Tuesday, May 22, 2007

Are these people insane? Or just really, really stupid?

A little while ago, Timmy posted about MTAS and included an assessment which points out that, really, security in web systems should be thought about at every stage of implementation; in fact, it should be absolutely integral to the operation of the system. It isn't something that should be bolted on at the last minute if security is paramount; and surely, when you are storing everyone's medical histories, you really should be thinking about security at every single second.

Which makes this question and answer, highlighted by Dizzy, so absolutely confounding.
Yesterday, Oliver Heald MP asked the Secretary of State for Health, "whether a privacy impact assessment (a) has been produced and (b) is planned for the NHS spine project." In an amazing moment of honesty, Caroline Flint said, "No. We do not believe that such an assessment would serve any useful purpose at this stage of the project".

What.

The.

Fuck.

Are these people completely mental? Hello! Any politicians reading these ramblings? Are you completely fucking mental or what? (Answers in the comments, please.)

Oh, and while we are about it, can I remind everyone—again—that NHS Scotland already has a working system that cost a mere £24 million over four years. Being browser-based, it has no need for computer upgrades and no proprietary terminal-based software. So why have NHS England and Wales gone with that totally fucking stupid route solution?

Might I also remind you that your details will automatically be stored on the NHS Spine unless you request, in writing, that your GP withhold your details.

Given that the Spine, should it actually ever work, is obviously going to be a security fucking nightmare, I foresee record profits for the Royal Mail this year...

9 comments:

Mark Wadsworth said...

No references may be made to Caroline Flint MP without also linking to her website so that we can at least revel in her outstanding good looks.

other said...

Over the last few months I have come to the conclusion that "incompetence" as an excuse for political blundering is being fostered by the mainstream media as something inevitable and commonplace. This "incompetence smokescreen" can then be used to hide the true intentions of unpopular (secret) policies.

It's pretty obvious the government wants to find ways of employing as many people as it possibly can. Examples like "baby inspectors" and "happy coaches" for schools abound and to me this is just more of the same. Screw it up right at the beginning and then it'll have to be scrapped and restarted again. Lots of luverly jobs at the taxpayers' expense.

At least it's keeping those unemployment figures down, eh?

Saltburn subversives said...

Dear Devil, wicked blog.

Apropos of bugger all, you and your readers might be interested in this.

http://www.ejectejecteject.com/

Incidentally, it also gives an interesting explanation as to why marxism doesn't work.

berenike said...

How about a system with browser-based tools, in which THE PATIENT holds all his own records, in such a way that it is impossible (in any practical sense of the word) for them to be read by anyone except those whom the owner has given access, access which can at any point in the implementation process be set to allow read or write or modified write access to any class of people, yet the permission remains virtual until granted by the data owner, (lost the sentence structure there, sorry). Completely safe, completely flexible, cheap, ....

www.cipherme.pl

(The technology was developed by a wee Lothians company, who plugged to the Scots health people, but for whatever reason the latter chose not to go for it)

No, I don't work for this company!

Devil's Kitchen said...

Berenike,

Yes, you've recommended them before and I put the site away hoping to find some time to blog it but didn't.

I shall try to get around to it this time.

However, you can see the government's objection to that, can't you? If you are incapacitated, that doesn't give the A & E Hospital doctor the access to your records that the government claims is one of the big advantages of the Spine.

DK

xoggoth said...

No specific expertise in such systems but I have been in IT for a few decades and the idea that security must be considered at the outset and influences the direction of everything else is one of those daft ideas non-IT people have.

In coding/implementation terms it can be "bolted on" at any stage you like. What is really essential is that, at some stage in the project, it must receive sufficient attention and for that to happen it must be part of the contractual requirement.

This is where government contracts fall down, the government does not specify correctly or exactly because it is full of second raters. When I worked in defence, government project prices were always inflated, not just because contractors could get away with it but because they had to allow for continual changes. "Quality audits" were usually about some 25 year old telling you you had one more line of code in a function than your standards said. They were idiots.

Tim Almond said...

DK,

Do you have a reference to this not being browser-based? Just out of interest of writing a post and all that...

Devil's Kitchen said...

Tim,

Only from a recent Private Eye special, unfortunately. They are busy replacing terminals, etc. in hospitals.

DK

RightForScotland said...

And when we started the new phase of the project (porting it to VB.NET from ASP) we had on two guys who did nothing but security and think about how to break it. Everyone else wrote code around this (and in ASP.NET that is a piece of piss, just check the session on page load and examine the security string you find there).

It is not rocket science, indeed I could replicate the system the NHSiS has in a little under 3 days.

Berenike, the NHSiS and its medics own your medical data, not you. You can choose if you want it on the system but the doctors decide who sees what. It is like empire building for them and they enjoy the power it brings. If you were to give the patient the control it would be like a siege gun to their mentality.

And thanks again DK for remembering the post.