next up previous
Next: References Up: No Title Previous: What is the IMG


The debate over security in NHS networking originally arose because of doctors' growing concern that many systems being built or proposed by IMG on behalf of the NHS Executive made large quantities of personal health information available centrally to administrators and other persons who are not clinicians, are not involved directly in the care of individual patients, and do not have the consent of patients to share this information. These systems include but are not limited to Clearing, HES, administrative registers, prescription pricing, and a growing number of disease specific databases.

Part of the Department of Health's response to this concern was the IMG strategy for cryptography. Unfortunately, as set out above, this strategy will not overcome the dangers of centralising personal health information, and it will not protect it from clandestine access by the police, benefit agencies, social work departments and other government bodies. On these grounds alone it is unlikely to win the trust of either professions or the public, both of which are essential if the NHS is to enjoy the benefits that networked clinical systems could bring. It is also unacceptable for a large number of detailed technical and other reasons.

What is needed is an architecture, based on open systems and standards where possible, that reflects the structure of trust in existing practice; which supports digital signatures for safety and encryption for privacy; which supports access controls of the type described in the BMA security policy; which has not been weakened to allow undetected intrusion by police and other government agencies; and takes into account the information technologies actually used or about to be introduced by British healthcare providers.

Ross Anderson
Mon Oct 6 12:47:34 BST 1997