Ross Brewer discusses reasons behind the NHS’s unenviable data protection record and looks at the task of turning the situation around.
The Information Commissioner, Christopher Graham’s recent assessment of NHS data security has revealed an urgent need for culture change as health organisations continue to breach the Data Protection Act. More than 250 laptops, many of them unencrypted, have gone missing from the Department of Health in the last ten years. This includes notable incidents such as NHS North Central London losing a laptop containing the medical records of over 8 million people. Furthermore, the NHS appears to be disproportionately responsible for many of the data breaches that have occurred in recent years.
In June 2010 the Information Commissioner’s Office published a list of all the UK data breaches reported since 2007 – the NHS was responsible for 305 out of 1,007, almost one in three. More recently Graham stated that while “the policies and procedures may already be in place…..the fact is that they are not being followed on the ground.”
Stemming the data loss
To rectify this problem the NHS will need to overcome a number of challenges including finding the right technology to ensure data is stored correctly, monitored, and that staff follow best practice guidelines. The NHS is particularly susceptible to data breach for a number of reasons. For one thing it is an enormous organisation with a disparate structure charged with protecting a vast repository of sensitive data. In addition, both staff and patients will often find themselves transferred around different facilities. This means that data needs to be accessible in multiple locations too.
Portable devices are often used to solve this problem but countless cases of lost laptops have demonstrated the risk they present. There have been reports of additional issues being caused by staff members using personal devices to store sensitive information. This last point highlights one of the biggest threats to security – employees.
For any organisation that employs as many people as the NHS it is essential to find an effective way to limit the insider threat. Recent research from OnePoll* revealed that 37 percent of people have shared privileged company information with their friends and family, while 21 percent of laptop/desktop-owning respondents stated that they have transferred company data to their personal computer, even though more than half of these devices – 58 percent – were shared with, or could at least be accessed by, other people.
While human error is one of the more likely causes of data breach there are more sinister threats online that need to be taken into consideration. As an integral part of the UK national infrastructure, the NHS is also a viable target for sophisticated attacks launched by foreign governments. Recent breaches of targets like the IMF and the Pentagon are both suspected to have been perpetrated by nation states as was the Stuxnet worm attack in 2010. While capable of causing immense disruption these attacks are equally adept at simply monitoring in the background and collecting data.
Getting at the cause of data loss
There have been numerous voices in the media claiming that cloud based solutions are the answer to the data security problems facing the NHS. For example, Clive Longbottom, founder of analyst firm Quocirca, suggests that the cloud could be used to centralise data into a single facility that could only be accessed via “relatively dumb devices”. However, many of the problems experienced by the NHS seem to stem from a lack of visibility when it comes to internal systems. This problem would appear to be common within organisations in the UK. Baroness Neville Jones, special representative to business on cyber security, noted earlier this year that many threats are missed because organisations are unaware of what the normal functioning of their networks looks like “because they don’t actually know enough about their own systems”.
Unfortunately, like many organisations, the NHS is wasting the very resource that can help develop a better understanding of its networks. IT systems produce millions of logs each day, which, when collected and analysed, can provide all the information required to develop a forensic insight into every level of activity. However, even more modestly sized organisations can struggle with the volume of logs that are created and increasingly disparate nature of IT systems.
As a result monitoring and reviewing this information to see what’s been going on can take days or even weeks – long after any security policies have been broken, and sensitive data lost. To simplify and speed up this process, the NHS needs to embrace solutions that automatically monitor and secure all activity logs while also reporting and alerting on activity that warrants attention in real-time. Unwanted activity can clarified by IT staff during the implementation process and could include numerous breaches of data protection policy including incidents of unencrypted data being transferred to a portable device or data not being deleted in accordance with regulatory obligations.
By enhancing visibility of how data is being used, the NHS will have significantly improved ability to ensure that policy and procedure is followed by its staff. In addition, monitoring data logs in this way makes it much harder for sophisticated attacks like the Stuxnet worm to take root. In order for them to do so hackers would need to breach both their target and the logging system simultaneously, a significant challenge. This kind of monitoring is increasingly required by the industry guidelines and regulations observed across both the public and private sector. CESG, the UK Government’s National Technical Authority for Information Assurance, introduced the Good Practice Guide 13 Protective Monitoring framework that stipulates that public sector organisations must continually monitor their IT systems in order to spot unwanted or unusual activity and prescribes how this can be done in the most efficient and effective manner.
Included in the recommendations is the need to monitor all computer-related activity in real-time and the generation of alerts should unwanted activity occur. Continued criticism from ICO would seem to suggest that CESG’s guide is not being adhered to with sufficient diligence at present.
Using Protective Monitoring technology to develop a better understanding of systems, and thus more effective data protection procedures, is essential if the NHS wants to clear up its reputation as one of the UK’s least reliable guardians of sensitive data. Learning more about systems in this way provides a host of additional benefits too, including the ability to identify inefficiencies within the IT estate. The NHS is responsible for holding data on some of the UK’s most vulnerable citizens, while improving IT systems is obviously not as vital as providing first rate medical services it should be a priority nonetheless.
Ross Brewer is vice president and managing director, international markets, LogRhythm.
* Survey of 3000 UK workers, April 2011, OnePoll