Tuesday 29 March 2016

RIP IDA – not good enough for the NHS and not good enough for you

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

This is what the Government Digital Service (GDS) have to say about the security of GOV.UK Verify (RIP). It's secure. And it stops someone pretending to be you. And it fights the growing problem of on-line identity theft.

The splash screen you see if you bravely register for one of GDS's GOV.UK Verify (RIP) accounts

Health and Social Care Information Centre
We are the trusted national provider of high-quality information, data and IT systems for health and social care.
But it's not quite as clear-cut as that. According to Computer Weekly magazine, Gov.uk Verify [RIP] not secure enough for NHS, says HSCIC.

Not only that, but "The government’s Verify identity verification platform isn’t secure enough for the NHS, so Liverpool Clinical Commissioning Group and HSCIC are working to add extra levels of security".

NHS Liverpool CCG
National Health Service Liverpool Clinical Commissioning Group (CCG) is responsible for planning and buying most NHS services for the people of Liverpool …
And "Liverpool Clinical Commissioning Group (CCG) is working to make the government's identify authentication platform secure enough for the NHS to use".

Why do Computer Weekly keep banging on about security? Because Rob Shaw of HSCIC told them there is a security problem with GOV.UK Verify (RIP), "we absolutely have to make sure it’s secure enough" and "Verify is not quite there in terms of the level of security we’ll need in terms of the health services" and "we’re likely to take it to the next level in terms of security".

The Cabinet Office helpfully chimed in with "We take our users’ privacy and the security of their data very seriously and the new system is safer and more secure than previous ways of proving who you are online".

Followed by Dave Horsfield of the Liverpool CCG, "the programme is about giving patients access to their records for whatever purpose they want, securely and easily".

Apparently "the NHS is worried that Verify won’t be, or won’t come across as, secure enough for people’s health records ... we’ve got an extra layer in health where people are very worried about security".

In case you haven't been counting, that's ten 12 occurrences of the word "secure" and its cognates. Anyone would think there's a security problem with GOV.UK Verify (RIP). The sheer weight of repetition must have overwhelmed most readers into believing that.

But not Jim Gumbley. This Liverpool business is not an example of a security problem, Jim says. It's an identity-proofing problem. And that 's different.

It's wrong in that case to say that GOV.UK Verify (RIP) isn't secure enough for the NHS. Better to say that it's not good enough at stopping people from pretending to be you. Or that it's lost the fight against the growing problem of on-line identity theft.

Mr Horsfield thinks he may be able to solve the GOV.UK Verify (RIP) problem with a combination of social media and biometrics – the triumph of hope over experience.

Jim's right. As usual. Identity-proofing and security are two different things and shouldn't be confused.

It remains the case that GDS's splash screen is wrong and that GOV.UK Verify (RIP) isn't "good" enough for the NHS. So it isn't good enough for any other "relying party" like HMRC or DWP either. Or for a bank. Or for a criminal court. Or even for a civil court. And it's certainly not good enough for you.

No comments:

Post a Comment