
Threat Model

When considering the implications of networking clinical systems together, IMG originally assumed that the main additional threat would be external `hackers' [53, 54, 55, 56, 57, 58, 59].

The BMA first pointed out in [6] that this was mistaken, and that the great majority of incidents would probably be due to abuse of authorised access by insiders. Further BMA documents discuss the issue in more detail [8, 9, 10]. The view that most attacks will be internal rather than external was confirmed in a study commissioned by IMG from the CCTA which reckoned that only 6% of attacks would be due to outsiders [58]. It has recently been further confirmed by MI5, whose UNIRAS unit now handles the reporting of computer security incidents in civil government; the head of UNIRAS stated that only 2% of attacks on UK government systems in 1994/5 were due to outsiders [33].

The head of IMG has since conceded that insiders pose the main threat, and that the former threat model no longer reflects government thinking [73]. This change of view needs to be incorporated into the cryptography strategy, which currently maintains that `current concerns about NWN security are centred on two main threats: the possibility of unauthorised individuals logging on to the network (and) the possibility of eavesdropping on network traffic' (p 10).

There is a serious engineering issue here. One of the most important tasks in systems engineering is to maintain synchrony between the many documents involved in a typical information systems project -- such as the user requirements document, the hazard analysis, the performance benchmarks, the technical specification, the source code, the manuals and the operators' training material. When this vital synchrony is lost -- as, for example, when modifications are made to a system without this being reflected in the specification and manuals -- then problems can be expected to occur.

After IMG accepted that their initial threat model was wrong, the BMA asked them to issue an amended set of policy documents, starting with the `NWN Threats and Vulnerabilities' [54], then leading on to a top level information systems security policy to replace [53], a data security policy to replace [55], and so on through [56, 57, 58] to the reference manual [59].

However, IMG refused to update their documents. This is unacceptably poor systems engineering practice; it has led to the adoption of a cryptography policy founded on assumptions that officials claim to have abandoned. Under the circumstances, the writers of this policy cannot be held wholly to blame for the erroneous direction of their document.

Methodological confusion can also be seen in the NWCS pilot, which appears to have been substantially completed before a risk analysis was attempted; when one was finally attempted, it was discovered that the CRAMM methodology used for it could not cope with encryption [62]. A risk analysis should precede the detailed technical specification of a system, let alone its implementation.

The real hazards to the safety and privacy of clinical information are discussed in [9]. They are the risk that clinical messages may become corrupted, whether accidentally or maliciously, and the lack of adequate access control mechanisms in heterogeneous distributed systems. This analysis leads naturally to the BMA's security policy [8], which describes the requirements for cryptography: to protect the safety of clinical messages (using digital signatures), and to protect their privacy (using encryption to support access control). A secondary objective is to assure the medico-legal reliability of electronic health records.

The prevention of eavesdropping by third parties is of minor importance. If it were the primary objective, then the expenditure of over ten million pounds could not be justified, as there is so far no known NHS case of wiretapping leading either to a financial loss or a privacy compromise. (There are however a number of cases where information has been corrupted or misrouted.)

These considerations have been at the forefront of debate since the BMA policy was published in January 1996. Yet the IMG strategy ignores them, and repeats the view that concern focuses on outsiders (as in the statement on unauthorised logon and eavesdropping quoted above).

After this inconsistency was pointed out to officials in May, a second document claimed that their `work has not assumed any particular threat model' ([86], p 2). This is hard to reconcile with the statement quoted above; with the statement on p 24 of the strategy that encryption guidance `would have to be written in the context of the current Data Networking Security Policy, Guidelines and Codes of Connection'; and the statement on p 42 that `care must be taken to ensure that (cryptography) does not interfere with or run across the desired access control systems'. It is also contrary to good cryptographic engineering practice: the design of cipher systems should take into consideration the environment in which they operate and the kinds of attack that may be expected ([18], chapter 8).

The requirement that encryption should support access control was conceded by the IMG at the June meeting. We will return later to the technical aspects of linking encryption with access control.

There appears to be further confusion about whether cryptography should protect traffic on local as well as wide area networks. On p 8 it is said that eavesdropping and tampering on LANs should be dealt with using different controls, but p 42 claims that encryption `can be used to address security needs which exist outside the NWN, including the encryption of data transmitted over other networks such as local LANs'.

In addition, the discussion of the threat model fluctuates somewhat over pages 10-12. On page 10 we learn that after `strong authentication' is in place, `Addressing the remaining eavesdropping threat is the subject of the present study'. On the next page the threat model includes `repudiation of a message sent earlier by the sender (for example, the potential disowning of a negligent pathology result)'. Yet by p 12 the conclusion has been reached that `confidentiality is seen to be the widest requirement. This justifies the requested approach which was of focusing first on the encryption solution and then examining ways by which the encryption solution could be extended'. Whether the request for this approach was made by IMG or by GCHQ is not stated. We shall return to the importance of the order of encryption and signature, and its implications for policy, in section 6.

Lack of clarity about threats and protection goals extends to the NWCS pilot. The ethical objection to NWCS is that it creates a large centralised database, outside clinical control, that contains highly sensitive information (such as treatments for HIV and terminations of pregnancy), that identifies patients fully, and that contains information on most of the population. The US experience suggests that once such a database has been created, there will be inexorable pressures for legitimised access by all kinds of interests, starting with researchers and proceeding via policemen and social security fraud investigators to insurance companies and credit reference agencies. The encryption of data en route to such a facility is irrelevant to these concerns.

Furthermore, where a system has a star topology (as with the NWCS where many healthcare providers feed data to one contractor), there is no need for elaborate public key management schemes; and where the Secretary of State owns all the data anyway, there is no visible purpose served by key escrow (which we will discuss more fully in the next section).


Ross Anderson
Mon Oct 6 12:47:34 BST 1997