What would the people in your office do if a couple of people looking the part turned up at your office door saying that they were there to do a fire inspection?  Or said they were more or less any other branch of officialdom flashing ID and saying they needed to do an inspection?

Here is a salutory warning:

“Let’s say I am posing as a fire inspector. The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen. Outside, we’ll have our car guy. The guy that sits in the car, and basically his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all that chatter you’ll hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.

We walk into the facility and make sure that all the chatter is coming loudly into to the walkie-talkies as soon as we walk in their door so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.

I show the person at the front desk my badge. They’ll say “Hi, how’s it going?” I’ll say “Good, I’m here to do a fire inspection.” They say “Great” and assign someone to us, like a teller. It’s generally someone who’s nice. I’ll start talking with them, flirting with them, or whatever it takes. We’ll start walking around.

While I’m talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say “Can you come back here? I need to keep you guys together.” We say “Sure, sorry.” But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three times more times and get warned until she finally stops and gives up. She just thinks he’s a fireman and thinks “Let’s just let him do what he needs to do.”

At that point, my partner’s job is to start stealing everything he can steal and start putting it in his bag. And he also has to get under the desks of any employee he can find and start installing these little keyboard loggers. I stay with the person who is escorting me and my whole job now is keeping them entertained. I keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I’m talking about. I make stuff up and probably give the worst advice ever. I’ll pull out cords and say “This looks a little bit dangerous.” I’ll comment on space heaters. I’m completely winging it.”

You can see how it might happen.  Read on here …..

Earlier today I chaired a fascinating seminar for patient groups and professional organisations which discussed healthcare acquired infections (HCAIs) and, in particular, what needs to be done to better prevent such infections in community (rather than hospital) settings.

As the meeting continued, I was struck by the surprising number of parallels that exist between what needs to be done to cut the risk of such infections and what needs to be done to improve information security.

For example, there were those a few years ago who thought the situation with HCAIs in hospital was so bad that nothing effective could be done.  They have been proved wrong by the success of the initiatives taken over the last five or six years to reduce dramatically the incidence of MRSA and C Difficile in hospitals (80% and 60% reductions respectively). Likewise there are those who throw up their hands in horror about the current tide of cyber security problems and seem to believe that our systems will always be irredeemably compromised.  Hopefully, they will also be proved wrong in a few years time.

The response to HCAIs was in the past seen as better and stronger technical solutions (i.e. ever more powerful antibiotics) and, whilst such solutions remain necessary for those who are infected, the sharp reductions have been achieved by other means – largely through achieving major changes in behaviour amongst staff and patients (i.e. better and more effective hand-washing, greater emphasis on cleanliness etc).  This is mirrored by the increasing recognition that social engineering and behavioural change is an enormously important component of better cyber security and information assurance.

Similarly, without being too Cameron-esque about it, we all have to be in this together. Everyone has to play their part.  Thus, patients and their visitors need to understand the importance of washing their hands with alcohol gel and remembering to do it.  In the same way, individual computer users need to adopt precautions to prevent their systems being compromised.  At the same time, product manufacturers must play their part in making their products less vulnerable to infection (e.g. catheter or commode design can be used to make HCAIs less likely, just as computer software and hardware can have security built in).

Likewise, you cannot help but notice that meetings, whether about HCAIs or addressing cyber security, always conclude that more public education is needed and that the message needs to start at primary school ….

Well, I thought they were interesting parallels ….

The Second Reading debate on the Government’s Health and Social Care Bill has been going on for about thirteen hours with more to come tomorrow.  This was my contribution earlier tonight:

“9.26 pm

Lord Harris of Haringey: My Lords, at this two-thirds point in this debate, I make no apology for focusing my remarks on Part 5 of the Bill, and the quality of the voice for patients that it offers. This Bill is likely to damage irreparably the National Health Service, creating a service that is less accountable and more fragmented; that is increasingly provided by for-profit organisations; and where the relationship of trust between doctors and their patients is undermined. Under such circumstances, an effective structure is essential to support patients in navigating their way through the new arrangements, to ensure that their needs and concerns—both individually and collectively—are not neglected in the brave new world of private suppliers feeding on the remnants of public provision. It is essential to guarantee that, with the democratic deficit that will now open up in health provision in this country, the impact of the changes is catalogued and drawn to the attention of those charged with regulating the new system, of Parliament and ultimately of the public who are paying for it.

I declare a former interest as someone who—for 12 years—was director of the Association of Community Health Councils, then the statutory body representing the interests of the public and the users of the NHS. The Government are now bringing forward another round of proposals to fill the void left by Community Health Councils when they were abolished in 2003. They were succeeded by patient and public involvement forums, which lasted four years before they were replaced by local involvement networks. Again, with a life of four years, LINks are to go, to be replaced by HealthWatch. The sequence of change in consumer organisations is a poor recommendation of the previous Government. I am shocked to see that the current Government are moving forward in a similar vein.

Of course, the Government’s objectives are laudable: “No decision about me without me” is as resonant as previous rhetoric about putting the patient at the heart of the NHS or the mantras about patient empowerment 10 to 15 years ago. Some of your Lordships will even remember John Major’s Patient’s Charter—that daughter of the Citizen’s Charter and that cousin of the Cones Hotline. How does the high-sounding rhetoric match up to the reality of this Bill? How far are patients going to be involved in decisions about managing their own care and treatment? It is simply not clear whether these are adequately safeguarded in the Bill. A duty to promote involvement or a duty to promote choice is not a sufficient guarantee. Who will hold clinical commissioning groups or the NHS Commissioning Board to account for the extent to which they have promoted that involvement or choice? Where will patients go for redress if they find that their family doctor will not refer them for treatment or investigation but insists on managing that treatment or conducting that investigation within the practice, thereby keeping the resource that would otherwise go with that patient? What will be the process for ensuring that key commissioning decisions are in line with the preferences of those affected by them and that those decisions reflect the expertise that patients have in their own conditions and the experience that patients collectively have of their local services?

Presumably we will be told that this is where HealthWatch will come in, but what will HealthWatch mean in practice? The first problem is that it is unclear how local healthwatch groups will be constituted. If individuals are simply going to be self-selected, their views, though valuable, will not necessarily be representative of all service users, and there is a risk that because of that they will not be treated by commissioning groups as having legitimacy. Members of local healthwatch groups need to have their own local accountability and must have the resources to engage with the wider community to be able to assess and represent their views.

Resources will also be necessary to enable local healthwatch groups to provide advice, support and advocacy. This will be an important and potentially substantial role in the brave new world of the NHS that this Bill creates: a world where patients will no longer be clear whether their GPs are acting in their interests or to bolster their practice’s coffers; a world where decisions about what is to be commissioned will be taken with no clear system of public accountability; and a world where for-profit providers will increasingly squeeze out those that are not-for-profit and where profitable treatments will be cherry-picked.

A strong system of patient advocacy and support will be needed, but will it be provided? This will depend on the decisions of hundreds of local councils. The money provided by the Department of Health will not be ring-fenced, and there will be no mandating of local authorities about the nature and quality of HealthWatch services that should be supported. All this is in the name of localism, that same localism that has seen the budgets of LINks drop dramatically this year, in some instances by more than 50 per cent, despite, as the Minister told a number of us last night, the Department of Health saying that it has increased the resources available. The resources went up, but the resources available for local healthwatch went down. It is a localism that means that the Minister can offer us no assurances that those advocacy services that he promises us will be adequate. In future spending rounds who will argue with the Treasury for the moneys for HealthWatch? Will it be the Department of Health, which will have no say in whether the services expected are being delivered, or DCLG, which will have no interest in those services, or will the current commitment be allowed to wither on the vine as no department fights its corner?

Is it even appropriate that local healthwatch groups should be resourced via local authorities which themselves will have responsibilities for social care provision? Is there not a potential or perceived conflict of interest here? How comfortable will a local healthwatch group be in criticising its paymasters about the quality of that provision?

Finally, there is the relationship with national HealthWatch. A national structure is essential for the views and concerns of local healthwatch groups to be captured and articulated at national level, but that national structure must grow from and be a creature of the local groups, not sit above them as a mere sub-committee of a regulator, moreover a regulator to which requests for action and even criticism may need to be directed by that structure.

The new NHS will need a strong and independent user voice. The Government keep citing the proposals on HealthWatch as evidence not only that such a voice will exist but that the patient will indeed be central to the myriad new structures that they are proposing.

Yet the danger is that what we are being offered is no more than a fig-leaf whose own legitimacy will be flimsy, a fig-leaf whose resources will be plundered as local government itself faces a future with rapidly dwindling money, a fig-leaf whose independence is compromised by its relationship with a paymaster whose provision it is supposed to be monitoring, and, above all, a fig-leaf protecting the nakedness and insufficiency of the protestations that no decisions about the patient will be taken without him or her. My Lords, it is just not good enough.”

I gather that the Total Politics Blog Awards are now in progress.  I want to make it quite clear that I will not be in the least bit affronted should you chose to vote for this blog by clicking here.

High-level legal guru, Stewart Room, gave an excellent presentation at last week’s East-West Institute Global Cyber Security Summit.  In it he called for a “general obligation for security”, saying:

“I believe that holders of sensitive data, the controllers of important networks, systems and infrastructures – and their supply chains – should face a clear legal requirement to keep these assets safe and secure. As well as describing the obligation, this general security law should describe the consequences of failure.”

He pointed out that:

“It is naive to think that all relevant actors will do what is necessary to protect these assets without a clear steer from the law. Ignorance, laziness, apathy, short sightedness and greed are all powerful counterweights to enlightened self interest.”

He also highlighted the dangers of simply addressing the problem through the prism of the protection of personal data only.  Intellectual property is currently being leeched from corporate data systems all over the world – an issue repeatedly referred to at the Summit.  Likewise the vulnerability of national infrastructure systems – including power grids and water supplies – is also now increasingly apparent.

He warned that:

“In the UK and most of the rest of Europe the law for security is effectively left to reside in the domain of privacy and data protection law. This is a grave mistake. …  it gives the mistaken impression that the law only sees security as being important in the context of the handling of personal data. Of course, we all know that the substance of security extends much further that this. The impact of this problem is worsened by the fact that far too many people and organisations do not take data protection law seriously. Thus, the law is not properly driving behaviours.”

And there may be unintended consequences:

“This gives effective ownership of the field to people who are the least competent to manage it. I am talking about a small cadre of data protection regulators and bureaucrats, who are so slanted toward privacy that they may unwittingly encumber us with anti-security policies, which could jeopardise the health of cyberspace, our economies and our societies.”

He concluded byasking “what will a general obligation for security look like?”:

“Aside from removing the issue from the privacy and data protection domain and describing the nature of the obligation to secure assets and the penalties that may flow in breach, a general obligation for security will capture:

1. Critical definitions. We need to agree the parameters and make sure that we are all talking the same language.

2. The traditional “cyber crime” subject matter, dealing with the criminalisation and prosecution of unacceptable behaviours of hackers, botnets and others whom attack information and information systems. The interests of law enforcement should be properly served.

3. The role of the private sector cyber security industry, so that innovation in IT solutions can continue. We are totally reliant upon the private sector for security solutions, so we must give it our full support.

4. Intelligence sharing between the public and private sectors and across geographical boundaries.

5. The need for identification measures for people and machines operating in cyberspace. Privacy should not provide a cloak for criminals and anti-social behaviour.

6. The right for people and organisations under cyberattack to take offensive action in their defence. This is probably the most controversial point. But we need to ask ourselves whether it is morally right to tie the hands of those under attack. And we need to be sure that we do not open Pandora’s box.”

Whilst ideally this needs a solution in international law, a good start would be made by legal changes in this country to establish a better and more robust framework, whilst British Ministers argue for European-wide changes via Brussels and press the case through the G8 and G20 fora.

There was a palpable sense of urgency about the need for change at last week’s summit.  I hope it was felt by Francis Maude MP, who is apparently now the Minister in charge of cyber-security, and that he takes it back to his Government colleagues.

I have to admit that I am not a regular listener to BBC Radio 4′s ‘Moneybox’ consumer advice programme. However, I happened to be listening to the first part of today’s programme and heard the presenter, Paul Lewis (whom I knew years ago when he was Deputy Director of the National Council for One Parent Families and we were both involved in the National Fuel Poverty Forum), explain to listeners that as a result of the Chancellor’s decision to raise VAT to 20% the public was now paying a fifth of the shop price as tax on non-exempt items.
At the risk of sounding like an old f*rt, I have to point out that he was, of course, wrong.
(For the arithmetically challenged, the correct answer is a sixth – if the base price of an item is £100, VAT of 20% brings the shop price to £120, so £20 or one sixth of the purchase price goes in tax.)
No doubt, the Chancellor might have liked to clobber those on low incomes even harder, but the fact is that he didn’t.
Presumably, Jeremy Hunt (not the biggest fan of the BBC given the famous ‘Today’ spoonerism) will see this as yet another example of BBC political bias.
I fear, however, that the most likely explanation is incompetence. The programme’s script-writers cannot do simple maths.
But it is a bit worrying for a programme that is supposed to provide its listeners with financial advice.

The Guardian reports this morning that the Department of Health have put fast food companies McDonalds and KFC and processed food and drink manufacturers such as PepsiCo, Kelloggs, Unilever, Mars and Diageo at the heart of writing government policy on obesity, alcohol and diet-related disease.
So who has Andrew Lansley put in charge of the asylum?

At about 11.45 last night – after eight and a half hours of debate – the Government successfully fended off a move initiated by the Labour front bench to refer the Public Bodies Bill to a Select Committee. The Government won by 188 votes to 151 – a comfortable majority of 37.
The reasons behind the Labour proposal were the ‘Henry the Eighth’ powers in the Bill, which allow Ministers to abolish, merge or change the functions of public bodies (even those established by Statute) simply by publishing a Statutory Instrument and with virtually no further Parliamentary consideration. The Bill lists hundreds of organisations potentially affected, including a large number of consumer protection and regulatory bodies in virtually every area of public life – notably those that deal with health and environmental matters.
There are two key messages from the vote.
First, the Government won despite a number of LibDems voting with the Opposition or abstaining and despite Labour’s proposal getting a substantial level of support from the Cross-benches. And this is before the Government ranks are further swelled by an extra 45 to 50 new Tory or LibDem Peers expected to be announced at the beginning of next month.
The second message is that, although the proposal to refer the Bill to a Select Committee was clearly viewed by the Government as a delaying tactic, defeating the idea may perversely mean that the Bill will now take longer to pass through Parliament. This is because the Select Committee would have provided a time-limited opportunity to consider the criteria for including public bodies in the different Schedules of the Bill. Instead, what is now likely to happen is that amendments will be tabled in respect of each of the bodies, as this will be the only way of considering their inclusion in the Bill. This could take months.

I have already explained that I really don’t mind.

However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……

I have already explained that I really don’t mind.

However, just in case you really really want to cast your vote for this blog in the Total Politics annual beauty parade, this is what you have to do:

The rules are:
1. You must vote for your ten favourite blogs and rank them from 1 (your favourite) to 10 (your tenth favourite).
2. Your votes must be ranked from 1 to 10. Any votes which do not have rankings will not be counted.
3. You MUST include at least FIVE blogs in your list, but please list ten if you can. If you include fewer than five, your vote will not count.
4. Email your vote to toptenblogs@totalpolitics.com
5. Only vote once.
6. Only blogs based in the UK, run by UK residents or based on UK politics are eligible. No blog will be excluded from voting.
7. Anonymous votes left in the comments will not count. You must give a name.
8. All votes must be received by midnight on 31 July 2010. Any votes received after that date will not count.

So I’m not asking you to do it, but I really won’t mind if you do……