NHS hears warnings on information security
The audience at last week's Infosecurity Europe show held its collective breath when David Smith, the deputy commissioner for the Information Commissioner's Office (ICO), took the podium. The ICO recently increased its penalties 100-fold to £500,000 for those organisations reporting a serious loss of data – and health service organisations appear to be among those most likely to be hit.
Smith told the event, held in London on 27 April 2010, that NHS bodies are responsible for one third of around 30 serious data breaches reported to his office every month, although the overall figure has declined slightly in the last few months. The picture is not as grim as it seems, as Smith said that not all private sector organisations declare their problems.
"We're still seeing loss of personal data on unencrypted laptops in both (private and public) sectors," he said, adding that, despite the increase in penalties, the ICO is not trying to catch people out, but is trying to help organisations which are trying to get it right.
But, he told his audience, the scale of data losses has significantly increased over the years. "We've gone from losing a few medical files on a few sheets of paper at a time, to losing millions of files on a single disk or USB stick," he said.
"Today, people are willing to share more; a culture of reducing costs and sharing has emerged," Smith added. "Data breaches are still happening, and are often due to insider wrongdoing, or theft and loss of data on portable devices. There are too many organisations ticking the boxes, without investing in real measures to keep up staff training and awareness. Contractors and processes must be checked."
So what should NHS IT professionals do if the worst happens? Smith said that, when and if a breach does occur, those affected should be notified as well as his office.
"We don't want to know about every breach that happens, just the large-scale breaches where there is potential harm to individuals," he said, adding that, in most cases, the ICO will record the incident but not action it.
Summary justice
Reacting to Smith's comments, Justin Anderson, chief executive of NHS supplier Flexeye Technology, warned that the situation with data breaches could get worse if the Summary Care Records programme continues in its present form. SCRs, he said, are potential security risks.
He believes that any system that has to copy large amounts of information to a central database is outdated and costly, as well as difficult to introduce, since it poses significant security risks to the information it contains.
Anderson, whose approach to IT security is based on a governance, risk and compliance strategy, said that a better approach to controlling access to SCRs would be to use a rules-based system that authenticates and authorises access to 'views' of specific pieces of information.
"The problem is that most requests for patient information are specific," he said. "For example, the A&E department wants access to essential details such as name, date of birth, allergies and current medication, but doesn't need to know that the patient had measles when they were three years old.
"It's also similar to the way the web is constructed. It would be hard to imagine a world where Google copied all of the information on the web into a huge central data warehouse, so that people could search for specific pieces of information. It's simply not necessary today," he added.
Anderson said that Flexeye's IT security business model has changed to make it more attractive to public sector agencies such as the NHS, by reducing the front-end licence fees and moving to support plus maintenance contracts.
"This reduces the capex and increases the opex, allowing NHS trusts to pay for their IT security on a concurrent basis, rather than from capital expenditure," he said.
Heads not in the cloud
Anderson added that he does not see much potential for cloud computing in the NHS, mainly because of the need to maintain security on patient data, which he believes is difficult to ensure in a cloud environment.
This sentiment was echoed by Hugh Njemanze, co-founder and chief technology officer of US-based security management company ArcSight. He said that the current trend towards the cloud and sharing of data is not welcomed by his healthcare clients.
"Each appliance for our clients operates as an island. Sure, we'd like to use the data from the appliance to share threat information between our clients, but that's not something they will go for," he said. "Some of our clients are in the government sector, and there's no co-operation from them when it comes to data sharing."
The IT security industry veteran also had some interesting views on the apparent stampede among IT departments to move their data into the cloud, largely due to economic imperatives. The cloud, he says, has clear economic advantages but, just like the difference between buying or renting a home, there are disadvantages as well.
"We're not moving (our customers) into the cloud with our security offerings at the moment, but we are watching what is happening in the market. We're erring on the side of caution," he said.