Tuesday, 9 April 2013

CIA or where is the availability and integrity in security talks?

I've spent a little time learning a few skills that are outside the sphere of influence for many security people. This has led to some altered thinking on the value of messages. For some time I have been somewhat of a pariah and definitely a Cassandra. I know that in stating this I am of course biased, but the fact of the matter is that the true message of security is lost. The reality is that we concentrate on the wrong aspects in many cases. More, we avoid many emotional phrases that would help sell the message to the general public. What we need to do, of course, is to sell a concept based on reality; the reality remains far from that.

Any search on security in relation to health, for instance, will grant you many pages covering the confidentiality of material that is actually far from confidential on a paper-based system. In fact, many paper-based systems are far more open than the lowest-secured Internet-connected system. This may seem an outlandish claim, but the fact of the matter is that between doctors, nurses, nutritionists, hospital administrators, exercise coordinators, cleaners, kitchen staff, and all variety of auditors and reviewers, hundreds of people can view medical records routinely, even with paper-based records.

The perceived difficulty in accessing paper-based medical records is the fallacy.

The truth of the matter is that paper-based records are the confidentiality Chimera covering the reality that electronic records are actually more secure when privacy is the key concern.

But this is the rub.

Privacy is not always the key concern. When we talk about security we hear comments on privacy and confidentiality as if these are the be-all and end-all of security. They are not. This is more so when it comes to health data. In the case of health data, what really matters are the other two aspects of security: the integrity and availability of data. Security is always a trade-off. The more we place into one aspect of security, the less we gain in the other areas. That is, for the same economic investment, any increase in confidentiality is likely to reduce the integrity and availability of the service.

Security is not only about confidentiality. To understand security we need to understand what we are actually providing. In healthcare what matters most is not protecting records but making them available to the right people. If we want to secure health data we need to reframe the question.

We should not be asking how do we stop people accessing my data, but rather we should ask how do we ensure that my data remains available only to those who need it. This is a move to ensure a system where we know that we need to make data available where it is needed. More than this, we need to make sure the data we are opening access to is correct. That is, the integrity of the data is beyond reproach.

Right now paper records are highly inaccurate. More than this, they are difficult for the end-user to correct. If an individual moves house, gets married, has a family, has an accident, or any number of other innumerable incidents occur, then those records are not updated.

To take a personal example, I rock climb. I've done many other things that lead me to a potential stint in hospital. In fact, I've had several. In this process of breaking bones and having bits of metal become part of me, I've learnt that I cannot handle opiates. Morphine sent me around the bend, and I've only gone through that experience once, and never again, when I had a foot facing 180° in the wrong direction, but it is as simple as codeine. Even the simple headache tablets have a severe adverse effect on me and I do not take them.

The records concerning my ankle reconstruction exist in a hospital 400 km away from where I live. The records concerning my adverse reaction to opiates are even further removed in many cases. How then would medical staff know not to inject me with morphine if I came into an emergency room unconscious?

The reality of the matter is that we need to concentrate on the best outcomes. These are often not the ones that are touted to us emotionally. This is what the aspect of FUD, or fear, uncertainty and doubt, is really about. Security is a risk-based approach, not an absolute. In seeking to secure any system, what we really need to do is look at what we already have and then balance what we can achieve against the cost that it will take.

In the case of the healthcare system, the argument against electronic records is flawed. Big data has already done more to out your information than any amount of activity from hacker groups such as Anonymous could ever hope to achieve. The arguments against insurance companies knowing information about you are even more ludicrous. When you take out an insurance contract and you fail to disclose, you have committed fraud. This is not just a statement of fact of law. Material disclosure in insurance policies is a requirement and is a legal essential in enacting that contract.

Whenever you withhold any information from the insurance company, they have a right not only to not pay you but also to rescind prior payments with interest. You think you are protecting your privacy in protecting genetic data? The reality is that information from siblings, parents and your environment gives just as rich a source of data as many genetic profiles. Sometimes this information is actually richer in content and discloses more than the public information we feared to be breached and leaked. And the thing is, this information is publicly available in many cases. In other cases, insurance companies mine information that is proprietary to their own organization. Insurance companies happily take your money knowing that you have lied about the occasional cigarette.

When you add all the sources of information becoming available including social media, you have little privacy now. The reality is little brother has already eroded privacy beyond repair.

Security is not about absolutes

Security is a balancing act. Before we make emotional statements concerning privacy, we need to weigh up the existing scenario. Not only is paper-based record keeping inefficient, it does little for confidentiality. But worse, it adds nothing to the availability or integrity of data.

Next time you look at an emotive article calling for additional protection of medical data and electronic health records, think about the alternatives. Ask: does this improve the integrity and availability of my health records? Ask if the confidentiality of those records is any worse than it was before. If, in fact, the confidentiality of the records is not decreased (and remember, paper-based medical records are highly open to scrutiny), then any increase in the integrity and availability of those records is an increase in the security of your medical data.

We can never achieve a perfect result in anything; security is no different. We always need to balance the economic cost of providing a service against the risk faced. Most importantly, however, we need to remember that we cannot measure security as an absolute but have to compare it against the alternatives. In the case of medical records, it is comparing obsolete paper-based systems with online systems. This does not mean that we should take no notice of user privacy. What it does mean is that we have to balance this and understand what the costs and benefits of any proposed system truly are.

1 comment:

Owen Connolly said...

Hi Craig,

Very well put! It's like the famous problem of people thinking that risk management is the elimination of risk as opposed to understanding your risk and deciding on an acceptable level.

The problem we face is that security professionals are, more often than not, seen as a subset of IT rather than a unique discipline and approach. This isn't helped by the current obsession with IT controls fostered by SOx and PCI DSS.

Security should be a pillar of business in the way that finance is. In fact it's very similar, in that it should touch all the same areas and more...

And we both have a particular interest in preventing events that will negatively impact the bottom line.

It is possible to work in security/risk and also be a business enabler. It just requires a bit more work, insight and a desire to make the business succeed.