(here is the response from the ministry to my research: letter and reaction to the press).
On March 30, 2010, the Ministry of Health (VWS) sent me a letter. This was a response to the letter I sent to the minister on February 25, 2010, and to an interview about the research in the newspaper NRC Handelsblad. Besides the letter, the ministry issued a response to the press, in part calling the work "unfounded". From their response, however, it is clear that the ministry has not been able to rebut the analysis itself. In fact, the designers of the EPD (Nictiz) called the work "thorough."
The ministry's only argument for calling the work unfounded is that they do not agree with the underlying assumption that parts of the system can be hacked.
I took the possibility of an intrusion into the central "national switching point" (LSP), or into one of the information systems attached to the EPD, as the starting point for my analysis. This is a valid assumption: given that most if not all systems can be hacked, the system should have sufficient defenses to contain the damage should such an event take place. I conclude that this is not currently the case, due to shortcomings in the architectural design of the EPD. Here is a summary of the main findings.
Most people would agree that almost any system can be hacked. However, the ministry apparently does not agree. The main criticism of the analysis is that extensive testing and auditing of the system takes place, as "additional measures" when introducing the system. Note that information about these tests and audits is not public.
I do not agree with the assessment of the ministry that tests and audits can ensure that the systems which make up the EPD cannot be hacked. If a component of the EPD is hacked, misuse of the system is currently possible due to the way that the system is designed. This should not be possible, and is simply a bad architectural design.
The damage that may result from misuse of the EPD can be very large - for the individuals whose privacy is breached, but possibly also for society as a whole.
The EPD should have proper defenses in case a successful attack takes place on any of its components. This is called 'defense in depth'. The current design does not implement such defenses, and in general it has too few preventive measures in place to protect privacy-sensitive information effectively.
Problems are bound to occur. The past has shown that it is extremely difficult to prevent successful attacks from taking place. This certainly applies to the EPD: the EPD is a very large system, consisting of many different systems run by different organizations, and many people are involved in its development, maintenance, and usage. Furthermore, the EPD will be very attractive to attackers because of the nature and value of the information stored in it. (Professional) attackers may have lots of experience, funding, and sufficient time on their hands to stage a well-prepared attack. Naivety is irresponsible in this case. Note that I do think the system can be improved; possible improvements are indicated in the paper.
The ministry's main argument is that audits and 'hacker tests' indicate that the system is secure and therefore hacker-proof. Of course, in reality, no audit or hacker test can guarantee a system's security.
Perhaps the most worrisome aspect of the ministry's response is that the ministry claims the issues were already known, and that a conscious decision was made not to implement the proposed measures. This means that the government purposefully weakened security of the system. The reported architectural weaknesses can have a very serious impact on the privacy of Dutch patients.
To me it seems that, when you design and implement a system as important as a National EPD, carrying information as privacy-sensitive as medical data, you want to make it as secure as possible. The improvements that I propose are at an architectural level, so they have an impact on the system as a whole. This is the reason to make my findings public now, before the system is introduced. After wide-scale introduction of the system it will be hard if not impossible to make the (fundamental) changes required.
Ignoring known, well-founded security engineering principles when designing a large-scale system that contains very privacy-sensitive information is not a very good idea. These principles are founded in the lessons learned from designing and implementing past systems and, most importantly, from their failures. And these systems were generally not even as large, complex, and diverse as the EPD will be.
The ministry's response is certainly not a sign that the ministry takes the privacy of citizens very seriously.
A summary of the main findings can be found here. More information can be found here: http://www.science.uva.nl/~noordend/epd/index-start.html. All findings still hold.