Operational security failure

A shocking article appeared yesterday on the BMJ website. It recounts how auditors called 45 GP surgeries asking for personal information about 51 patients. In only one case were they asked to verify their identity; the attack succeeded against the other 50 patients.

This is an old problem. In 1996, when I was advising the BMA on clinical system safety and privacy, we trained the staff at one health authority to detect false-pretext phone calls, and they found 30 a week. We reported this to the Department of Health, hoping they’d introduce some operational security measures nationwide; instead the Department got furious at us for treading on their turf and ordered the HA to stop cooperating (the story’s told in my book). More recently I confronted the NHS chief executive, David Nicholson, and patient tsar Harry Cayton, with the issue at a conference early last year; they claimed there wasn’t a problem nowadays now that people have all these computers.

What will it take to get the Department of Health to care about patient privacy? Lack of confidentiality already costs lives, albeit indirectly. Will it require a really high-profile fatality?

8 thoughts on “Operational security failure

  1. Well, I believe it takes either a calamity or a different approach to get people to take security seriously. You see, approaching the DoH to tell them how you found something that was quite wrong, just gets them on them defensive. You’re trying to tell Mr Nicholson that under his stewardship, there’s a degree of negligence when it comes to privacy, I’m not surprised you struggled to get any co-operation.

  2. How many clinics are there? If disclosing personal information of patients on 98% of 30+ calls a week isn’t a calamity, I don’t know what is. Maybe if one of those patients was somebody important, things might change.

  3. The BMJ letter is worrying, if sadly predictable. But the AIMS letter you link to is truly shocking. Perhaps I found it more surprising than the BMJ letter because I know a little more about computer security than I do about social work and patient care.

    There seems a common thread; how much do people trust those who collect information about them? On the one hand, we see medical receptionists are perhaps too trusting (or perhaps the system is genuinely trustworthy); on the other, parents feel they can no longer trust the medical professionals.

  4. @ Dave Berry,

    “on the other, parents feel they can no longer trust the medical professionals.”

    I’m quite sure it’s not just parents who no longer trust the “carring proffesions” it’s the children as well.

    Age Concern has tried to bring the subject of “elder abuse” up on many occasions in the past few years, seamingly without being heard by those in authority.

    The government just cut the number of inspectors down and implement self inspection scheams, on private care homes etc.

    Oh and complaints against inspectors reports appear to be almost invariably upheld in the favour of the private organisations…

  5. To misquote the chap from Sun, “Privacy is dead, get over it”.

    What is the purpose of the NHS’s NPfIT? To make information about patients more freely available. Built into the system from the start was the freedom for any Dept of Health civil servant to examine private data, so several years later why should the inevitable function creep not have granted those permissions to anyone with the guts to ask? Surely in a few more years it will be criminal NOT to have lost a few CDs in the post!

  6. Re: “We greatly appreciate the ease with which GP receptionists assisted us, however it would seem that such help is potentially open to abuse by anyone with a convincing medical story “calling from the hospital”. Such a story easily overcomes natural safeguards; hacking into a Healthspace account would be considerably more difficult.”

    This conclusion in the original BMJ article is sadly misguided. My day job includes technical support and I know how easy it is to get users to tell me their passwords (some even volunteer unprompted) or leave me with a logged-on session. No hacker skills are needed.

    One possible attack is by an insider, collecting information for the more unscrupulous breed of door-to-door salesmen, who are quite willing to bully the elderly. I’m sure these would pay big bucks for (say) a list of 100 local people with newly diagnosed Alzheimers. And getting this report from a computerised system would be very much easier than making 100 phone calls to receptionists.

  7. The original report was on the BMJ’s website, part of which is members only, so I thought I’d investigate its security.

    To register “You will need your BMA membership number or GMC number plus the postcode from your membership record (ie that to which your paper BMJ is sent).”
    http://resources.bmj.com/bmj/bma-members/access-the-bmj

    Sound difficult? You can get full names and GMC numbers by entering any surname into the following URL, and I expect many doctors receive the BMJ at their surgeries
    http://www.gmc-uk.org/register/search/index.asp

    But personally I’m doing medical research, of a type, so I’d register as a guest.
    https://registration.bma.org.uk/registerguest

Leave a Reply

Your email address will not be published. Required fields are marked *