[Dave Birch] It’s really difficult to keep big systems secure when they have lots of users. Especially when those users don’t really care about security. And worse when there’s no identity infrastructure. The textbook case study for years to come will be the “troubled” $25 billion-ish National Health Service “Connecting for Health” (CfH) system. It’s travelling a predictably rocky road. NHS staff (which, from a risk analysis perspective, means everyone in the world — the NHS employs over a million people) have complained they have not been properly consulted, system designers have argued it is foolhardy to keep patient records in one central database and security experts have warned that the system might (!) be vulnerable to unauthorised users. Some of the most stringent security measures in the IT industry have been devised to protect confidential information: staff have been issued with smart cards, for example. Of course, they don’t actually use them to log in: they find the person with the highest level of authorisation, put their smart card into the system and then leave the card in until the end of the shift.

Now, I’m not arguing that a technology fan like me thinks that we shouldn’t modernise. And I’m certainly not arguing that we shouldn’t use smart cards. I rather like the French system, as it happens, where a doctor and a patient use both of their smart cards together in order to access health details. The problem is that without vision on the identity side — and I would, of course, argue for the kind of digital identity utility vision — you end up with a kind of Potemkin security: smart cards give the illusion of security but there is no actual security behind the facade.

Clearly, smart cards could make a big difference. I say “could”, because it’s not clear whether they are yet. Look at the experience in Croydon where the Mayday NHS Trust is using the cards already. Theoretically, the CfH smart cards will enable clinicians and administrators to log onto any NHS computer and access relevant information and services. But so far only one national application is available: the Choose and Book electronic appointment service (and it is only being used by 200 of 1,500 employees). In practice, all most staff use their smart cards for is logging on to existing hospital systems. In future the trust hopes to use the cards for the canteen, car parking and access but I should imagine that’s some way off. For one thing, it would mean having contactless or dual-interface cards, which they currently do not, and for another thing it would mean actually monitoring who is using what card, or even if they still have their card. Nearly 400,000 of these cards have been issued, including more than 60,000 with GP access. There are nearly 23,000 NHS “sponsors” (i.e., people who can authorise issuing a card to someone). But there are no central records of cards that have been lost or stolen. The solution, I’d imagine, would be to store digital identities on the card and create shorter-lifetime virtual identities for use in CfH. So, you might issue nurses with a virtual (and perhaps even pseudonymous) identity that will expire in a month — so if the card gets stolen it’s no use to a thief — whereas higher-level identities would require re-issuing in shorter cycles. Apart from anything else, this approach would begin to decouple the management of the card (an IT issue) from the management of the identity (a “business” issue).
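A sketch of the short-lifetime virtual identity idea described above, as an added example that is not part of the original post or of any NHS system. The class name, the role lifetimes and the card serials used with it are assumptions, and an HMAC stands in for whatever signature scheme a real issuer would use.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

# Assumed lifetimes (constructed): the post suggests about a month for nurses
# and shorter re-issue cycles for higher-level identities.
LIFETIMES = {"nurse": timedelta(days=30), "gp": timedelta(days=7)}


class IdentityIssuer:
    """Manages virtual identities separately from the physical cards."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer's signing key
        self._card_of = {}                   # pseudonym -> card serial
        self.revoked_cards = set()           # central lost/stolen register

    def _mac(self, pseudonym, role, expires):
        msg = f"{pseudonym}|{role}|{expires.isoformat()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, card_serial, role, now):
        """Issue a pseudonymous, time-limited identity to be stored on a card."""
        if card_serial in self.revoked_cards:
            raise PermissionError("card reported lost or stolen")
        pseudonym = secrets.token_hex(8)     # no staff name in the credential
        expires = now + LIFETIMES[role]
        self._card_of[pseudonym] = card_serial
        return {"pseudonym": pseudonym, "role": role, "expires": expires,
                "mac": self._mac(pseudonym, role, expires)}

    def report_lost(self, card_serial):
        self.revoked_cards.add(card_serial)

    def check(self, cred, now):
        """Return (ok, reason) for a credential presented at login."""
        expected = self._mac(cred["pseudonym"], cred["role"], cred["expires"])
        if not hmac.compare_digest(expected, cred["mac"]):
            return False, "tampered"
        if now >= cred["expires"]:
            return False, "expired"
        if self._card_of.get(cred["pseudonym"]) in self.revoked_cards:
            return False, "card revoked"
        return True, "ok"
```

Expiry bounds how long an unreported stolen card stays useful, while the central register cuts off a reported one immediately; neither check depends on replacing the physical card.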

