Newsgroups: alt.privacy
From: ua602@freenet.Victoria.BC.CA (Kelly Bert Manning)
Subject: Re: computerization of health information
Message-ID:
Organization: Camosun College, Victoria, B.C.
Date: Sat, 26 Mar 1994 16:05:15 GMT

BC's new Privacy Commission issued a press release last week that shot down a new "Pharmacare Network" that was supposed to go into pilot at one pharmacy next month. It would have made the prescription profiles of everyone in the province available at any pharmacy.

Very late in the game the designers decided that they were getting so much flak about the potential for privacy abuse that they had to make a token effort to protect it. Their off-the-wall concept was that people would have a password that they could use to secure access. What made it an off-the-wall idea is that they wanted people to tell pharmacists (and anyone else within earshot) their passwords so that the pharmacists could enter them into the PNP terminal.

Privacy Commissioner David Flaherty pointed out that a debit card type of keypad would be a more appropriate way of allowing people to enter passwords. I think that he showed a lot of restraint by resisting the temptation to point out that the majority of pharmacies here have many lines of business besides prescribing, and that many already have debit machines in the same store/supermarket. This isn't an esoteric field where the developers could claim ignorance of the existence of better solutions.

A password that has been given to another person is useless for all practical purposes.

Even debit card keypads are unsecure if they don't have a privacy shield. The bank I deal with has shields around all the keypads its staff use, but none on the IBM ATM machines it uses! This creates a high potential for shoulder-surfing capture of passwords.