Next: Protection priorities
Up: Threats and Vulnerabilities
Previous: Threats to clinical
In addition to the threats to the confidentiality of clinical information, its
integrity and availability may also be at risk in computer systems, and often
in ways which are not immediately obvious.
- Software bugs and hardware failures occasionally corrupt messages. While
mail, fax and telephone systems also fail, their failure modes are more evident
than those of computer messaging systems. It is possible, for example, that a
software bug could alter the numbers in a laboratory report without changing it
so grossly that it would be rejected.
There are regular press stories of mislaid cervical smear results and of
pregnancies terminated in the mistaken belief that the foetus had Down's
syndrome. We do not know how many of these involve computer as opposed to
manual errors, but experience in other sectors suggests that in the absence of
strong integrity controls about one message in 10,000 would be wrong. To a GP,
this might mean a wrong test result every few years and a dangerous treatment
once in a career. With poorly designed software, the figure could be
substantially higher.
- Higher error rates could result from the spreading practice of sending
lab results as unstructured electronic mail (email) messages that are sometimes
interpreted automatically. A scenario from [Mar95] is plausible: a laboratory
technician adds a comment before a numeric result, but the GP's system assumes
that the first value it encounters is the result and files this in the patient
record, leading to incorrect treatment.
- Viruses have already destroyed clinical information, and a virus could
conceivably be written to make malicious alterations to records.
- A malicious attacker might also manipulate messages. Sending email which
appears to come from someone else is easy, and with some more effort it is
possible to intercept mail between two users and modify it.
- However, the majority of malicious attacks will be carried out by
insiders [OTA93], with motives such as erasing a record of malpractice [Ald95],
supplying an addiction, or committing straightforward theft or fraud.
Prescription fraud already happens with manual systems, and in the absence of
improved controls it can be expected to continue.
- Attacks on system integrity could be made more likely by an erosion of
confidentiality. If clinical records became widely available and were used for
purposes such as hiring and credit decisions (as in the USA [Woo95]), then
there would be strong motives to alter them.
- An erosion of public trust would also degrade the quality of input, as
some patients would suppress sensitive facts. Public concern in America has now
reached such a level that a national newspaper has warned its readers to be
careful about disclosing sensitive health information [USA95].
- We might see similar effects if some system components have or acquire
purposes other than healthcare. For example, if a health card came to be used
as an identity card [DPR95], then both criminals and civil libertarians might
try to break its security, and patients would assume that the police had access
regardless of any assurances from government.
For all these reasons, the confidentiality and integrity properties of clinical
systems should not be considered in isolation from each other.
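The [Mar95] scenario above (a comment placed before the numeric result, and a GP system that files the first number it sees) is a parsing failure that integrity controls can catch. The following is an added illustration, not code from the report: a naive first-number extractor beside a checker that only accepts a labelled field with the expected unit and a plausible value, and otherwise routes the message for manual review. The message text, analyte table and field format are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Constructed sample message (not from the report); the technician's comment
# precedes the result and happens to contain a number of its own.
SAMPLE_MESSAGE = """\
Patient: PLACEHOLDER-ID
Comment: repeat of sample taken 3 days ago, previous one haemolysed
Potassium: 6.1 mmol/L
"""

def naive_first_number(body: str) -> Optional[float]:
    """The failure mode: treat the first number in the body as the result."""
    m = re.search(r"\d+(?:\.\d+)?", body)
    return float(m.group()) if m else None

# Hypothetical table of analytes the receiving system is willing to file:
# name -> (expected unit, plausible minimum, plausible maximum).
EXPECTED = {
    "Potassium": ("mmol/L", 1.0, 10.0),
}

# A result line must be of the form "Name: <number> <unit>" and nothing else.
FIELD_RE = re.compile(
    r"^(?P<name>[A-Za-z ]+):\s*(?P<value>-?\d+(?:\.\d+)?)\s*(?P<unit>\S+)\s*$")

def structured_result(body: str, analyte: str) -> Tuple[Optional[float], str]:
    """Return (value, status); value is None unless exactly one labelled,
    correctly-united, plausible field for the analyte is present."""
    if analyte not in EXPECTED:
        return None, "reject: unknown analyte; manual review"
    unit, lo, hi = EXPECTED[analyte]
    matches = [m for m in (FIELD_RE.match(line.strip()) for line in body.splitlines())
               if m and m.group("name").strip() == analyte]
    if len(matches) != 1:
        # Free-text comments never match, so a missing or duplicated field
        # is refused rather than guessed at.
        return None, "reject: field missing or duplicated; manual review"
    m = matches[0]
    if m.group("unit") != unit:
        return None, f"reject: unit {m.group('unit')!r}, expected {unit!r}"
    value = float(m.group("value"))
    if not lo <= value <= hi:
        return None, "reject: implausible value; manual review"
    return value, "ok"

if __name__ == "__main__":
    print("naive:", naive_first_number(SAMPLE_MESSAGE))        # 3.0 (wrong)
    print("structured:", structured_result(SAMPLE_MESSAGE, "Potassium"))  # (6.1, 'ok')
```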
Ross Anderson
Fri Jan 12 10:49:45 GMT 1996