next up previous
Next: The Policy is Up: An Update on the Previous: Introduction

The Gathering Storm

We were not to know it at the time, but the NHS Executive had projects underway to build systems that are in serious conflict with medical ethics as understood by both doctors [31] [32] and patients [17] [36] [59]. If security rules are adopted that enforce this traditional view, then these systems will require significant changes (which we discuss below).

So, with the benefit of hindsight, it is not at all surprising that the response we received from the NHS Executive was limited to nitpicking [47], ad hominem attacks, diversionary tactics (such as the recent report on encryption [77]) and delay.

This surpassed the script of ``Yes Minister''. For example, at a meeting called on the 26th June to present their response to our critique, officials claimed that we would have to wait for the NHS to settle its confidentiality policy --- a document that had been stalled for some 15 years, and the most recent version of which (in August 1994 [14]) had been roundly rejected by clinical professions, patients and the Data Protection Registrar. So the Association went public with its concerns; these were summarised in an article that appeared in July [3].

By then it had become rather clear that the government was determined on a tactical rather than constructive response. Our intelligence sources reported a determination to implement the Code of Connection and deal with objectors by obfuscation, delay and diversion; the strategy was to field the network and present it as a fait accompli. Typical of the tactics used in this period was a letter in September that sought to query the minutes of the 26th June meeting and wished a further meeting in November to discuss them [48]. Also in September, a senior IMG official claimed at a conference that our criticisms had been completely misguided, as the primary purpose of the NHS network was to provide leased lines between hospitals that would cut phone bills!

In spite of these Fabian tactics, the foundations of the government's position were removed one by one. The erroneous initial assumption --- that the main additional threat from networking would come from outsiders --- was repudiated in a report commissioned by NHS managers from the government's own expert body, the CCTA [55]; the four level `classification' of data that formed the intellectual core of their security policy and justified their architecture was next to go [67]; yet officials stuck adamantly to their `Code of Connection'. In vain we pointed out the practical problems that would arise --- Addenbrookes' Hospital, for example, shares its network infrastructure with Cambridge University. These objections were ignored.

More senior officials became involved, and their tactics became steadily more reckless. A very senior medical officer wrote in August that the government would press ahead with its Code of Connection and hoped that the BMA objections could be dealt with later [75]; when we objected to the use of the network for clinical information, he claimed that Item-of-Service claims were not personal health information and that contract minimum data sets were `of course coded' [76]. For the benefit of readers not familiar with NHS systems, a typical Item-of-Service claim is for the supply by a general practitioner of contraceptive care, and that a typical contract minimum data set is for an episode of hospital treatment. I was personally lost for words that one of the government's most eminent doctors could hold unworthy of protection the identities of under-age girls taking the pill or obtaining pregnancy terminations in NHS hospitals.

On the 8th December 1995, the Code of Connection was issued, despite senior officials having given assurances to the BMA on the same day that this would not happen [27]; it was promptly denounced by the Association [28]. The Code, together with supporting documents such as the IS Security Reference Manual [56], continued to use the security assumptions and arguments that had already been discredited by the government's own experts.

We pointed this out and on the 13th December a senior official wrote to the Association:

You have included references to IMG project documents. These are project working papers provided to project members ... you will see that they are classified ``Restricted: Management'' ... please therefore delete the references [67].

No assurances of confidentiality had been sought by the government, or given by the Association, when these documents were originally supplied.

next up previous
Next: The Policy is Up: An Update on the Previous: Introduction

Ross Anderson
Tue Jun 25 08:31:53 BST 1996