Clinical data networking has the potential to improve patient care in various ways. Electronic referrals could cut hospital administration times; electronic discharge letters could help GPs provide better follow-up treatment; electronic pathology and radiology reports could cut the delays, errors and paperwork associated with paper systems; and telemedicine could give GPs and patients access to a wider range of specialists while cutting travelling cost and inconvenience.
One of the main obstacles to achieving these benefits is concern among both clinical professionals and patients about both the safety and privacy of electronic medical information. Errors in laboratory reports or referral letters could lead to incorrect treatment and cause harm or even death; putting clinical databases on-line could lead to breaches of privacy; and the move from paper to electronic records will introduce new medico-legal complexities when these records have to be relied on in evidence.
Some networks are made physically secure, using techniques such as armoured pressurised cables. However, this is very expensive and gives a relatively low level of assurance. It is usually more economical to protect electronic information on networks using cryptography. This includes two basic techniques:
The NHS Executive's Information Management Group (IMG) understood the promise of cryptography and published a strategy on it in April 1996 [85]. Following questions raised by the BMA at a meeting in May [12], some clarifications were issued in [86] and in meetings with the BMA in June and July. There are now three encryption pilots under way, of which two are administratively directed and under IMG control, while the third is more attuned to clinical needs. The IMG documents, together with the two pilots under IMG control, provide a coherent picture of a strategy for cryptography in the NHS.
This paper examines those documents and the strategy they set out, in order to assess its acceptability to the clinical professions. A number of problems have become apparent.
The heart of the matter is that the IMG cryptography strategy appears to encourage the NHS to adopt protection mechanisms very similar to those designed by CESG (a department of GCHQ) to protect government electronic mail. This is admitted by Andrew Saunders, the director of CESG and a main board director of GCHQ, in [75].
However, the GCHQ protocol mechanisms have different goals from those of the clinical professions. They attempt to keep a message between two officials secret from third parties, but available to both their superiors (and to the police and intelligence services), by ensuring that each official's departmental security officer has a spare copy of the key used to encrypt it. Furthermore, the key used to `sign' the message is also available to authority, so a valid signature no longer proves who produced it. Thus if an embarrassing message is leaked, it is always possible to claim that it was forged -- perhaps by the very security officer whose negligence permitted the leak. We can summarise this functionality as `secrecy with plausible deniability'.
Clinical professionals, on the other hand, require safety and privacy. The origin and content of messages should be indisputable, whether for the purposes of immediate clinical decision making or for litigation many years later. Patient privacy must also be respected; GMC guidelines mean that the patient (or the clinical professional acting as his advocate) must have control over who can read his records [38], and this in turn means supporting access control mechanisms that respect the organisational and professional realities of healthcare. These safety and privacy goals are both incompatible with the GCHQ approach to securing electronic mail.
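The contrast between the two preceding paragraphs can be made concrete. The following Go program is an added illustration, not code from the paper or from any NHS or GCHQ system: it models a clinician with an Ed25519 signing key and a departmental security officer who may or may not hold a spare copy of that key. The names, the `Officer` type, the `Repudiable` check and the sample referral text are all constructed for the example. It shows that once the signing key is escrowed, the officer can produce a message that verifies under the clinician's public key, so even a genuine referral becomes deniable; with the key held only by the signer, a valid signature is evidence of origin, which is the clinical requirement. (Escrow of the encryption key, the other half of the GCHQ mechanism, is left out here: it lets the officer read messages but gives no ability to forge them.)

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Clinician holds an Ed25519 signing key pair. A signature binds the clinician
// only for as long as nobody else holds priv.
type Clinician struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewClinician(name string) *Clinician {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Clinician{Name: name, Pub: pub, priv: priv}
}

func (c *Clinician) Sign(msg []byte) []byte { return ed25519.Sign(c.priv, msg) }

func (c *Clinician) Verify(msg, sig []byte) bool { return ed25519.Verify(c.Pub, msg, sig) }

// Officer models the departmental security officer of the GCHQ scheme, who
// keeps spare copies of keys. Which keys are escrowed is the policy choice
// under discussion; this hypothetical type only records signing keys.
type Officer struct {
	signingKeys map[string]ed25519.PrivateKey // escrowed signing keys, by clinician name
}

func NewOfficer() *Officer {
	return &Officer{signingKeys: map[string]ed25519.PrivateKey{}}
}

// EscrowSigningKey is the step the paper objects to: once it has happened, a
// signature that verifies under c.Pub could equally have come from the officer.
func (o *Officer) EscrowSigningKey(c *Clinician) { o.signingKeys[c.Name] = c.priv }

// ForgeAs signs msg with an escrowed key; ok is false if the officer lacks it.
func (o *Officer) ForgeAs(name string, msg []byte) (sig []byte, ok bool) {
	k, held := o.signingKeys[name]
	if !held {
		return nil, false
	}
	return ed25519.Sign(k, msg), true
}

// Repudiable reports whether c can plausibly deny a signature that verifies
// under c.Pub, which is exactly the case when someone else also holds the key.
func Repudiable(o *Officer, c *Clinician, msg, sig []byte) bool {
	if !c.Verify(msg, sig) {
		return false // not a valid signature, so there is nothing to repudiate
	}
	_, escrowed := o.signingKeys[c.Name]
	return escrowed
}

func main() {
	dr := NewClinician("Dr Smith") // constructed name
	so := NewOfficer()
	referral := []byte("Referral: patient 0001 to cardiology, urgent") // constructed sample message
	sig := dr.Sign(referral)
	fmt.Println("before escrow, genuine referral repudiable:", Repudiable(so, dr, referral, sig))

	so.EscrowSigningKey(dr)
	letter := []byte("Discharge: no follow-up required") // constructed forged message
	forged, _ := so.ForgeAs(dr.Name, letter)
	fmt.Println("forged discharge letter verifies as Dr Smith:", dr.Verify(letter, forged))
	fmt.Println("after escrow, genuine referral repudiable:", Repudiable(so, dr, referral, sig))
}
```

The `Repudiable` check is deliberately a statement about key custody, not about the mathematics: the signature verifies identically in both runs, and what changes is only who could have made it. That is why the paper's evidential requirement (origin indisputable years later) cannot be met by any scheme in which the signing key is copied to a third party, however trustworthy that party is meant to be.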
The GCHQ-approved protocol suffers from further problems [14], which it shares with the NHS Executive's strategy insofar as this has been spelt out in detail. For example, both assume that control will be centralised, which is not only in conflict with professional autonomy but highly likely to be impractical in the NHS. Officials have been informed repeatedly by the BMA that the GCHQ approach is unacceptable. Yet despite repeated official denials that escrow and centralisation are the objectives of the NHSE strategy, we are concerned that these very aspects of the GCHQ approach to protection are being implemented in the Teesside pilot.
In our view, there is no realistic prospect that the current strategy could win the trust of patients and professionals, and thus enable the many potential benefits of clinical messaging to be realised.
We will now discuss the above points in detail. In sections 2-9 below, we will discuss the points made in paragraphs 2-9 above. The point in paragraph 1, on the relative importance of encryption and signature, will be discussed in section 6 below, as it turns out to be closely related to point 6.