It Seems Unlikely DoHA and NEHTA Will Do Better Than Others With Security and Privacy. Their Stubbornness and Haste May Destroy The PCEHR Program.

I was alerted to this pair of articles today:

Man gets £12,500 after girlfriend probes his medical data

Nurse ex-partner's data breach cost him a job
This is a rare event indeed: a data subject has taken successful action for compensation under section 13 of the Data Protection Act. Normally what happens if a data controller has caused damage is that there is an out-of-court settlement with a gagging (sorry "confidentiality") clause so no-one is the wiser.
The claimant brought an action following an unauthorised disclosure of his personal medical data from the Plymouth Hospital NHS Trust, in or about December 2007. The partner of the data subject had unlawfully accessed his medical records in the course of her employment as a nurse and thereby committed a breach of the Act. This and the handling of his resultant complaint caused a four-and-a-half year exacerbation of a pre-existing paranoid personality disorder and prevented him also from accepting an offer of employment.
More here:
Second we have:

IT pros can't resist peeking at privileged information

Posted on 05 December 2011.
IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place.
Lieberman Software’s recent password survey found that IT professionals just cannot resist peeking at information that is supposedly barred to them. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.
  • 42 percent of those surveyed said that in their organisations IT staff are sharing passwords or access to systems or applications
  • 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
  • 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Philip Lieberman, President and Chief Executive Officer of Lieberman Software said: “Our survey shows that senior management at some of the largest organisations are still not taking the management of privileged access to their most sensitive information seriously.”
More here:
Really the lessons from this are very clear. It is people, not systems, on which the proper respect for private, confidential information is based and, sadly, a good number of people simply don’t understand their responsibilities.
Absent a sudden change in human nature - which is remarkably unlikely - we are going to have to rely on proper identification and authentication technologies to find the serious serial offenders, at least after the event! It is only a real risk of being caught that will change behaviour - hence I don’t rob banks often!
As far as the PCEHR is concerned there is a central requirement to have the National Authentication System for Health (NASH) implemented and operational as much of NEHTA’s approach is fundamentally dependent on it being live and available. Without it the risk of being caught is dramatically reduced.
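As an added illustration (not part of this post, nor any NEHTA or NASH design) of the after-the-event detection that only works when each login identifies one person, the Python below reviews a constructed EHR access audit trail for staff repeatedly opening records of patients they do not treat, and for accounts whose use pattern suggests a shared credential. Every account, workstation, patient identifier and the care-team table are made up for the example.

```python
from collections import Counter
from datetime import datetime
import csv, io

# Constructed sample EHR access audit (not from any real system): who used
# which account, from which workstation, to open which patient's record.
AUDIT_CSV = """user,ts,workstation,patient
nurse_a,2007-12-03T09:12,WS-ICU-1,P1001
nurse_a,2007-12-03T09:15,WS-ICU-1,P2042
dr_b,2007-12-04T10:02,WS-CLINIC-3,P1001
nurse_a,2007-12-04T21:40,WS-ICU-1,P2042
itadmin,2007-12-05T08:00,WS-IT-1,P3003
itadmin,2007-12-05T08:03,WS-HR-7,P3003
nurse_a,2007-12-05T22:05,WS-ICU-2,P2042
"""
# Constructed care-team table: staff with a treatment relationship per patient.
CARE_TEAM = {"P1001": {"nurse_a", "dr_b"}, "P2042": {"dr_b"}, "P3003": set()}

def parse_audit(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def unrelated_accesses(rows, care_team):
    """Record views by a user who is not on that patient's care team."""
    return [r for r in rows if r["user"] not in care_team.get(r["patient"], set())]

def serial_offenders(rows, care_team, threshold=2):
    """(user, patient) pairs with at least `threshold` unrelated views:
    the repeat behaviour that only a real risk of detection deters."""
    counts = Counter((r["user"], r["patient"]) for r in unrelated_accesses(rows, care_team))
    return {pair: n for pair, n in counts.items() if n >= threshold}

def shared_login_suspects(rows, window_minutes=5):
    """Accounts used from two different workstations within `window_minutes`.
    A shared credential no longer identifies one person, so attribution fails."""
    suspects, last_seen = set(), {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        prev = last_seen.get(r["user"])
        if prev and prev["workstation"] != r["workstation"] \
                and (r["ts"] - prev["ts"]).total_seconds() <= window_minutes * 60:
            suspects.add(r["user"])
        last_seen[r["user"]] = r
    return suspects

if __name__ == "__main__":
    rows = parse_audit(AUDIT_CSV)
    print("repeat unrelated access:", serial_offenders(rows, CARE_TEAM))
    print("possible shared logins:", shared_login_suspects(rows))
```

Both checks depend on the audit row naming a single accountable individual; with shared passwords or no provider authentication, the first check still finds the access but cannot say who made it.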
However, on page 1-5 of the NEHTA Blueprint - Version 2.0 (September 30, 2011) we read.
“NEHTA will deliver a Token Management System (for NASH) to manage the issuance, cancellation, modification, replacement, and operational support of the ~500,000 tokens/smartcards to be deployed between 2012 and 2017.”
So we won’t have token-based identity authentication for providers for up to 5 years after the PCEHR is meant to be implemented, and none at all for consumers.
We see above how bad it can be without proper authentication systems - but the Government just steams ahead. I leave it as an exercise for the reader to assess their level of sanity and competence!
David.
