next up previous
Next: The Gathering Storm Up: An Update on the Previous: An Update on the

Introduction

In late 1994 and early 1995, the British Medical Association (BMA) repeatedly asked officials of the UK National Health Service (NHS) about encryption of data on a new data network that was being planned. The assurances received were less than convincing. They included the claim that there was no encryption expertise in Britain, and the even more bizarre claim that encryption could not be introduced until the network was in place, as the network itself would be needed to distribute the keys [65] [66] (it was later learned that encryption proposals had been spiked at the request of the intelligence community). I was therefore contacted and asked to speak to the BMA's Information Technology Committee (as it now is) on the 8th March.

On looking at the documents that the government had supplied to the BMA on security in the proposed network [50] [51] [52] [53] [54], it was clear that something was wrong. The government assumed that the main additional threat from connecting clinical computer systems together would come from outside 'hackers' --- a view common enough in the popular press but not held by people with experience of the field.

The likelihood that data will be abused depends on its value and on the number of people who have access. Connecting systems together increases both these risk factors at the same time. An example is given by personal financial information, which in many countries is no longer private: as any bank teller can access any account at most banks, an illegal data broker needs only a small number of sources to cover most of the population's finances [44] [64]. The prospect of medical records suffering a similar fate is alarming, and the controls proposed by the government would have been unable to prevent this.

The NHS argument was that for 'security' reasons, all clinical data would have to be carried on a private network that was being set up by a contractor, BT. Organisations wishing to connect to it (and all significant healthcare providers would be forced to) would have to sign a 'Code of Connection' promising not to connect their systems to any other network [54]. But however convenient the Code might be for BT's business at a time of rapidly growing competition and falling costs for data network services, it would provide no protection against the majority of attackers, who would, we believed, come from inside the system rather than from outside.

Our concerns were first communicated to the government in detail in a letter from the BMA on the 21st March 1995. This questioned the assumptions that the NHS network could be kept separate from the Internet and that encryption was infeasible; it also pointed out inconsistencies in the NHS security policy. It received a testy response. Thus, on the 31st May, the BMA Council supported a resolution from the IT working party that the problems with the threat model, security policy and architecture would "need to be addressed as a matter of urgency by the NHS Executive or use of the NHS Wide Network would be boycotted for the transmission of identifiable patient data by doctors concerned about confidentiality".

So we prepared a detailed critique [4] of the NHS threat model, security policy and architecture and presented it to senior officials on the 8th June 1995. At that time, we fully accepted the bona fides of the NHS Executive and aimed to help them revise their security policy and architecture documents to be acceptable. In the world of security, it is common practice that one party advances a design and another tries to find holes in it. Such third party evaluation is a standard industry practice, and is mandatory in many government systems in Britain, the EU [39] and elsewhere.






Ross Anderson
Tue Jun 25 08:31:53 BST 1996