NHS: No Hope Security?
Will the ICO’s clampdown on NHS data breaches solve the on-going problem of security or does there need to be a bigger, better solution? Jennifer Scott investigates.
The National Health Service (NHS) is renowned for its poor record when it comes to security breaches. Unencrypted laptops and USB sticks end up in the strangest of places, not through pure stupidity, but due to a lack of understanding of security and no one seemingly taking charge of putting security policies in place.
The Information Commissioner's Office (ICO) regularly deals with such cases including the recent breach which saw a laptop with 8.6 million medical records go walkabout and even it seems to have lost its temper when it comes to this particular matter.
Last year, deputy commissioner David smith claimed the NHS was responsible for a third of all reported data breaches in the UK.
But last week, the head of the ICO, information commissioner Christopher Graham, announced a further crack down to try and force the NHS to solve the "systematic problem" of data breaches and overall security.
"The policies and procedures may already be in place but the fact is that they are not being followed on the ground," he said. "Health workers wouldn't dream of discussing patient information openly with friends and yet they continue to put information on unencrypted memory sticks or fax it to the wrong number."
He added: "The sector needs to bring about a culture change so that staff give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and then become second nature."
Make a difference?
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Standing up and admitting the NHS is such a problem, as well as vowing to crack down on the system, has won Graham wide-spread praise from the security industry. But will a more forceful ICO be the answer to all its security issues?
Rik Ferguson, director of security research at Trend Micro, pointed out there had already been a mandatory roll-out of endpoint encryption across the NHS but unencrypted devices were still being picked up at bus stops and car parks.
He claimed it was "tough to say" if Graham's plans will hold much weight as it depends on the motivation to stay secure.
"If it is the accomplishment of rolling out a comprehensive and successful data protection programme, encompassing data security policies, encryption, data-leakage prevention, network and endpoint protection and, importantly, training then the teeth of the ICO should provide very little encouragement," he said.
"However if it's more driven by the avoidance of financial penalty and bad PR then, of course, it will help."
Clive Longbottom, founder of analyst firm Quocirca, said the ICO attempting to show its teeth would make no difference whatsoever.
"A fine to the NHS is just charging the taxpayer," he told IT Pro. "Therefore, there is no real emphasis on driving such change."
He suggested "true accountability" for either individuals or systems integrators was key to driving the change, as people or companies would be much keener to ensure everything was secure if they themselves were responsible.
Cloud solution?
While in Silicon Valley las week, IT Pro's Tom Brewster discovered a company called ZScaler had signed a cloud-based contract with the NHS.
Details of the deal were sparse, but it did indicate a new direction for the NHS and the possibility cloud could be the answer to its security woes. But could cloud technologies, not just for security but overall in the NHS, help keep such sensitive data safer and ensure a smoother running of one of the largest employers in the world?
Longbottom definitely feels many of the answers lie in the cloud.
"Cloud can be used to centralise the data into a single facility, with access being through relatively dumb devices," he said. "Sure, this is then predicated on always being connected, but this should be more and more a case for NHS workers."
Ferguson concurred. However, he also highlighted new security problems that could rise from such a solution.
"Centralising data and providing access on the basis of need-to-know and least-privilege is certainly a means of avoiding data loss associated with the loss or theft of physical devices, especially if we make the data accessible but not exportable," he said.
The problem is, as with any public sector cloud offering, it means very secret but lucrative data will all remain in one place and appeal to the eye of cyber criminals.
"Concentrations of data also represent attractive targets for breach and theft," added Ferguson. "Cloud is certainly a very valid answer to many of the data security concerns of the NHS, but that cloud had better be a Secure Cloud."
The ghost of NPfIT
It should be noted though, major reforms of NHS IT have not always gone down well, or indeed gone to plan.
The National Programme for IT (NPfIT) was set to revolutionise the way the health service operated, making all records electronic and allowing medical centres to align.
It ended up being both a political football and a waste of money. Indeed. the last Government was accused of squandering billions on a scheme that was never going to work.
The coalition has confirmed it will scrap the scheme, but some critics believe if so much money has already been spent it would be better to simply get the job fixed.
Best practice?
It would seem the NHS isn't deliberately ignoring the security question, certainly not according to its spokespeople.
"We fully support the information commissioner's call for improvement in local NHS practice in relation to preserving patient confidentiality," a Department of Health spokesperson told IT Pro.
"There is absolutely no excuse for breaches leading to the loss of sensitive and personal data. Encrypting information held on portable devices such as laptops and memory sticks is just as important as avoiding public conversations about patients' details."
But the people, particularly those whose data has been lost along the way, demand actions as well as words.
With the ICO breathing down its neck and the ghost of NPfIT looming, what is the best model the NHS could go for to solve its security issues and help modernise?
Cloud is still top of the list, according to Ferguson and Longbottom.
"A private cloud system for the most personal data, using external public cloud systems where the data being used has little protection need (for example Postcode data, geodemographics, and so on) [would be the best]," said Longbottom.
"If this could also enable shared services through to other areas of health (such as social services), emergency services, the judiciary and so on, then real benefits could be gained."
As he pointed out though, this was the plan of the G-Cloud, and he has concerns the NHS will just end up like most public sector organisations "trying to make the existing broken systems, hated by many, struggle on from one problem to another, with massive cost implications."
Ferguson was more optimistic, however, believing the NHS should get involved with the early stages of G-Cloud implementation.
"The NHS would benefit greatly from playing an active role in the scope and design of the much vaunted G-Cloud, making sure that patient data is stored encrypted, that any servers accessing that data have their individual perimeters secured and that each NHS trust maintains ownership of its own decryption keys, rather than centralising within G-Cloud," he said.
"The security of medical records is important enough that we should be ensuring that only those with the correct authorisation are able to access this information, and even then, only at the requisite level of detail."
G-Cloud to the rescue?
The NHS might be alive and kicking but to take advantage of the G-cloud, that itself would have to be alive and kicking too. The UK managing director of HP recently told IT Pro the G-Cloud project had been "canned" and even the Cabinet Office had little to say on the matter.
However, the ex-deputy director of the G-Cloud, Andy Tait, told sister title Cloud Pro it was alive and well in all but name.
"[If] we go back to the ICT strategy published on 29 March, the G-Cloud wasn't specifically labelled," he said, "but the cloud computing approach was within the six month [plan]."
"It absolutely said about datacentre consolidation, it absolutely said about the app store for Government and cost reductions of 35 per cent within five years. It was not bundled in [the strategy] as the G-Cloud but there is no hang up on the name and the three core components are still there."
Maybe the ICO, the Government and the cloud can all help the NHS become a safer place for our data. It will require a great deal of collaboration and an overhaul of systems in the organisation that we consider both a symbol of national pride and a drain on resources, but we all want it to be a healthier, happier and safer place.
Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.
Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.