I’m at SHB 2010, which brings security engineers together with psychologists, behavioral economists and others interested in deception, fraud, fear, risk perception and how we make security systems more usable.
Here is the agenda. I will be liveblogging the event in comments below this post. Here are the liveblogs for SHB 2009 and SHB 2008.
Today sees the publication of a report by Professor Trisha Greenhalgh into the Summary Care Record (SCR). There is a summary of the report in the BMJ, which also has two discussion pieces: one by Sir Mark Walport of the Wellcome Trust arguing that the future of medical records is digital, and one by me which agrees but argues that as the SCR is unsafe and unlawful, it should be abandoned.
Two weeks ago I reported here how the coalition government planned to retain the SCR, despite pre-election promises from both its constituent parties to do away with it. These promises followed our Database State report last year which demonstrated that many of the central systems built by the previous government contravened human-rights law. The government’s U-turn provoked considerable anger among doctors. NGOs and backbench MPs, prompting health minister Simon Burns to promise a review.
Professor Greenhalgh’s review, which was in fact completed before the election, finds that the SCR fails to do what it was supposed to. It isn’t used much; it doesn’t fit in with how doctors and nurses actually work; it doesn’t make consultations shorter but longer; and the project was extremely badly managed. In fact, her report should be read by all serious students of software engineering; like the London Ambulance Service report almost twenty years ago, this document sets out in great detail what not to do.
For now, there is some press coverage in the Telegraph, the Mail, E-health Insider and Computerworld UK.
Here is a liveblog of WEIS which is being held today and tomorrow at Harvard. It has 125 attendees: 59% academic, 15% govt/NGO, and 26% industry; the split of backgrounds of 47% CS, 35% econ/management and 18% policy/law. The paper acceptance rate was 24/72: 10 empirical papers, 8 theory and 6 on policy.
The workshop kicked off with a keynote talk from Tracey Vispoli of Chubb Insurance. In early 2000s, insurance industry thought cyber would be big. It isn’t yet, but it is starting to grow rapidly. There is still little actuarial data. But the tndustry can shape behaviour by being in the gap between risk aversion and risk tolerance. Its technical standards can make a difference (as with buildings, highways, …). So far a big factor is the insurance response to notification requirements: notification costs of $50-60 per compromised record mean that a 47m compromise like TJX is a loss you want to insure! So she expects healthy supply and demand model for cyberinsurance in coming years. This will help to shape standards, best practices and culture.
Questions: are there enough data to model? So far no company has enough; ideally we should bring data together from industry to one central shared point. Government has a role as with highways. Standards? Client prequalification is currently a fast-moving target. Insurers’ competitive advantage is understanding the intersection between standards and pricing. Reinsurance? Sure, where a single event could affect multiple policies. Tension between auditability and security in the power industry (NERC) – is there any role for insurance? Maybe, but legal penalties are in general uninsurable. How do we get insurers to come to WEIS? It would help if we had more specificity in our research papers, if we did not just talk about “breaches” but “breaches resulting in X” (the industry is not interested in national security, corporate espionage and other things that do not result in claims). Market evolution? She predicts the industry will follow its usual practice of lowballing a new market until losses mount, then cut back coverage terms. (E.g. employment liability insurance grew rapidly over last 20 years but became unprofitable because of class actions for discrimination etc – so industry cut coverage, but that was OK as it helped shape best employment practice). Data sharing by industry itself? Client confidentiality stops ad-hoc sharing but it would be good to have a properly regulated central depository. Who’s the Ralph Nader of this? Broad reform might come from the FTC; it’s surprising the SEC hasn’t done anything (HIPAA and GLB are too industry-specific). Quantifiability of best practice? Not enough data. How much of biz is cyber? At present it’s 5% of Chubb’s insurance business, but you can expect 8-9% in 2010-11 – rapid growth!
Future sessions will be covered in additional posts…
The coalition Government plans to keep the Summary Care Record, despite pre-election pledges by both the Conservatives and the Liberal Democrats to rip up the system – which is not compliant with the I v Finland judgement of the European Court of Human Rights.
Last year colleagues and I wrote Database State, a report for the Joseph Rowntree Reform Trust, which studied 46 systems that keep information on all of us, or at least a significant minority of us. We concluded that eleven of them were almost certainly illegal under human-rights law, and most of the rest had problems. Our report was well received by both Conservatives and Lib Dems; many of its recommendations were adopted as policy.
Old-timers may recall that back in 1996-7, many of us geeks supported New Labour enthusiastically, as Blair promised not to introduce key escrow. It took him almost a year to renege on that promise; it has taken the coalition less than a month.
Blair’s U-turn on key escrow in 1998 led to the establishment of FIPR, and a two-year fight against what became the RIP Act (where at least we limited escrow to the powers in part 3). What’s the appropriate response now to Cameron and Clegg?
It’s inconceivable that assurances given to farmers, or to soldiers, or to teachers would be tossed aside so casually. Yet half a million of us earn our living in IT in Britain – there’s a lot more of us than of any of them! And many people in other jobs care about privacy, copyright, and other digital issues. So do those of us who care about digital policy have to become more militant? Or do we have to raise money and bribe the ruling parties? Or, now that all three major parties are compromised, should we downgrade our hopes for parliament and operate through the courts and through Europe instead?
In the very first paper I wrote on ATM fraud, Why Cryptosystems Fail, the very first example I gave of a fraud came from the case R v Moon at Hastings Crown Court in February 1992. Mr Moon was a teller at the TSB who noticed that address changes weren’t audited. He found a customer with over £10,000 in her account, changed her address to his, issued a card and pin, and changed the address back. He looted her account and when she complained, she wasn’t believed.
It’s still happening, most recently to a customer of the Abbey. Bank insider issues extra card, steals money, customer blamed – after all, chip and pin is infallible, isn’t it? Expecting banks to keep decent logs might be too much; and I supppose it’s way too much to expect bank fraud staff to read the research literature on their subject.
Steven Murdoch, Saar Drimer, Mike Bond and I have just won the IEEE Security and Privacy Symposium’s Best Practical Paper award for our paper Chip and PIN is Broken. This was an unexpected pleasure, given the very strong competition this year (especially from this paper). We won this award once before, in 2008, for a paper on a similar topic.
Update (2010-05-28): The photo now includes the full team (original version)
Last night’s documentary Erasing David shows how private eyes tracked down a target by making false pretext telephone calls to the NHS. By pretending to be him they found out when he and his wife were due to attend an ante-natal clinic, and ambushed him as he came out.
The NHS has form on this. Back in 1995 the BMA got me to draw up guidelines for dealing with phone calls; they appeared in the BMJ on Jan 13 1996. When staff at the N Yorks Health Authority were trained to follow these guidelines, they found 30 false-pretext calls a week. When the BMA reported this to the Chief Medical Officer and asked him to implement the protocol throughout the NHS, he was furious at our interference in “his” admninistrative procedures. The NYHA was ordered to stop. I told the story in my book.
I have long considered it unacceptable for the NHS to continue to ignore operational security. The new electronic record systems at a number of hospitals give receptionists access not just to appointment details but to clinical data too. So things are significantly worse than in 1996, and new national systems such as the SCR will compound the problem. The next secretary of state needs to get his act together.
A survey by the Consumers’ Association shows that 10% of cardholders write down or share their PIN. This high proportion surely raises serious doubt about whether it’s fair for banks to claim that such people are “grossly negligent” even if the PIN is well disguised (for example, as part of a phone number in an address book with hundreds of other numbers). And if banks don’t want disabled people to share PINs with carers, they ought to come up with an alternative, or be held to account under disability discrimination laws.
Interestingly, Mark Bowerman (PR for the banks) says in this article that customers should not use the same PIN for multiple cards. We heard him on radio saying exactly the opposite a few years ago. Now he tells people to change PINs to something easy to remember (and easier for criminals to guess).
By giving customers contradictory and impractical advice, the banks are placing an unmeetable burden on them.
The banks also frequently give advice that is simply wrong. Look, for example, at this video by Barclays showing how to enter your PIN at a merchant terminal!
I’ve written enough over the years about people who tried and failed to get money back from banks after seeing transactions on their accounts that they did not recognise. Now I’ve had to go through the process myself.
I got a refund from the NatWest after a dodgy debit appeared on the credit card my wife uses. The bank’s dispute resolution mechanism turned out to be unserviceable, but we got the money back promptly when we sued them in the small claims court. The story is, I believe, an instructive one for people interested in bank security or payment systems regulation.
Two weeks ago I posted about the Summary Care Record, a project to centralise medical records in England and Wales under the pretext that central records might be useful in emergency care. At the time, I wrote to the Cabinet Secretary asking whether it was appropriate to use taxpayers’ funds to leaflet millions of homes on a politically sensitive topic during an election campaign; I haven’t yet got a reply.
Doctors’ leaders are now alarmed. Patients are being misinformed, and opt-out is being made difficult.
The information being given to patients is false and misleading. The SCR promotional leaflet says anyone who has access to your records … must be directly involved in caring for you. However, large numbers of officials will have access. And as I already noted, the SCR isn’t as helpful in emergencies as it’s spun. Its purpose is actually different: to provide the basis for a centralised electronic patient record for everyone.
Doctors have noted that in the pilot areas, seven out of ten patients are unaware that an SCR was created for them. The patient information packs don’t contain an opt-out form; you’re supposed to phone the call centre for one. Over two hundred thousand people have downloaded an opt-out letter from www.thebigoptout.org; now the NHS says it wants doctors to ignore this and get everyone who wants to opt out to use this form instead (which GPs can’t order in bulk).The roll-out is rushed and displays typical incompetence: for example, some patients have been sent other patients’ letters. I am sure this story will run and run.
