Comments on: Operational security failure http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/ Security Research, Computer Laboratory, University of Cambridge Fri, 05 Dec 2008 08:12:39 +0000 http://wordpress.org/?v=2.6.3 By: Pete Austin http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29417 Pete Austin Fri, 27 Jun 2008 18:04:22 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29417 The original report was on the BMJ's website, part of which is members only, so I thought I'd investigate its security. To register "You will need your BMA membership number or GMC number plus the postcode from your membership record (ie that to which your paper BMJ is sent)." http://resources.bmj.com/bmj/bma-members/access-the-bmj Sound difficult? You can get full names and GMC numbers by entering any surname into the following URL, and I expect many doctors receive the BMJ at their surgeries http://www.gmc-uk.org/register/search/index.asp But personally I'm doing medical research, of a type, so I'd register as a guest. https://registration.bma.org.uk/registerguest The original report was on the BMJ’s website, part of which is members only, so I thought I’d investigate its security.

To register “You will need your BMA membership number or GMC number plus the postcode from your membership record (ie that to which your paper BMJ is sent).”
http://resources.bmj.com/bmj/bma-members/access-the-bmj

Sound difficult? You can get full names and GMC numbers by entering any surname into the following URL, and I expect many doctors receive the BMJ at their surgeries
http://www.gmc-uk.org/register/search/index.asp

But personally I’m doing medical research, of a type, so I’d register as a guest.
https://registration.bma.org.uk/registerguest

]]> By: Pete Austin http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29416 Pete Austin Fri, 27 Jun 2008 16:51:40 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29416 Re: "We greatly appreciate the ease with which GP receptionists assisted us, however it would seem that such help is potentially open to abuse by anyone with a convincing medical story “calling from the hospital”. Such a story easily overcomes natural safeguards; hacking into a Healthspace account would be considerably more difficult." This conclusion in the original BMJ article is sadly misguided. My day job includes technical support and I know how easy it is to get users to tell me their passwords (some even volunteer unprompted) or leave me with a logged-on session. No hacker skills are needed. One possible attack is by an insider, collecting information for the more unscrupulous breed of door-to-door salesmen, who are quite willing to bully the elderly. I'm sure these would pay big bucks for (say) a list of 100 local people with newly diagnosed Alzheimers. And getting this report from a computerised system would be very much easier than making 100 phone calls to receptionists. Re: “We greatly appreciate the ease with which GP receptionists assisted us, however it would seem that such help is potentially open to abuse by anyone with a convincing medical story “calling from the hospital”. Such a story easily overcomes natural safeguards; hacking into a Healthspace account would be considerably more difficult.”

This conclusion in the original BMJ article is sadly misguided. My day job includes technical support and I know how easy it is to get users to tell me their passwords (some even volunteer unprompted) or leave me with a logged-on session. No hacker skills are needed.

One possible attack is by an insider, collecting information for the more unscrupulous breed of door-to-door salesmen, who are quite willing to bully the elderly. I’m sure these would pay big bucks for (say) a list of 100 local people with newly diagnosed Alzheimers. And getting this report from a computerised system would be very much easier than making 100 phone calls to receptionists.

]]> By: Yokel http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29399 Yokel Wed, 25 Jun 2008 10:04:01 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29399 To misquote the chap from Sun, "Privacy is dead, get over it". What is the purpose of the NHS's NPfIT? To make information about patients more freely available. Built into the system from the start was the freedom for any Dept of Health civil servant to examine private data, so several years later why should the inevitable function creep not have granted those permissions to anyone with the guts to ask? Surely in a few more years it will be criminal NOT to have lost a few CDs in the post! To misquote the chap from Sun, “Privacy is dead, get over it”.

What is the purpose of the NHS’s NPfIT? To make information about patients more freely available. Built into the system from the start was the freedom for any Dept of Health civil servant to examine private data, so several years later why should the inevitable function creep not have granted those permissions to anyone with the guts to ask? Surely in a few more years it will be criminal NOT to have lost a few CDs in the post!

]]> By: Clive Robinson http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29341 Clive Robinson Fri, 20 Jun 2008 20:32:00 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29341 @ Dave Berry, "on the other, parents feel they can no longer trust the medical professionals." I'm quite sure it's not just parents who no longer trust the "carring proffesions" it's the children as well. Age Concern has tried to bring the subject of "elder abuse" up on many occasions in the past few years, seamingly without being heard by those in authority. The government just cut the number of inspectors down and implement self inspection scheams, on private care homes etc. Oh and complaints against inspectors reports appear to be almost invariably upheld in the favour of the private organisations... @ Dave Berry,

“on the other, parents feel they can no longer trust the medical professionals.”

I’m quite sure it’s not just parents who no longer trust the “carring proffesions” it’s the children as well.

Age Concern has tried to bring the subject of “elder abuse” up on many occasions in the past few years, seamingly without being heard by those in authority.

The government just cut the number of inspectors down and implement self inspection scheams, on private care homes etc.

Oh and complaints against inspectors reports appear to be almost invariably upheld in the favour of the private organisations…

]]> By: Dave Berry http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29340 Dave Berry Fri, 20 Jun 2008 08:42:48 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29340 The BMJ letter is worrying, if sadly predictable. But the AIMS letter you link to is truly shocking. Perhaps I found it more surprising than the BMJ letter because I know a little more about computer security than I do about social work and patient care. There seems a common thread; how much do people trust those who collect information about them? On the one hand, we see medical receptionists are perhaps too trusting (or perhaps the system is genuinely trustworthy); on the other, parents feel they can no longer trust the medical professionals. The BMJ letter is worrying, if sadly predictable. But the AIMS letter you link to is truly shocking. Perhaps I found it more surprising than the BMJ letter because I know a little more about computer security than I do about social work and patient care.

There seems a common thread; how much do people trust those who collect information about them? On the one hand, we see medical receptionists are perhaps too trusting (or perhaps the system is genuinely trustworthy); on the other, parents feel they can no longer trust the medical professionals.

]]> By: MikeP http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29334 MikeP Thu, 19 Jun 2008 02:07:24 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29334 How many clinics are there? If disclosing personal information of patients on 98% of 30+ calls a week isn't a calamity, I don't know what is. Maybe if one of those patients was somebody important, things might change. How many clinics are there? If disclosing personal information of patients on 98% of 30+ calls a week isn’t a calamity, I don’t know what is. Maybe if one of those patients was somebody important, things might change.

]]> By: David http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29327 David Wed, 18 Jun 2008 13:06:56 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29327 Well, I believe it takes either a calamity or a different approach to get people to take security seriously. You see, approaching the DoH to tell them how you found something that was quite wrong, just gets them on them defensive. You're trying to tell Mr Nicholson that under his stewardship, there's a degree of negligence when it comes to privacy, I'm not surprised you struggled to get any co-operation. Well, I believe it takes either a calamity or a different approach to get people to take security seriously. You see, approaching the DoH to tell them how you found something that was quite wrong, just gets them on them defensive. You’re trying to tell Mr Nicholson that under his stewardship, there’s a degree of negligence when it comes to privacy, I’m not surprised you struggled to get any co-operation.

]]> By: Westfalia http://www.lightbluetouchpaper.org/2008/06/17/operational-security-failure/#comment-29326 Westfalia Wed, 18 Jun 2008 11:25:48 +0000 http://www.lightbluetouchpaper.org/?p=337#comment-29326 thats hard facts - i hope something will change quickly. thats hard facts - i hope something will change quickly.

]]>