We seem yet again to have fallen into a binary discussion about NHSnet, my
comments and questions were broader than that. But I would like to pick up
on the points raised.
I believe that no one is being asked to "pay through the nose", networking
costs are never about single issues, they should be viewed within a business
process, if a GP can't save money by using networks to solve clinical
business needs they should not be using any of these networks. If however
they can provide the solution to otherwise unattainable advantage then do
it. For example, is anyone using Epact from the PPA. Has it been useful?
And more importantly has it saved them any money. Anyone using the MIRON
Site to access medical information databases.
I know that the gateway wraps attachments as .dat files, you need to change
the extension back to .doc or whatever. At least the attachment gets
through, some ISPs limit the attachment size and strip it if it is over a
certain size, hence MS Outlook can break attachments into 40k chunks to get
round this.
What is a simple firewall? I have yet to find one, and any kind of decent
one will cost 2K plus a few hundred maint per year.
If, and I tend to agree, the threat lies within the NHS how does encryption
help? The message would remain clear on the screen and hence still open to
abuse, encryption protects the message in transit.
John
-----Original Message-----
From: [log in to unmask] On Behalf Of Ewan Davis
Sent: 01 May 1998 19:12
To: [log in to unmask]
Subject: RE: Locality Communications
I find John's comments rather strange. Are we not already being asked to pay
through the nose for security on NHS (the belt braces and spare pair of
trousers approach to authentication to name but one example) and does not
the security already get in the way of the use of the network (the
attachment stripping gateway to Internet mail for example).
The security model applied to NHSNet is inappropriate seeking as it does to
provide security at the perimeter and assume all authorised user can be
trusted.
Adequate security requires simple firewall protection between the network
and end systems and message content needs to be protected via encryption.
This can probably be provided at lower cost than the current inappropriate
security measures and would allow NHSNet to provide the sort of connectivity
with the rest of healthcare community that will make it actually usable.
We can forget white paper targets until NHSnet is repositioned to recognise
the impact that the Internet has had on wide area networking. A review of
the security model is an important part of this.
----------------------------------------------------------------------------
---------------------
Ewan Davis
AAH Meditel - Voice +44 (1) 527 579414 Fax +44(1)527 837287
Email [log in to unmask] also at [log in to unmask]
-----Original Message-----
From: John Coulthard [SMTP:[log in to unmask]]
Sent: 01 May 1998 16:25
To: [log in to unmask]
Subject: RE: Locality Communications
-----Original Message-----
From: [log in to unmask] [mailto:[log in to unmask]] On
Behalf Of Paul Galloway
Sent: 29 April 1998 23:33
To: [log in to unmask]
Subject: Re: Locality Communications
Go on, give us a clue to what you think the answers to your eminently
sensible questions are , then I'll argue my corner
(unless of course we agree!)
:-)
Paul Galloway
Unfortunately we agree.
The network was designed to be "open" from a systems point of view, hence
application providers can do what they want, and I am sure they will, and
charge us! If I wanted to add considerably to the cost of any system I
would try to convince the customer that they needed the latest 128 bit
encryption. The fact that they might not need it is neither here nor there
if they THINK they need it. Security, in sales, is about paranoia not
reality.
My point is that until we identify a threat that might risk patient data,
that is network specific, then we should carry on with the current safe
guards.
I am of course not just talking about NHSnet, the same is true of links to
branch surgeries and for that matter home links to the Internet.
My questions stand, can we find a threat that is real and quantifiable that
we can write a business case against it, or are we going to pay through the
nose for security and encryption that would protect the us against nothing
and get in the way of the necessary interaction with patient data.
Do people remember the Zergo Report, try reading it again, if you have a
copy, they could not find the threat and neither can I.
Regards
John
|