Saturday 20 January 2018

Secure messaging for public health

EDIT: That thing where you think you've published a blog post before running out to Thanksgiving dinner, then find it in your drafts.

So the other day I spotted this tweet about the adoption of secure messaging in public health pootling past on my timeline (you may want to glance at the blog post linked to in the parent tweet).
and being me stepped in to suggest yes it probably would be that hard. If not much, much harder

There was a bit of a debate, some people suggested that NHS IT projects were only ever difficult and expensive because outsourcing companies ripped off the public sector. I'm not going to defend any of those outfits, but their greed isn't the only reason that such projects are costly. Besides "In House" these days could mean actually properly in house as the NHS seems to be getting serious about digital.

There were some constructive contributions such as

Looking into what open source software is out there is always a good idea, as is looking at the research behind the algorithms. As an example the protocol behind the Signal messaging app is available under the GPL. So with appropriate due diligence for ensuring that it is secure, you are using a genuine untampered with version etc it would provide a good starting point. Of course other protocols are available.

So isn't it that easy?

No. For two main reasons. Firstly security. Strangely for all the reasons successive Home Secretaries have been wrong about the "dangers" of end-to-end security the NHS may well consider it a genuine issue. Audit trails, patients rights to personal data, the bus stop problem, safeguarding, and a million other reasons means that private end-to-end encrypted communications between two health professionals could be an issue.

While the protocol you have chosen may have ways to deal with this, an audit server as a compulsory participant in every conversation for example, you then have a lot of traffic that has to be securely stored. As this is being kept for logging and monitoring any metadata products have to both be referenced by participants and subjects[1] while also being secured to keep anyone from using inference attacks[2], and so on. Good cryptography is bloomin' hard and the more participants you involve the harder it gets.

And secondly?

If you didn't know before then the rapid spread of WannaCry through parts of the NHS technical estate highlighted quite how fragmented and antiquated that estate is. In fact I would go so far as to say that for the purposes of discussing a project like this there is no "The NHS" even if we, for the purposes of discussion, stick to England the enormity of the number of organisational units is frankly overwhelming. Who needs to be included? Trusts,CCGs, special health authorities, GPs, pharmacists, optometrists, dentists, private sector service suppliers, local authorities, universities? While you can accurately accuse me of hyperbole in having the list that long it doesn't matter.

Even if you just wanted to have this service for Acute Trusts the number and type of devices that would need to be supported is going to be the source of most of the development, testing and roll-out costs. Unlike an informational website where you can make a choice to have it look less polished in older browsers so long as it gets the point across, nobody will sign off "this will be less secure on X, Y, and Z". Although to be fair it is far more likely "It just won't work on X, Y, and Z" as they won't support the features required.

Even if you could put together a dedicated team, formed of literally the best people for the job and magicaly ensure they were uninterrupted and as efficient as humanly possible. Even if not a single minute or pound was wasted. The design phase would take longer than most onlookers would set asside to have the whole thing live.

Hopefully I'll find some time soon to do a post about the other side of the coin, all the exciting things that could be done with a good, well provisioned, secure messaging platform for public health.
Please do challenge my assumptions and/or conclusions in the comments or on twitter.

[1]This sort of thing is going to become increasingly important as we all get more rights to our personal data
[2]There is no point in using high security methods to protect the text of the conversation about cancer treatment protocols to protect someone's privacy if you use lower standards on the information "oncologist X and oncologist Y talked about patient N"

7 comments:

Andrew Lewis said...
This comment has been removed by a blog administrator.
John Rock said...

Well, this is a true thing that our confidential information is at risk on these platforms. Well, in my opinion, we cannot even trust signals as well as they can also misuse our data. In an essay which I got with top essay help online has discussed it I will also share that in some time, In that essay it is mentioned with facts and figure how this thing affects our private information in future.

Anasmith said...

The nursing profession is a noble profession and nursing students need practical knowledge to do justice with the profession. However, the high frequency of assignments has made it difficult for students to gain practical knowledge. Students are failing in keeping a balance between studies and nursing assignment writing services. It rises frustration and anxiety issues among students

lyrics songs said...

I have liked one thing very much in this blog, it is very well understood and if I talk about pinterest photos then it is a good way to tell about my work, very good photos are available here, it's also typing. I have learned a lot from here, there is a lot of help here.

Qasim Khan said...

As I already know, do my assignment is a challenge for me. I am unable to complete them as soon as I start working on them. It is because of many reasons such as; I am not a fast worker, I do not have enough time to complete the assignments, I lack concentration, and I cannot focus on the topic. In short, I do not have enough skills to complete my assignments.

Nanfor Ibérica said...

This blog is very helpful and informative for this particular topic. I appreciate your effort that has been taken to write this blog for us. MS-201: Implementing a Hybrid and Secure Messaging Platform

Chris Mark said...

This article on "secure messaging for public health" highlights the importance of data privacy and security in the healthcare sector. It is great to see technology being utilized to ensure confidential communication between patients and healthcare providers. As a student in the UK, I have used accounting assignment help uk services and understand the significance of confidentiality. It is reassuring to see similar measures prioritized in the healthcare industry.