Saturday, 20 January 2018

Secure messaging for public health

EDIT: That thing where you think you've published a blog post before running out to Thanksgiving dinner, then find it in your drafts.

So the other day I spotted this tweet about the adoption of secure messaging in public health pootling past on my timeline (you may want to glance at the blog post linked to in the parent tweet), and being me I stepped in to suggest that yes, it probably would be that hard, if not much, much harder.

There was a bit of a debate, some people suggested that NHS IT projects were only ever difficult and expensive because outsourcing companies ripped off the public sector. I'm not going to defend any of those outfits, but their greed isn't the only reason that such projects are costly. Besides "In House" these days could mean actually properly in house as the NHS seems to be getting serious about digital.

There were some constructive contributions such as

Looking into what open source software is out there is always a good idea, as is looking at the research behind the algorithms. As an example, the protocol behind the Signal messaging app is available under the GPL. So, with appropriate due diligence for ensuring that it is secure, that you are using a genuine, untampered-with version, etc., it would provide a good starting point. Of course other protocols are available.

So isn't it that easy?

No. For two main reasons. Firstly, security. Strangely, for all the reasons successive Home Secretaries have been wrong about the "dangers" of end-to-end security, the NHS may well consider it a genuine issue. Audit trails, patients' rights to personal data, the bus stop problem, safeguarding, and a million other reasons mean that private end-to-end encrypted communications between two health professionals could be an issue.

While the protocol you have chosen may have ways to deal with this, an audit server as a compulsory participant in every conversation for example, you then have a lot of traffic that has to be securely stored. As this is being kept for logging and monitoring, any metadata products have to be referenceable by participants and subjects [1] while also being secured to keep anyone from using inference attacks [2], and so on. Good cryptography is bloomin' hard, and the more participants you involve the harder it gets.
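As an added illustration of the audit-trail and metadata point above (example code, not from this post or from any NHS system; the identifiers, message references and index key are constructed), a sketch of how an audit server could reference participants and subjects through keyed pseudonyms, and what a reader without the key can still infer from the log:

```python
import hmac
import hashlib
import secrets

INDEX_KEY = secrets.token_bytes(32)  # held by the audit service, never stored in the log

def pseudonym(key: bytes, identifier: str, salt: bytes = b"") -> str:
    """Keyed pseudonym (HMAC-SHA256) for a participant or subject identifier.
    With an empty salt the token is deterministic: easy to index, but the same
    person gets the same token in every record, so records stay linkable."""
    return hmac.new(key, salt + identifier.encode(), hashlib.sha256).hexdigest()

def audit_record(key, participants, subject, message_ref, salted=False):
    """Audit entry recording who talked and about whom, never the message text.
    salted=True gives each record its own salt so its tokens are unlinkable."""
    salt = secrets.token_bytes(16) if salted else b""
    return {
        "salt": salt.hex(),
        "participants": sorted(pseudonym(key, p, salt) for p in participants),
        "subject": pseudonym(key, subject, salt),
        "message_ref": message_ref,
    }

def build_log(key, salted=False):
    """Constructed sample conversations with hypothetical identifiers."""
    conversations = [
        (["dr.x@trust.example", "dr.y@trust.example"], "nhs:N", "msg-001"),
        (["dr.x@trust.example", "dr.z@trust.example"], "nhs:N", "msg-002"),
        (["dr.y@trust.example", "pharm.q@trust.example"], "nhs:M", "msg-003"),
    ]
    return [audit_record(key, p, s, r, salted) for p, s, r in conversations]

def records_about(key, log, identifier):
    """Access-request lookup for a participant or data subject. With salted
    tokens the pseudonym has to be recomputed for every record, so this is a
    full scan: the price paid for unlinkability."""
    hits = []
    for rec in log:
        tok = pseudonym(key, identifier, bytes.fromhex(rec["salt"]))
        if tok == rec["subject"] or tok in rec["participants"]:
            hits.append(rec["message_ref"])
    return hits

def repeated_subjects(log):
    """What someone WITHOUT the key learns: how many subject tokens recur.
    Non-zero for deterministic tokens, which is an inference foothold
    ("the same patient was discussed twice"); zero once records are salted."""
    counts = {}
    for rec in log:
        counts[rec["subject"]] = counts.get(rec["subject"], 0) + 1
    return sum(1 for c in counts.values() if c > 1)
```

The trade-off the post points at shows up directly: deterministic tokens make per-patient and per-clinician lookups cheap but leave recurrence visible to anyone holding the log, while salted tokens hide it at the cost of scanning every record for each access request.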

And secondly?

If you didn't know before, then the rapid spread of WannaCry through parts of the NHS technical estate highlighted quite how fragmented and antiquated that estate is. In fact I would go so far as to say that, for the purposes of discussing a project like this, there is no "The NHS". Even if we, for the purposes of discussion, stick to England, the enormity of the number of organisational units is frankly overwhelming. Who needs to be included? Trusts, CCGs, special health authorities, GPs, pharmacists, optometrists, dentists, private sector service suppliers, local authorities, universities? While you can accurately accuse me of hyperbole in having the list that long, it doesn't matter.

Even if you just wanted to have this service for Acute Trusts, the number and type of devices that would need to be supported is going to be the source of most of the development, testing and roll-out costs. Unlike an informational website, where you can make a choice to have it look less polished in older browsers so long as it gets the point across, nobody will sign off "this will be less secure on X, Y, and Z". Although, to be fair, it is far more likely to be "it just won't work on X, Y, and Z", as they won't support the features required.

Even if you could put together a dedicated team, formed of literally the best people for the job, and magically ensure they were uninterrupted and as efficient as humanly possible; even if not a single minute or pound was wasted; the design phase alone would take longer than most onlookers would set aside to have the whole thing live.

Hopefully I'll find some time soon to do a post about the other side of the coin, all the exciting things that could be done with a good, well provisioned, secure messaging platform for public health.
Please do challenge my assumptions and/or conclusions in the comments or on Twitter.

[1] This sort of thing is going to become increasingly important as we all get more rights to our personal data.
[2] There is no point in using high security methods to protect the text of a conversation about cancer treatment protocols in order to protect someone's privacy if you use lower standards on the information "oncologist X and oncologist Y talked about patient N".
