What is it about smart cards and health? Health ought to be one of the places where getting someone’s identity right — and being able to authenticate them quickly and efficiently — is a driver. In the U.K., indeed, smart cards are being used for access to NHS records, although with the Department of Health’s recent security problems it might be better to just put everyone’s health records on the web and be done with it. Anyway, according to Connecting for Health, staff will have smartcards and passwords, designed to restrict access to full data to those clinicians who need it, while administrative staff would only be able to see basic patient information. Sadly, in practice, this means that staff find the highest level card they can and leave it logged in all day so that anyone can look up anything, although whether the records they are looking at are real or not is another issue. Someone told me recently that Connecting for Health has been “descoped” so that medical staff can’t get access to patient records any more, so perhaps security problems will go away. Or at least they will go away until home access via the website Health Space, which will be phased in from later this summer, starts up. This will give people passwords to look at their personal records from home. Connecting for Health say the site will be “highly secure, and will have far more protection than websites such as those which offer online banking”. I will send a prize to the first person to receive a health phishing e-mail: “Hello, this is the Department for Health, we’re just testing our security, please log in to your health record here…”.
Why would anyone want to look at anyone else’s health records anyway? Oh wait… Marlene Stallard was in the fight for her life with ovarian cancer when Stephanie MacDonald — high-school sweetheart of Marlene’s husband James Stallard — accessed her private medical records and passed the information on to James. This sort of thing is against the law in Canada, and she was caught and fined $10,000. MacDonald gained access to test results, biopsy findings and X-rays belonging to Marlene 17 times between August 2005 and May 2006. (She used the information to try to “prompt James into a more permanent relationship”.) So how did she get the data? Did she employ Russian master hackers? Create false identity papers? Break into the hospital in the middle of the night? No, of course not. She was a clerk at the Dr. McPhalen Professional Corporation, and therefore had legitimate access to medical records. As an aside, note that the NHS employs something like a million people in the U.K., which, in security terms, is everyone.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public