flying planes, surgery and privacy (external version)


Page 1: Flying Planes, Surgery and Privacy (external version)

Flying planes, surgery and privacy Ian Oliver

Tomi Kulmala

Security, Privacy and Continuity Team

9 April 2013

Page 2

30 October 1935

On 30 October 1935, Army Air Corps test-pilot Major Ployer Peter Hill and Boeing employee Les Tower took the Model 299 on a second evaluation flight; however, the crew forgot to disengage the airplane's "gust lock." Having taken off, the aircraft entered a steep climb, stalled, nosed over and crashed, killing Hill and Tower (other observers survived with injuries).

Page 3

Solution

• No additional pilot training

• Creation of checks for:
  – Startup
  – Taxi (1)
  – Take-off
  – Climb
  – Cruise
  – Descent
  – Approach
  – Landing
  – Taxi (2)
  – Shutdown
  – Exceptional circumstances
    • Single Engine Failure
    • Icing conditions
    • Fire
    • Etc...

Page 4

Application to Privacy Audits

We developed:

• Epics, Use cases for Privacy
• ”Checklists”
• Software Development Process Integration
• Audit Procedures
  – Non-functional areas: privacy, security, performance, business continuity

and the result was...

Page 5

Application to Privacy Audits

Failure

Page 6

Application to Privacy Audits

Failure

Maybe an extreme overstatement but:

• Complex to apply
• Tied to a specific software development process
  – Waterfall vs Agile almost irrelevant
  – Hard to map to variations
• Time consuming
• Required an expert to audit
• Required too much formality, documentation and time from the development teams
• Prone to missing details due to overall complexity
• Hard to apply incrementally

Page 7

Why didn’t that work?

• Despite highly trained personnel
  – Cessna Single Engine Failure
• FLY THE AIRCRAFT
  – Air France AF447
• Too much adherence to process
  – Processes tell everyone the order of what to do
  – Difficulty in handling exceptions and experts
  – Aviation checklists are status checks used to ensure due diligence in preparation for the next and future phases of flight
• Checklist replaced responsibility and expertise
  – For both the auditor and development teams
• Tick-box oriented
  – Ask questions, accept answers, TICK!
  – Limited understanding and context of answers
• Limited time-scale
  – One-off review

Page 8

Preventing Central Line Infections

• Peter Pronovost, Johns Hopkins University Hospital, UK

Page 11

Preventing Central Line Infections

• Peter Pronovost, Johns Hopkins University Hospital, UK

1. Wash hands
   • Soap with water or alcohol
2. Wear sterile clothing
   • Mask, gloves, gown, hair covering
   • Cover patient with sterile drape
   • Minimise access hole
3. Clean patient’s skin
   • Chlorhexidine
4. Avoid veins in arm and leg
   • Greater infection risk
5. Check line for infection
   • Minimum once per day
   • Remove when not needed

• 10-day infection rate went from 11% to 0% in one month
• 2 infections in 2000 patients in 15 months
• Devolved responsibility: ALL given power to stop the procedure in case of non-compliance, e.g. nurses cross-check doctors
• No impact on process
• Tool improvements:
  – Dedicated packs for central line equipment including sterile clothing, drapes, soaps etc.
  – Placement of equipment next to each patient (readiness)

Page 12

Checklists in Surgery

• Atul Gawande et al.
• Simplicity
• Two kinds:
  – DO-CONFIRM
  – READ-DO
• Independent of process
  – No tick-boxes
  – Emphasis on communication
  – Emphasis on shared and devolved responsibility
• Devolved responsibility
• Integrates other checklists and procedures
  – Eg: anaesthesia machine checkout

Page 13

Surgery and Privacy?

• Most audits have some form of initial self-diagnosis of varying quality
  – We have/have not PII?
  – Here are some links to an ”architecture”
  – ”Our database schema is MySQL 5”
• Triage
• Diagnosis and Operation Planning
• Operating on the privacy patient
  – Diagnoses change, different parts operated upon
• Closing the wound, cleaning up and release to intensive care
• Following up with the privacy patient
  – Diagnosis
  – Drugs
  – Prognosis
• What Has Privacy Got To Do With Surgery?
  – Surgery and privacy operate in ”long timescale”, agile environments
  – ( http://ijosblog.blogspot.fi/2013/03/what-has-surgery-got-to-do-with.html )

Page 14

Privacy Audit Checklist

Inspired by the WHO Surgical Safety Checklist

Page 15

Implementation and not a Process

Page 16

Process Integration

[Diagram: checklists placed along the project development & processes timeline]
• R&D Team Checklist (before review)
• R&D Team Checklist (post-review)
• Audit Team Checklist (sign-in)
• Audit Team Checklist (time-out)
• Audit Team Checklist (sign-out)
• Project development & processes (time)

[Diagram: system under audit and the review ”Surgical Team”]
• Review Lead
• Legal Expert
• Architecture Expert
• Additional members

Review Lead IS NEVER responsible for running the checklist!


Page 18

System Rampdown

Another example is ramping down a system:

• Customer interaction
• Complex interaction of stakeholders
• Complex legal requirements
• Complex data handling requirements
• 3rd parties often involved for data destruction
• Etc...

Page 19

Experiences

• It works!
  – Takes time to ramp up and customise, but much faster than the detailed approach used previously
  – Accepted by auditors and development teams
• Exposing holes in our externalisation of knowledge
• Exposes holes in our knowledge of what privacy is (and demonstrates our naivety)
  – On The Naivety of Privacy ( http://ijosblog.blogspot.fi/2013/01/on-naivety-of-privacy.html )
• Customer checklists are of the READ-DO type with short timescales
  – Vital signs
  – Pre-diagnosis
  – Structured follow-up
• Audit Team Checklist is a DO-CONFIRM type with longer time-scales
• Tooling weaknesses
  – Data extraction, documentation, auditing tools, formal reporting, ontologies, classification systems
  – What is ”information”?
• Localisation for particular contexts (by design!)
• Implementation by mentoring, not teaching
• Single person teams
  – Discipline improvement in this situation
  – Avoid introducing yourself to the team however...
• Quality improvement
  – Due diligence, coverage, depth, speed of review
• Confusion can happen with the process-obsessed, tick-box mentality

Page 20

More Information

• Ian Oliver: [email protected]

• Twitter: @i_j_oliver

• Blog: http://ijosblog.blogspot.fi/