Aspects of Data Security
Raj Samani, Vice President – Communications, ISSA UK
Rita Arafa, IG Deployment Officer, NHS CFH
Agenda
• Reported issues
• Impact
• C.I.A.
• What can we do?
• Wrap-up including Questions
Reported Issues
The current situation in the media:

Reports in the Health Press and General media:
• There may be a risk of breach of patient data
  – 2008 ‘A year of data breaches’ – E-Health Insider, 28 Oct 2008
• Reports of viruses in hospital systems impacting on patient care
  – NHS hit by a different sort of virus – More4 News, 9th Jul 2009
• Fears that patient data could be lost
  – Health data on lost memory stick – More4 News, 9th Jan 2009
  – Data protection warning as more trusts lose patient records – Health Service Journal, 16th July 09
Impact
When electronic clinical systems are compromised the following are at risk:
• Clinical Care
• Confidentiality
• Reputation

Data breaches endanger:
• Confidentiality
• Confidence
• Reputation

Clinical Care
Reports of viruses in hospital systems impacting on patient care:
• November 08: the Mytob computer virus caused havoc in three major London hospitals when it spread so quickly that it overloaded computer networks. 70 patients had to go to other hospitals, while ambulances were diverted to neighbouring hospitals to ensure that seriously ill patients did not suffer as a result of the slower manual systems being used.
• Sheffield: 800 PCs infected after just one computer in an operating theatre had its anti-virus software switched off.
• During March 09, Greater Glasgow and Clyde NHS trust was struck by a computer virus called Conficker, which froze staff out of their computers for two days.
• LAS Despatch Service: one ambulance arrived to find the patient dead and taken away by undertakers.

Building security into key initiatives
Confidentiality
A breach of patient data can be a breach of patient confidentiality:
• Unauthorised access (internal)
• Unauthorised access (external)

What is the impact?
Reputation
Confidence can be quickly lost by both the staff using the systems and patients.

Electronic records can end up being incomplete, which can further reduce confidence.
Reputation
Perceived breaches of data security can seriously damage the reputation of both clinical IT systems and the organisations that use them.

“Everyone must recognise that data breaches can cause harm, distress and hassle for the individuals affected, lead to serious financial losses and seriously affect the reputation of organisations.” – eHealth Insider, 29 Oct 2008
C.I.A. and F.U.D.
It is imperative that the following are protected:
• Confidentiality
• Integrity
• Availability

Without introducing:
• Fear
• Uncertainty
• Doubt

So what should be done?
ISMS – Information Security Management System
• Establish roles and responsibilities
• Management planning – identify where the gaps are by:
  – Reviewing, checking, implementing
  – Plan-do-check-act

Why does it need to be done?
• To comply with the Data Protection Act (principle 7)
• For public assurance
• Contractual obligations
• Legal and regulatory
• Care Record Guarantee
Roles and Responsibilities

Information Asset Owner (IAO)
• Is accountable
• Fosters a culture for protecting and using data
• Provides a focal point for managing information risks and incidents
• Is concerned with the management of all information assets
• IAOs are responsible for ensuring that information risk is managed appropriately and for providing assurances to a Board-level lead termed a Senior Information Risk Owner (SIRO)

Information Asset Administrator (IAA)
• IAAs are operational staff with day-to-day responsibility for managing risks to their information assets.

SIRO: Senior Information Risk Owner

Caldicott Guardians
• Is advisory
• Is the conscience of the organisation
• Provides a focal point for patient confidentiality & information sharing issues
• Is concerned with the management of patient information

Privacy Officers
Process Overview

Suppliers:
• Plan ISMS review & improvement activities, e.g. annual audit schedules
• Plan risk corrective action planning / reviewing etc.

Suppliers:
• Implement ISMS review & improvement activities
• Submit results to Organisation, e.g. audit reports, risk corrective action plans, areas of concern, evidence of BAU activities
• Inform programmes of impending supplier reviews

Suppliers:
• Implement risk corrective action plans

Organisation IG:
• Cascade risk corrective action plans to relevant programmes
• Monitor risk corrective action plans
• Review ISMS review & improvement activities

Organisation IG:
• Review results
• Provide guidance and influence supplier improvement activities, e.g. audit schedule
• Ensure there is evidence of BAU ISMS activities
Information Assurance Regulatory Bodies

ICO: Information Commissioner’s Office
Independent authority set up to promote access to official information and protect personal information.

CESG:
The Information Assurance (IA) arm of GCHQ and the Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing, which helps its customers achieve their aims.
http://www.gchq.gov.uk/about_us/cesg.html

CPNI:
The Government authority which provides protective security advice to businesses and organisations across the national infrastructure.

CSIA:
The Central Sponsor for Information Assurance (CSIA) is a unit within the UK Government's Cabinet Office providing a central focus for Information Assurance (IA) activity across the UK.
Some positive quotes:

The Royal College of GPs has put their support behind the national rollout of the Summary Care Record. They said concerns over security of records and patient confidentiality had now been resolved, and declared ‘the need for a shared record is compelling’.

A team of RAF security experts recently spent three days attempting to penetrate the wireless networking component of a managed service covering healthcare for British Forces in Germany – and failed. The secure networking is part of a managed service, PAS 2.0, for Guy’s and St Thomas’ NHS Foundation Trust. eHealth Insider, Jan 09

The Royal Marsden Hospital director of ICT Jon Reed said: "We've been able to create a remote environment that enables clinicians to have access to the applications they require but at the same time enforce the highest level of security for confidential patient records.” Public Sector Case Study, silicon.com, Aug 08
Any Questions?