
Executive Summary

Clinical data networking has the potential to improve patient care in various ways. Electronic referrals could cut hospital administration times; electronic discharge letters could help GPs provide better follow-up treatment; electronic pathology and radiology reports could cut the delays, errors and paperwork associated with paper systems; and telemedicine could give GPs and patients access to a wider range of specialists while cutting travelling cost and inconvenience.

One of the main obstacles to achieving these benefits is concern among clinical professionals and patients alike about both the safety and the privacy of electronic medical information. Errors in laboratory reports or referral letters could lead to incorrect treatment and cause harm or even death; putting clinical databases on-line could lead to breaches of privacy; and the move from paper to electronic records will introduce new medico-legal complexities when these records have to be relied on in evidence.

Some networks are made physically secure, using techniques such as armoured pressurised cables. However, this is very expensive and gives a relatively low level of assurance. It is usually more economic to protect electronic information on networks using cryptography. This includes two basic techniques:

digital signatures
can help assure the safety aspects of electronic messages. They bind a message to its originator and can detect any alteration to the message after it has been signed;

encryption
can help assure the privacy of a message by scrambling it under a key or keys whose corresponding decryption keys are only available to the message's authorised recipients.

The NHS Executive's Information Management group (IMG) understood the promise of cryptography and published a strategy on it in April 1996 [85]. Following questions raised by the BMA at a meeting in May [12], some clarifications were issued in [86], and in meetings with the BMA in June and July. There are now three encryption pilots underway, of which two are administratively directed and under IMG control while the third is more attuned to clinical needs. The IMG documents, together with the two pilots under IMG control, provide a coherent picture of a strategy for cryptography in the NHS.

This paper examines the documents and the strategy they purvey in order to assess its acceptability to the clinical professions. A number of problems have become apparent.

  1. The IMG strategy pays insufficient attention to the safety aspects of clinical messaging. Digital signatures are at least as important as encryption and are the subject of European standards activity; but the strategy concentrates on encryption first, with signatures to be added later.
  2. From the privacy viewpoint, the strategy uses an incorrect threat model: that most attacks will come from outsiders rather than insiders. This is based on IMG security policy documents that have now been superseded in the IMG's own thinking.
  3. Whether the protection priority is encryption or signature, a means of managing encryption keys must be provided and its structure determines the trust relationships in the resulting system. It is prudent practice to make electronic trust relationships mirror those in the underlying world of professional practice, and this principle is agreed between the BMA and the Department of Health [60]. Yet the strategy seeks to replace the current collegiate trust in medical practice with a centralised structure: a small number of `trusted third parties' are supposed to manage all the keys in the system. This will impose significant overheads and obstruct normal working practices, as well as being seen as a serious assault on professional independence.
  4. The estimated costs are not credible. In addition to assuming that key management can be centralised cheaply, the strategy ignores the costs of standards development, evaluation, system migration and training. On the other hand, the cost of cryptographic software is set at four times the market price. The proffered explanation, that development and training costs are bundled into the licence fee, appears to assume a monopoly that would undermine the other costing assumptions.
  5. The strategy is equivocal on the subject of key escrow. It initially appeared to be an attempt to have the NHS adopt a GCHQ escrowed encryption protocol [24] (or something similar); when asked at the June meeting for references to suitable protocols, the GCHQ protocol's precursor [45] was cited, and the writer interpreted the strategy document to mean that escrow will be a requirement ([85] p 58). This interpretation was expressly denied [86]. Yet at least one of the pilots under IMG control has the demonstration of escrow as one of its principal goals, and progress on the pilot under clinical control has been held up by an IMG demand that keys be generated centrally.
  6. The strategy of setting up escrowed encryption keys first and then using them to distribute digital signature keys means that a doctor's signature key could be recovered without his knowledge and used to forge apparently valid signatures. This is unacceptable on both safety and medico-legal grounds.
  7. The encryption mechanisms proposed are unnecessarily weak by the standards of current commercial cryptography and are unlikely to inspire public or professional confidence.
  8. The protocol and certification mechanisms that the strategy appears to be recommending to the NHS also suffer from various problems, ranging from year 2000 compliance through difficulties with replacing compromised keys, protecting security labels on data, and conformance with European standards. They also appear to lack the durability required for documents that might be used in evidence many years after being signed.
  9. Finally, the IMG's main cryptography strategy document contains a significant number of fundamental technical errors.
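
The signature properties described earlier (binding a message to its originator, detecting alteration) and the problem raised in point 6, shown as an added example that is not part of the original paper or of any NHS or GCHQ protocol. It assumes a toy textbook RSA with fixed small primes, a hypothetical `wrap` function standing in for encryption under the doctor's escrowed key, and constructed sample reports.

```python
import hashlib
import secrets

# Toy textbook RSA from two known Mersenne primes (constructed, unpadded and far
# too small for real use); it stands in for whatever signature scheme is deployed.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d: int, msg: bytes) -> int:
    return pow(digest(msg), d, N)

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(msg)

def wrap(enc_key: bytes, value: int) -> int:
    # Hypothetical stand-in for "encrypt under the recipient's encryption key":
    # XOR with a SHA-256-derived pad, so the same call also unwraps.
    pad = int.from_bytes(hashlib.sha256(b"wrap" + enc_key).digest(), "big")
    return value ^ pad

def escrowed_distribution() -> dict:
    enc_key = secrets.token_bytes(32)        # doctor's encryption key
    escrow_copy = bytes(enc_key)             # spare copy held by the escrow agent
    d = pow(E, -1, (P - 1) * (Q - 1))        # doctor's private signing exponent
    delivery = wrap(enc_key, d)              # signature key sent under enc_key
    doctor_d = wrap(enc_key, delivery)       # the doctor unwraps the key
    escrow_d = wrap(escrow_copy, delivery)   # and so can the escrow holder

    report = b"Pathology report 1: potassium 4.1 mmol/L"     # constructed sample
    altered = b"Pathology report 1: potassium 6.1 mmol/L"    # constructed sample
    sig = sign(doctor_d, report)
    return {
        "genuine_verifies": verify(report, sig),
        "alteration_detected": not verify(altered, sig),
        "escrow_has_signing_key": escrow_d == doctor_d,
        # A signature made with the escrow copy on a message the doctor never wrote
        "escrow_signature_verifies": verify(altered, sign(escrow_d, altered)),
    }

if __name__ == "__main__":
    for name, value in escrowed_distribution().items():
        print(f"{name}: {value}")
```

All four results are true: the verifier sees a valid signature in both cases and has no way to tell which key holder produced it, so the signature no longer identifies the doctor as originator.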

The heart of the matter is that the IMG cryptography strategy appears to encourage the NHS to adopt protection mechanisms very similar to those designed by CESG (a department of GCHQ) to protect government electronic mail. This is admitted by Andrew Saunders, the director of CESG and a main board director of GCHQ, in [75].

However, the GCHQ protocol mechanisms have different goals from those of the clinical professions. They attempt to keep a message between two officials secret from third parties, but available to both their superiors (and to the police and intelligence services) by ensuring that each official's departmental security officer has a spare copy of the key used to encrypt it. Furthermore, the key used to `sign' the message is also available to authority. Thus if an embarrassing message is leaked, it is always possible to claim that it was forged -- perhaps by the very security officer whose negligence permitted the leak. We can summarise this functionality as `secrecy with plausible deniability'.

Clinical professionals, on the other hand, require safety and privacy. The origin and content of messages should be indisputable, whether for the purposes of immediate clinical decision making or for litigation many years later. Patient privacy must also be respected; GMC guidelines mean that the patient (or the clinical professional acting as his advocate) must have control over who can read his records [38], and this in turn means supporting access control mechanisms that respect the organisational and professional realities of healthcare. These safety and privacy goals are both incompatible with the GCHQ approach to securing electronic mail.

The GCHQ approved protocol suffers from further problems [14], which it shares with the NHS Executive's strategy insofar as this has been spelt out in detail. For example, both assume that control will be centralised, which is not only in conflict with professional autonomy but highly likely to be impractical in the NHS. Officials have been informed repeatedly by the BMA that the GCHQ approach is unacceptable. Yet despite repeated official denials that escrow and centralisation are the objectives of the NHSE strategy, we are concerned that these very aspects of the GCHQ approach to protection are being implemented in the Teesside pilot.

In our view, there is no realistic prospect that the current strategy could win the trust of patients and professionals, and thus enable the many potential benefits of clinical messaging to be realised.

We will now discuss the above points in detail. In sections 2-9 below, we will discuss the points made in paragraphs 2-9 above. The point in paragraph 1, on the relative importance of encryption and signature, will be discussed in section 6 below, as it turns out to be closely related to point 6.


Ross Anderson
Mon Oct 6 12:47:34 BST 1997