If what this Times commentator describes is true, somebody should go to jail. The rest of us should take note. As we may have mentioned one or two thousand times before, security technology and security procedures mean absolutely nothing if there is not an organisational commitment to the security of information.

That senior officers of Norwich Union and Avivia would protect their own data following news of the leak without informing their customers is quite simply disgusting. I personally will remember this when making my own banking decisions, especially as all concerned remain in post, for some unfathomable reason.

“A security breach affecting an unknown number of Canadian citizens came to light last week in the Canadian province of Newfoundland and Labrador when a consultant for the Provincial Public Health Laboratory took a laptop containing patient health information home. The consultant was contacted by a person who identified himself as a representative of a computer security company and who claimed that he was able to access to data on the laptop through the consultant’s home Internet connection.”

…”The exposed information includes names, Medical Care Plan numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.”

In a related news story…. “Trust is fundamental to the effective management of security and privacy in the public realm. Surprised? “Results from a ground-breaking pan-European study show that when it comes to security and identity in electronic public services, trust is a critical issue for European eGovernment. Given recent negative press stories about the security risks associated with personal data on social networking sites such as Facebook, and recent events in the UK where the personal details of some 25 million citizens appear to have been lost, this paper comes as a timely reminder about the need to manage trust and security effectively.” …”The cc:eGov study has identified exceptional good practice in Europe, for example in Estonia where an integrated ID card provides access to public and private services. However, the Estonian Government is rigorous and thorough in its protection of citizens’ data, to the extent where sustained cyber attacks on their systems earlier this year did not result in a breach of security. The trust of citizens was therefore reinforced.”

Maybe we all need something to take our minds off the debacle at HMRC, so here’s a bit more about wireless networking devices in hospitals.

Last week we published a post about medical clinical assistants, mobile devices for use by hospital professionals. We profiled one that is coming to market soon. We received two comments which I’m dragging out of the comments box and putting in a post of their own, as I think they deserve a bit more exposure:

Responses to “Information Security and Healthcare”
David French Says:
November 7th, 2007 at 8:22 pm e
… I suspect that the subject of healthcare privacy needs a shake up from top to bottom. A few questions …

* Is it clear what the customer (that’s us, not the health managers) wants?
* What ‘need’ do these ‘wants’ reflect?
* Do the legislation and ethical requirements reflect this underlying need?
* Is there suitable compliance and enforcement of the legislation and ethical requirements?
* Should we get anaesthetists and paediatric cancer specialists before worrying about privacy and security?

When we have a good answer to those, we may be able to evaluate the technical questions about encrypting data at point of entry; securing information over wifi; ensuring that laptops and tablet devices are not attractive to thieves of information, identity or property (because they certainly will be available to all of those). …

Louise Ferguson Says:
November 19th, 2007 at 7:45 pm e
A tablet device is too large and heavy for any kind of pocket (and hospital staff don’t have anything other than pockets), so tends to get treated much as a paper file would: left around on top of drug or record trolleys, unattended in corridors, on patient beds, or just plugged into a base unit for recharging in an often unattended clerk’s area of the ward. At one hospital I was told they had for years had a serious problem with theft of equipment, drugs and so on, reportedly by local junkies, and I understand the same problem exists elsewhere. Ward drug trolleys had to be chained to immovable objects, so tablet devices might suffer similar problems.

If devices are shared, there is no device owner so nobody really takes responsibility for the device (security, recharging and so on). And until costs really come down, I don’t see such devices becoming personal (each ward would require dozens). (Of course many doctors already use their own PDAs, which do fit comfortably in the pocket and are very much personal devices. They don’t get talked about as they are often not hospital equipment or part of a procurement strategy.)

I think hacking and malware come a little way down the list of problems, which tend to be pretty mundane. For example, it’s actually difficult getting a reliable wi-fi connection throughout a hospital ward (partly owing to the built environment in healthcare I guess). If a single set of paper notes is missing, things can be rejigged while they are located, but if you can’t access any patient records at all for several hours across an entire ward (and I’ve seen that happen), the problem is a little more serious.

Picking up a tablet PC from the clerk’s desk and popping into the toilets with it would, in my view, not be a problem in the average hospital ward. Data is stored remotely, but password-sharing is widespread and indeed passwords may be available in the clerk’s area. Many people do not always logout anyway, so as long as the machine has not already auto logged out already, you’re in.

It has to be said that data privacy never seems to have been much of a concern in the paper era: files lie around everywhere for anyone to pick up and read, white boards display sometimes quite personal info to any ward visitor, and telephone conversations about patients take place in the hearing of any passer by. But the difference is in the volume of data to be had for so little effort.

I don’t see any online systems doing away with the traditional informal records that every patient has - handwritten notes tucked into the nurse’s pocket, prepared at shift handover. Or on the SHO’s PDA. Wireless tablet devices promise data input and data availability at the bedside, but I don’t see tablets being used for any serious volume of input. Which may mean people are going to continue writing things down in paper files…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

I think we tend to pay lip service to the idea that many information assurance issues are rooted in human behaviour. I wonder if we really tend to look at this proposition carefully. We might be reluctant because of the daunting scope of human-caused problems, or we might be reluctant because we understand how difficult it really is to change human behaviour.

“Two-thirds of IT managers don’t stop company employees from downloading music online, and only 1 in 5 block them from social networking Web sites. While a study found managers are worried about lost productivity and security issues, they also are concerned that blocking access to sites might hurt staff morale. The study, funded by antivirus software maker McAfee, also found that about 20% of workers let their friends and family use company computers, about 50% connect their own gadgets to their workstations and about 60% store personal content on company PCs.”

Mobile computing and wireless communications firm Motion Computing is collaborating with US computer chip manufacturer Intel to create a new tablet PC specifically for the healthcare sector called the mobile clinical assistant. It is now on the market.

“The Motion C5, the first mobile clinical assistant (MCA) that integrates technology from Intel® Health, combines durable design elements with key data capture technologies to simplify workflows, increase productivity and improve overall quality of care. Designed based on input from thousands of clinicians, the C5 brings reliable, automated patient data management directly to the point of care. Get a handle on patient care with the C5. It’s highly portable. It’s lightweight. And, it’s ready to work for you. A convergence of technologies allows you to do everything you normally do during your shift such as perform clinical documentation, administer medication and take pictures using a single device. With Intel® Centrino® mobile technology and integrated high-speed wireless connectivity, the Motion C5 integrates key functions that clinicians require to be productive during the course of the day.”

Now back in October of last year, when this was being tested, an interview with the company’s senior executives produced these quotes (notice the priority):

The new mobile clinical assistant will run using Motion’s existing tablet PC products and is being designed to advance the effectiveness of nurses, physicians and other clinicians. Toal told EHI that there were many questions about the ergonomics of the project that were being addressed and the product itself will probably not be released until mid-2007.

“The key thing that we are learning from staff about our plans to launch a mobile clinical assistant is not worry about the IT itself, but to ensure that we concentrate on the care-giving. The tablet needs to be a clinical aid, capable of improving the quality of care and the amount of time spent on delivering that care

“We have also had to address issues where staff here thought the technology we were using wasn’t mature enough and we have had to implement new technology such as RFID [Radio Frequency Identification Devices] and wireless transmissions in order to keep the product as effective as possible.”

However, Toal feels confident that tablet PCs will become the new norm for mobile medicine in the near future despite fears about durability and safety.

“There will always be barriers, but we are working hard to overcome these. Battery life and security issues are topics which will inevitably be part and parcel of the debate surrounding mobile technology, but I do believe that clinicians will soon be able to carry mini-tablets on them to every patient they see and be capable of producing the best patient care possible. ”

Let’s see. Wireless transmission of sensitive information–yeah, we’ll get to that right after we take care of those pesky ergonomic and battery life issues. And preventing hacking and malware to ensure that the information is accurate? Hmm. Let’s put that on the list of things to do after we make sure it doesn’t add to the weight of the tablet device.

Via Kable, I learn that “A group of MPs has recommended that a senior official be appointed to lead a coordinated approach to tackle identity fraud. The All Party Identity Fraud Group published a report on 6 October 2007 calling on the government to appoint an identity fraud tsar. It says this would ensure a joined up approach to tackling the problem by creating a single point of contact across government, the police and private sector. In the last two years there have been three ministers with responsibility for identity fraud, and the group believes this has undermined efforts to create a coordinated approach to the threat. The report sees the secure sharing of data between the government and the private sector as a key way to tackle identity fraud, and suggests that a central shared database could be set up to allow financial institutions to verify identities and quickly establish cases of deceased fraud.”

Okay–government involved: check. Single government point of contact–er, check? (Kind of a big government…). Private industry involved: Check.

Er, excuse me? If you don’t involve the citizen you will not resolve the issue.

More prosaic than new robots, less dramatic than Galileo funding (eppur’ si muove), the DfES may compel an answer to the eternal schoolchild’s plaint, ‘Please sir, I want some more.’ Children who don’t want their fingerprints scanned may yet find a school dinner waiting for them.

What alternatives to full compliance are available to citizens who don’t want to be included in databases? The government compels private companies to offer opt-out mechanisms for commercial databases, and strongly prefers that such databases be opt-in only. Does this not suggest that the government understands that participation should not be compelled?

Just asking.

Portsmouth’s Queen Alexandra Hospital, the Whittington Hospital NHS Trust and Notts Police have all recently adopted single sign-on systems. Has this become an accepted methodology for users?

I’m referring to the format, hopefully not the effect.

* The US Department of Homeland Security, which sets the benchmark for IT security practice in America, suffered more than 840 IT security lapses in 2005 and 2006, despite spending $332m on IT security this year.

* Unisys has dismissed reports in the Washington Post that it was to blame for data breaches at the US Department for Homeland Security last year. Unisys said, “The allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols.”

* Attackers have set their sights on two Microsoft flaws — an unpatched DirectX Media vulnerability and the XML Core Services flaw the software maker patched last week in its MS07-042 security update. Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.

* Hackers managed to steal information from the US Department of Transportation and several firms by using fake job listings for employees, reports Reuters. It is believed information was stolen from around 1,000 corporate PCs. The FBI is now investigating the reported breaches.

* Newham Borough Council has delayed a major desktop roll-out after hitting a barrier in its 10-year strategic relationship with Microsoft and Hewlett-Packard. The council has put back the deployment of Windows Vista in its new 1,500-desktop corporate head office by 12 months, because of a lack of Vista-certified applications from its third-party suppliers. As a result, Newham will incur the cost of deploying XP in the new office, only to have to upgrade the machines to Vista at a later date. The council will now roll out Windows XP in March 2008 instead of Vista as originally planned.

* Reliance on ID systems can take you to some strange places (via Ideal Government): “Supermarket staff refused to sell alcohol to a white-haired 72-year-old man - because he would not confirm he was over 21.”

* (Via Light Blue Touchpaper): “When it rains, it pours. Following the fuss over the Storm worm impersonating Tor, today Wired and The Register are covering the story of a Dan Egerstad, who intercepted embassy email account passwords by setting up 5 Tor exit nodes, then published the results online. People have been sniffing passwords on Tor before, and one even published a live feed. However, the sensitivity of embassies as targets and initial mystery over how the passwords were snooped, helped drum up media interest.”

* (Via Bruce Schneier) “Copper cable has been known as the easily tapped physical transmission medium for years. Conscientious network and security managers either provided tight physical security for cabling or used fiber as an alternative. Many network managers considered fiber relatively safe due to the perceived challenges associated with tapping into an optical cable run. However, fiber is no safer than copper. For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run. The tap consists of bending the fiber to the point that it leaks light.”