London-wide Encryption

Thursday 16 May 2002

The Board Room, Moorfields Eye Hospital, City Road, London, EC1V 2CD


Peter Gill, Assistant Director of IT, Ealing, Hammersmith and Hounslow Health Authority

Peter explained that his interest in use of encryption within the NHS started when he became responsible for providing internet access and email to clinicians in GP practices and hospital settings. Once the clinician has the email tool the advice from people like Peter and the Royal Colleges is against use of the new email tools for communication concerning patients. Email is by its nature insecure – you cannot be certain that it is authentic, has not been altered or unlawfully disclosed. The way to make it secure is to use an encryption tool. The NHS Information Authority appeared to have no urgency in providing a strategic context for encryption.

It is like giving someone a car and telling him or her they cannot drive it. In the absence of national leadership Peter's local health community started an email encryption pilot. As this developed it became defined as one of a series of national trials of use of such tools.

What is encryption? This is a way of 'scrambling' a message before sending it and then 'unscrambling' it when it is received at the other end, just like one of those code games that children play (e.g. a=b, b=c, etc.).

The significance of Public Key Infrastructure (PKI); this is a particular mode of encryption in which participants share a public key while an individual private key is held securely. Both sender and receiver share a way of working, a model of trust. The trust model requires a common set of policies and procedures to be followed by all, with careful vetting and training for all who join. The model is deployed as a 'Certificate Authority' and is available as a package to prospective users. They have to present personal ID (e.g. passport); in addition professional registration and employment contracts are checked. Then the new user signs an acceptance of the policies and procedures to be followed. They are then given a private key which is stored on the PC and access to the shared public keys.
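A worked illustration of the trust model just described, added to these notes: it is not code from the West London pilot or from the RSA Keon product, and it uses the Go standard library's X.509 support to stand in for whatever the Certificate Authority package does internally. The CA name, the clinician's name and email address, and the enrolment record are constructed for the example; the identity, registration and contract checks themselves happen outside the code and are simply recorded as done or not done.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Enrolment is the CA's record of a vetted applicant (constructed for this
// example). The CA signs a certificate only once every step is recorded.
type Enrolment struct {
	Name              string
	Email             string
	IDChecked         bool // passport or similar seen
	RegistrationValid bool // professional registration and contract checked
	PolicyAccepted    bool // acceptance of policies and procedures signed
}

// CA holds the community's trust anchor and the key that issues certificates.
type CA struct {
	Cert *x509.Certificate
	key  *rsa.PrivateKey
	next int64 // next serial number
}

// NewCA creates a self-signed root for the health community.
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key, next: 2}, nil
}

// Issue refuses to sign until the enrolment is complete; this is the code
// equivalent of the vetting gate in the trust model.
func (ca *CA) Issue(e Enrolment, pub *rsa.PublicKey) (*x509.Certificate, error) {
	if !e.IDChecked || !e.RegistrationValid || !e.PolicyAccepted {
		return nil, fmt.Errorf("enrolment for %s incomplete (id=%v registration=%v policy=%v)",
			e.Name, e.IDChecked, e.RegistrationValid, e.PolicyAccepted)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(ca.next),
		Subject:        pkix.Name{CommonName: e.Name},
		EmailAddresses: []string{e.Email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	ca.next++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Trusted is the check a mail client makes before using a correspondent's
// public key: the certificate must chain to the CA the community trusts
// and be marked for email protection.
func Trusted(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err == nil
}

// SelfSigned mimics someone who skipped enrolment and vouched for themselves.
func SelfSigned(name string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(99),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, _ := NewCA("Hypothetical West London CA")
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	e := Enrolment{Name: "Dr Example (constructed)", Email: "dr.example@example.invalid",
		IDChecked: true, RegistrationValid: true, PolicyAccepted: true}
	cert, _ := ca.Issue(e, &key.PublicKey)
	fmt.Println("CA-issued certificate trusted:", Trusted(cert, ca.Cert))
}
```

The point the example makes is that the client never decides for itself whether a public key belongs to a named clinician; it only checks that the community's CA said so, and the CA only says so after the vetting steps are done. Revocation (for a clinician who leaves) is not shown.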

How does PKI encryption work? The user may use encryption from within the email package of their desktop. One analogy is of a multiply boxed and padlocked trunk - one box within another etc... The content of the email message is within the smallest box. There are three layers of security for the message: the sender's (created using the sender's private key), another is the shared layer (use of the public keys) and finally the recipient's padlocked layer (based on the recipient's private key). The sender can access the public key of the receiver and use it to encode the message - but cannot decode with the recipient's key.

Progress with the West London pilot; 50 subscribers are signed up including 6 consultants and 18 GPs at present involving 1 hospital and 2 Practices – small scale at the moment but clinical data is being communicated. RSA Keon is the technology Supplier. There is now a package for groups of 50 NHS users available from the West London Certificate Authority.

Extending this to a London-wide encryption service? There are 2 other pilots in the capital, one based in the Merton and Sutton health community and one in Camden Borough services. There is outline agreement to work together and to extend a common Certificate Authority across London. The NHS Information Authority supports this development but much work has to be done to make this happen.

The discussion that followed was summarised as:

Q: Why was the NHS Information Authority (IA) unable to provide strategic leadership?

A: The IA until Sir John Paterson's arrival had appeared reluctant to lead on large, complex and developmental projects such as encryption of personal email. It is perhaps significant that the IA has been active on system-to-system or organisational boundary-to-boundary encryption - the Pathology result message from laboratory to GP. This has a deployment model which is better understood, involves fewer parties, and is largely automated.

Q: Encryption at the boundary of the organisation or within an organisation as well?

A: The logic of encryption of email can be seen as moving attention for security from the boundary to the internal network and individual workstation. Should all email be encrypted? At present email encryption is intended for communication between rather than within organisations and system to system encryption can be seen to start at the boundary of the organisation. It was suggested that the greatest threat might be from Government rather than malicious individuals or groups. With this in mind and the powers available to the State, the predication of a need for encryption in the form discussed may be misplaced.

Q: Encryption and authentication / non-repudiation in terms of widely shared access to Electronic Records?

A: The key to establishing who is using Electronic Records when it is widely available may be to link the user to the session so that an audit trail of viewing and editing is created. Perhaps all users will have a single identity / authentication device similar to that used in this encryption tool and maybe this will incorporate a body recognition device, a biometric (e.g. iris or thumb print).

Q: Is encryption worth the effort?

A: Finally, any security effort has to be balanced appropriately against the gravity of the threat, the cost and the scale of benefit. So far there have been millions of transactions taking place over NHSnet and no lawsuits yet. Is encryption of personal email worth the effort?