Other security threats to clinical information

In addition to the threats to the confidentiality of clinical information, its integrity and availability may also be at risk in computer systems, and often in ways which are not immediately obvious.

• Software bugs and hardware failures occasionally corrupt messages. While mail, fax and telephone systems also fail, their failure modes are more evident than those of computer messaging systems. It is possible, for example, that a software bug could alter the numbers in a laboratory report without changing it so grossly that it would be rejected.

  There are regular press stories of mislaid cervical smear results and of pregnancies terminated in the mistaken belief that the foetus had Down's syndrome. We do not know how many of these involve computer as opposed to manual errors, but experience in other sectors suggests that in the absence of strong integrity controls about one message in 10,000 would be wrong. To a GP, this might mean a wrong test result every few years and a dangerous treatment once in a career. With poorly designed software, the figure could be substantially higher.

• Higher error rates could result from the spreading practice of sending lab results as unstructured electronic mail (email) messages that are sometimes interpreted automatically. A scenario from [Mar95] is plausible: a laboratory technician adds a comment before a numeric result, but the GP's system assumes that the first value it encounters is the result and files this in the patient record, leading to incorrect treatment.

• Viruses have already destroyed clinical information, and a virus could conceivably be written to make malicious alterations to records.

• A malicious attacker might also manipulate messages. Sending email which appears to come from someone else is easy, and with some more effort it is possible to intercept mail between two users and modify it.

• However the majority of malicious attacks will be carried out by insiders [OTA93], with motives such as erasing a record of malpractice [Ald95], supplying an addiction, or committing straightforward theft or fraud. Prescription fraud already happens with manual systems, and in the absence of improved controls it can be expected to continue.

• Attacks on system integrity could be made more likely by an erosion of confidentiality. If clinical records became widely available and were used for purposes such as hiring and credit decisions (as in the USA [Woo95]), then there would be strong motives to alter them.

• An erosion of public trust would also degrade the quality of input, as some patients would suppress sensitive facts. Public concern in America has now reached such a level that a national newspaper has warned its readers to be careful about disclosing sensitive health information [USA95].

• We might see similar effects if some system components have or acquire purposes other than healthcare. For example, if a health card came to be used as an identity card [DPR95], then both criminals and civil libertarians might try to break its security, and patients would assume that the police had access regardless of any assurances from government.

For all these reasons, the confidentiality and integrity properties of clinical systems should not be considered in isolation from each other.