Strong authentication tools like the smart card (as used by NHSnet) or the use of CLI are no more than a small part of the answer here. Their purpose is to authenticate network log-on not the identity of a mail sender. They can help protect access to key which might be used to produce a spoof message but that's about all. (and BTW strong authentication via CLI does not require X.400 and/or an MTA just ISDN and a router and it protects all access not just email - I would argue that all external connections to GP systems should be subject to strong authentication and CLI works well for a small number of fixed external access points - Smart card give great flexibility but at a price).
The simplest protection is to ensure that you don't reply and less you have independent validation that the email address belongs to a legitimate clinician. (I understand that a similar approach is normal practice when a unknown colleague requests info by phone).
However the real solution lies with cryptography:
The request should be digitally signed and you should have independently verified the public key of the purported sender. You can do this by obtaining the key from a trusted source and/or by checking the key signature by some trusted route with the purported owner. Until either the NHS or the professional bodies set up a trusted key service which links an individuals identity to their professional registration and accreditation status and their organisational affiliations you will still have difficulties validating request from complete strangers but the risk are probably less than exist with current postal, fax and telephone mechanisms. (How many of you would validate the return fax number If I send an urgent request for info by fax - producing some black and white hospital letterheads with a spoof fax is 5 mins DTP)
The response to such request should be sent encrypted again using independently verified key material.
While the NHS get its act together some of the existing certification organisations can provide much of what's needed. As you can see from my signature I use PGP. Its is cheap and works seamlessly with MS Outlook. (and I told many other email clients).
-------------------------------------------------------------------------------------------------
Ewan Davis - Personal email address [log in to unmask] Also at [log in to unmask]
PGP key available from ldap://certserver.pgp.com
Work Phone numbers - Voice +44 (1) 527 579414 Fax +44(1)527 833188
Affiliations:
Chairman AAH Meditel (www.meditel.co.uk) supplier of primary care information systems.
Chairman Peak Systems (www.peaksystems.co.uk) supplier of community care information systems
Chairman PharMed (www.PharMed.org.uk) Promoting GP-Pharmacy links
Chairman CSSA Primary Care Group (www.cssa.co.uk) the trade association of GP System suppliers.
-----Original Message-----
From: Mary Hawking [SMTP:[log in to unmask]]
Sent: Tuesday, December 29, 1998 9:09 PM
To: [log in to unmask]
Subject: Re: Hacking e-mail addresses
In article <[log in to unmask]>, Andrew Herd
<[log in to unmask]> writes
>This subject came up a while ago, and I have to say that at the time I
>didn't put much emphasis on it, but I challenged someone to prove to me that
>it could be done the other day and he just laid on a demonstration that I
>couldn't argue with at all.
>
>Anyone here got an opinion about how hard it is to hack x400 addresses? It
>seems to me that this could be a vulnerable area for NHSnet, in the era of
>the electronic patient record. In other words, it seems possible that
>someone could impersonate another account holder for the purposes of
>obtaining clinical or other data.
>
>Opinions?
I thought this was one of the advantages of the NHSnet (no ideas on
other X400 networks). Either you have one of those hard auhentication
cards (changes numbers every minute .. we've got one.. ) or you're on
an MTA - and the NHSnet recognises the *site* strong authentication.
I'm sure that, *given access to the apropriate information* , it would
be possible to obtain information.. as it always was... ;-<
Opinion : we need *encryption* - and agreement on who should be able to
access what information for which patients.....
Mary
Mary Hawking Kingsbury Court Surgery Church Street Dunstable LU5 4RS
tel:01582 663218 (surgery)fax:01582 476488 (surgery)
Member of British Healthcare Internet Association
Dunstable and Houghton Regis Locality Commisssioning Pilot
|