Most recently, I got an enquiry from Kevin Townsend, who came across a press release announcing that a company called TPP was working on an Android app to allow users of its SystmOne system to access and update patient records when they're at home or out and about in the community, using 3G or Wi-Fi. Administratively, of course, there are many advantages to both the health care professional and to the patient in centralization of (and easy access to) records. But leaving aside libertarian concerns about increased opportunities for 1984-style government, there's an obvious need for rigorous management of privacy and security in such centralization. As described there, it sounds as if TPP's approach is totally reliant on a single-factor username/static password pair.
"Access to the app would be through the user's usual username and password, meaning no one could use the app unless they were already a SystmOne user."
Let's assume that SystmOne passwording is managed rigorously (I'm not in a position to evaluate it first-hand), with enforcement of sound password selection, [n]-strikes-and-out restriction of login attempts, password aging and so on. Who selects the device? Not, it seems, the provider, but the customer. It seems all too unlikely that resource-starved health care organizations will prioritize security over cost (not that paying more guarantees better security, of course) in the initial choice of device, let alone in configuration (local PIN/password, central access within the organization). And that's before we think about the security problems that are already all too obvious on Android:
- apps that are only audited for malicious intent after problems are reported by customers;
- apps that can be sourced from unregulated repositories;
- a consequent plethora of malware that already includes keyloggers;
- a platform that is fragmented across a range of major and minor OS versions, hardware and patching practice.
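The password controls assumed above (sound password selection, [n]-strikes-and-out, password aging) are easy to state and easy to get subtly wrong, so here is a worked model of them in Python. This is an added example written for this post, not TPP's or SystmOne's code, and every name in it (AuthService, MAX_FAILED_ATTEMPTS, the outcome strings) is an assumption made for illustration. Note what it does not do: it still verifies a single factor, which is the limitation the post is pointing at.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy parameters (assumed values for illustration, not any real deployment's settings)
MAX_FAILED_ATTEMPTS = 5                     # [n]-strikes-and-out
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600   # password aging: force a change after 90 days
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


class PasswordPolicyError(ValueError):
    """Raised when a candidate password fails the selection rules."""


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: float        # clock value when the password was last set
    failed_attempts: int = 0
    locked: bool = False


class FakeClock:
    """Injectable clock so aging can be exercised without waiting 90 days."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def check_password_strength(password: str) -> None:
    """Sound password selection: minimum length plus at least three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        raise PasswordPolicyError("password must mix at least three character classes")


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked store cannot be reversed cheaply
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Single-factor username/password check with lockout and aging enforced server-side."""

    def __init__(self, clock=FakeClock()):
        self.clock = clock
        self.accounts: dict[str, Account] = {}

    def enrol(self, username: str, password: str) -> None:
        check_password_strength(password)
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(password, salt), self.clock())

    def login(self, username: str, password: str) -> str:
        """Returns one of: 'ok', 'denied', 'locked', 'password_expired'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so unknown and known usernames take similar time
            _hash(password, b"\x00" * 16)
            return "denied"
        if acct.locked:
            # Once struck out, even the right password is refused until an admin unlocks
            return "locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed_attempts = 0   # a good login resets the strike count
        if self.clock() - acct.pw_set_at > MAX_PASSWORD_AGE_SECONDS:
            # Credentials are right but stale: caller must force a password change
            return "password_expired"
        return "ok"


if __name__ == "__main__":
    clock = FakeClock()
    svc = AuthService(clock)
    svc.enrol("clinician", "Correct-Horse-Battery9")   # constructed sample credential
    print(svc.login("clinician", "Correct-Horse-Battery9"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(svc.login("clinician", "guess"))   # denied ... then locked
```

The lockout check runs before the password comparison, so an attacker who has struck out gains nothing from eventually guessing correctly; the expiry check runs after it, so an expired password still has to be proven before a change is permitted. What the model cannot fix is that a keylogger on the handset captures the one secret the whole scheme rests on, which is why the post's concern about device choice and configuration stands regardless of how well the server enforces these rules.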
U.K. health care is required (by law, as well as policy) to conform to high standards of privacy and data protection, though you might not think it from the continuing stream of stories about NHS Trusts losing patient-identifiable data on unencrypted media. It would be nice to think that conformance would map better to safer platforms and multifactor authentication, but technical appreciation doesn't always keep up with abstract legality in the public sector.
I was quoted regarding some of these issues in an Infosecurity Magazine article here, but I wasn't aware until I saw that article that NHS Connecting for Health (the organization for which I had been most recently working when I left the NHS in 2006) had issued ‘good practice guidance’ on the use of tablets within the Health Service, stressing that “tablets are less secure than traditional devices, and should not be deployed ‘out of the box’.”
Direct information relating to NHS IT is often only available to sites registered to the NHS network. (In my day, it was called NHSnet, subsequently replaced by N3). However, I found an article by Shanna Crispin on the E-Health Insider website that gave me a little more information. While many of the comments to the article reflect the poor image the NHS has in the U.K. – first the NHS, then an anti-virus company: why do I keep aligning myself with such unpopular working sectors? – the advice reported here seems to me to sit quite comfortably in the sensible/uncontentious range.
I suppose you could probably debate the contention that tablets are “inherently less secure” than traditional IT equipment with reference to individual devices, given how often NHS sites lose portable devices of every kind, from phones (which may have enough functionality to access such systems) and laptops to thumb drives. But it's certainly worth asking how many sites will prioritize configuring devices to take into account the risk of loss or theft, secure connections and remote storage in keeping with data protection legislation, and the use of strong encryption, remote wiping and device tracking.