy enough to generate; the latter had to come
from a particular bureau in Rotterdam. The villain simply sent a
fax from his office in Switzerland across the street to the bank
but with the Rotterdam company's answerback set on his fax machine.
The bank paid; the villain vanished; and the banks in India and
Switzerland ended up suing each other in the High Court in London
over who was negligent.
And, of course, even if you have a procedure of faxing back to
confirm (as at least one bank has nowadays), a bad man can always
tap the phone from the bank branch and give a false confirmation
(this too has been done, in a famous gold swindle). Hence the
growing enthusiasm of banks for encryption and authentication.
My hope is that in two or three years' time, every online healthcare
practitioner will have a public signature key with which she can sign
requests for personal health information, and a public encryption key
with which you can encrypt what you send back to her. Then phone and
fax requests will be a thing of the past.
> What about a laptop, linked occasionally to clinical database by modem
> (or network card), but never directly linked to internet while
> connected to clinical system.
That seems fine to me. I expect that there are plenty of members of this
list who have a PC at home, and dial up both the practice system and a
local ISP (though not at the same time). If you only have one network
connection, and take reasonable care about things like viruses, then it
seems perfectly prudent to me against the sort of attacks we are seeing
at present.
> But is it acceptable, and on whose criteria?
A very common problem in security management is that measures designed
for risk reduction rapidly become a matter of due diligence. This
causes them to persist even when both the system and the threat model
have changed and they are no longer relevant.
The lack of agreement between the IMG and the BMA on what constitutes
prudent practice may have the effect of preventing this fossilisation
- at least for the time being.
Ross