
Protection priorities

A common mistake in computer security is to focus on `glamorous' but low probability threats such as the possibility that a foreign intelligence service might use eavesdropping equipment to decode the stray electromagnetic radiation from computer monitors. Although such attacks are possible, they may in practice be disregarded, as a capable motivated opponent would find cheaper and more reliable ways of accessing information (e.g., burglary or bribery).

Another example is the publicity given to occasional hacking attacks on the Internet. It is true that capable attackers can manipulate traffic in various ways and may succeed in logging on to systems by password sniffing and address spoofing techniques. However, the incidence of such attacks is low, and competent Internet service providers will provide a firewall to make them hard. A much greater risk is that the computer system will be physically stolen from the surgery; over 10% of general practitioners have experienced computer theft [PK95].

We must therefore draw a distinction between vulnerabilities (things that could go wrong) and threats (things that are likely to go wrong). Note that other writers use these two words with their meanings reversed. However, such disputes are peripheral to our present concerns.

Threats vary in their scope, which we will take to be the number of individuals affected. There are global threats to the privacy, integrity or availability of the personal health information of the whole population, such as the black market in personal health information that already exists; while most threats are local and affect the privacy, integrity or availability of the clinical records kept by a care team. Examples are equipment theft, fire, virus infestations and the disclosure of records to third parties by careless staff.

Local threats can be contained by more or less well-understood techniques, such as staff training, offsite backup and regular independent audit; most of the security effort of a general practice or hospital department will be devoted to them. General guidelines have been issued by the Department of Health [NHS95], while the BMA has issued its own guidelines [And96] on action that should be taken to counter the most serious threats of which we are aware at this time.

Meanwhile, at the policy level, our priority is to ensure that local attacks do not develop into global ones, or exacerbate existing global threats, by the ill-considered aggregation of data, or by neglecting the principle of consent. The security policy principles that we wish to be enforced by all communicating clinical systems must prioritise issues such as aggregation and consent.

Ross Anderson
Fri Jan 12 10:49:45 GMT 1996