From: gtoal@an-teallach.com (Graham Toal)
Date: Fri, 26 Nov 93 10:23:55 PST
To: cypherpunks@toad.com
Subject: Health Security
Message-ID: <10699@an-teallach.com>
MIME-Version: 1.0
Content-Type: text/plain


In article <9311261629.AA05385@gold.chem.hawaii.edu> you write:
>> I realize that this is of marginal crypto import, but I need as much info
>> as possible on Hospital Information Systems and security.  Especially
>> on CICS and AIX systems.  Do any cryptographic protocols exist yet to
>> protect huge interactive medical databases?

>What specifically are you asking about?  Are you talking about encrypted
>password protection or encryption of part or all of the databases?

The company I work for does a lot of work with HISS systems.  We've
been told to develop a system to display selected data from a HISS
on PCs for use by hospital staff.  (Possibly off the premises).

We asked about security and encryption, and were told we could leave
all the patient data in clear but to encrypt the file containing the
names and the correspondence between those names and patient data.

I don't think this is sufficient - I'm sure anyone getting the data
could work out who it was about from all sorts of internal detail -
but that's all the UK Health Service at least expects.  We will, of
course, be putting in a *considerable* deal more security than they
mandate as minimum, because if patient data were to get out via one
of our products, it would be no use saying 'but the NHS said that was
all we needed to do' - not only would we be morally negligent, but it
would do our company's public image no good at all.

G
-- 
Personal mail to gtoal@gtoal.com (I read it in the evenings)
Business mail to gtoal@an-teallach.com (Be careful with the spelling!)
Faxes to An Teallach Limited: +44 31 662 4678  Voice: +44 31 668 1550 x212