In article <[log in to unmask]>, Adrian Midgley
<[log in to unmask]> writes
>[log in to unmask],Net wrote at 14:28 on 06/12/98
>about "Re: RFA5":
>-----------------------------
>>>RFA 5 should include a requirement that the system will serve up a
>>>plain text file in response to certain specified requests from a
>>>client authenticated via the network.
>>
>>A very reasonable idea on the face of it, but fraught with potential
>>problems if approached in a naive way.
>
><snip>
>>Good authentication is really the key to the entire business of safe
>>information exchange.
>>
>>The day that all UK clinicians own and keep secret their personal
>>private encryption key, simply as a proper part of being registered in
>>this country may soon be coming. It needs to have arrived before a
>>scheme like this will be safe for the patients and the clinicians
>>using it.
>
>But Paul, why would anyone invest the effort in distributing and
>managing encryption keys when there is no demonstrable need for
>them?
>Until the facility is part of our software specification, there is
>no business case for sorting out the security.
Sorry, disagree.
The security needs to be built into the specifications (including RFA!)
Just look what happened to the NHSnet!
>
>So put in the facility, and at the same time we make it clear to all
>clinicians that actually using it before the NHS gets its encryption
>policy going is fraught.
That *might* work for those of us prepared to be martyrs for a cause. I
don't fancy having to make the choice of protecting a patient's privacy
at the expense of .. what? breach of TOS? pressure from the PCG?
*Much* better get the security/confidentiality issues sorted out *first*
Mary
Mary Hawking Kingsbury Court Surgery Church Street Dunstable LU5 4RS
tel:01582 663218 (surgery) fax:01582 476488 (surgery)
Member of British Healthcare Internet Association
Dunstable and Houghton Regis Locality Commissioning Pilot