Pages

Labels

Thursday, May 31, 2012

Portal Security May Be A Bigger Issue Than We Have Recognised. This May Be An Issue For The NEHRS (PCEHR).

The following article appeared a few days ago.

Proposed NHS portal raises questions about data security

May 25, 2012
The new NHS information strategy is to allow patients, health professionals, commissioners and researchers to access their records easily.
The national ‘portal' will allow all NHS patients to be able to have secure online access, where they wish it, to their personal health records by 2015. According to E-Health Insider, this will fit with the central theme of shifting to a sharing of information within and between health and social care providers, and capturing data just once at the point of care.
David Harley, senior research fellow at ESET and former director of the NHS Threat Assessment Centre, looked at the plan and said he felt it read more like an extended mission statement than a real strategy document.
He said: “Even the polysyllabic version seems to me to say, basically, that the security of an individual's data will depend on the data being handled responsibly by medical professionals; and on the sharing of such information by the individual only with appropriate people.
“The security model of the central repository isn't defined, even in the main document. Instead the emphasis is on the need to share the data with the subject of the data, with professionals treating the subject and the agencies who would make use of the anonymised/sanitised data.”
Harley said that the model described doesn't sound like it has been changed significantly from the NHS National Programme for IT (NPfIT) model, as the central agencies under control of the Department of Health are focusing on central security.
“I'd be willing to place a small bet on the implementation continuing to rely on external providers rather than in-house expertise and a lot of responsibility devolved to ‘the local level',” he said.
“The emphasis on better data sharing with the data subject, however desirable in principle, does increase the attack surface – even if the central resource is soundly protected, it seems to me that how local services and data subjects access data is likely to be highly dependent on local conditions. We're already all too aware that security awareness across the many individual units that make up the NHS is highly variable.”
Marc Lee, EMEA sales director at Courion, said: “Giving all NHS patients secure online access to their records by 2015 is hugely ambitious.
Lots more here:
Clearly a very similar portal - conceptually at least - is to be a major component of the proposed NEHRS (PCEHR). The logistics of what the NHS is proposing seem even more daunting that the proposed secondary system that is the NEHRS. Access to primary systems will be even more complex - although we know at a local level some of their major vendors already have operational systems that get pretty close to what is envisaged.
Again we have the issue of just additional functionality beyond look up of information is to be enabled. This will be the major determinant of the level of use I believe.
And in late breaking news we now have news of the Government E-Health Information Portal Site being attacked and defaced by hackers.

Official Australian e-health info page defaced

infEktard by anti-government, anti-monopoly protestors.
  • Liam Tung (CSO Online (Australia))
  • — 30 May, 2012 11:41
An apparent trio of ‘hackers’ operating under the LatinHackTeam banner has claimed the Australian Government’s Department of Health and Ageing eHealth education site as its 13,789th ‘defacement‘ victim.
The group’s latest record on Zone-H, a site that archives website vandalisations, is the department’s eHealth education site, publicleanring.ehealth.gov.au.
The site is a learning portal aimed at preparing consumers and healthcare professionals for the July 2012 launch of eHealth records in Australia.
“infEkt”, “Adminp4nic” and “eCore” apparently do their homework, claiming to have targeted the site because they were “Against government corruption !!”
More here:
Oh dear, oh dear!
David.