[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "Private" Health Network Security Breaches

To: med-privacy@essential.org
Subject: Re: "Private" Health Network Security Breaches
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Date: Tue, 09 Nov 1999 09:07:43 +0000
cc: Ross.Anderson@cl.cam.ac.uk
In-reply-to: Your message of "Mon, 08 Nov 1999 16:10:37 EST." <746259E58F81D211958C0060943F1F810A1D69@MOHHE-MX1>

> I am trying to track down documented instances of a "private" network,
> carrying personal health information, having experienced a security breach
> where personal information was revealed. 

Britain's health service tried to construct an `NHS network' using the
X.400 service of the main local telco. They have had massive problems,
some of them documented on http://www.cl.cam.ac.uk/users/rja14/#Med.

In the old days, many large organisations built their own networks but
nowadays the trend is towards virtual private networks - use the
Internet but have at each hospital a firewall with the capability to
encrypt data en route to other hospitals in your system. Data going to
and from public sites can go in the clear directly from the firewall.
(You'll find that maybe 40% of hospital traffic is to public sites as
staff look up medical journals etc. This is one of the things that 
kyboshed the NHS network - their central firewall just couldn't cope
with the traffic)

Ross Anderson

References:
- "Private" Health Network Security Breaches
  - From: John Stenabaugh <stenabj@gov.on.ca>

Prev by Date: Re: "Private" Health Network Security Breaches
Next by Date: AAHP on proposed med-privacy rules
Prev by thread: Re: "Private" Health Network Security Breaches
Next by thread: AAHP on proposed med-privacy rules
Index(es):
- Date
- Thread