A new prescription for data security
4 February 2018
Already a major talking point because of chronic short staffing and underfunding, the NHS has been in the news for losing data with some regularity. But is the situation really that dire? And should NHS Digital be spending the £4.2 billion it has (for ramping up tech until 2020) on shoring up its cyber security defences now?
The cyber security threat to the NHS is manifold. To start with, the system is not national. Each NHS Trust is run as a separate entity, with its own budget and full remit to employ whatever information systems it wants to. There is no cohesion with other NHS trusts.
As a result of this, big four-core legacy systems have had newer layers bolted on with a range of interfaces – software being just one of them. And then they have been hooked up to other networks that other NHS Trusts run – similar systems, but with significant differences. So, while things trundle along reasonably well most of the time, adding machines to its core both simplifies and complicates matters.
“It is like herding cats,” says Michael Boyd, Managing Director of Mountfield Consulting Ltd. “Each of the hospitals can configure what the heck they like, and that’s what they have done!” Another way of looking at how the NHS works is by comparing Trusts to a McDonald’s outlet. The level of service is standardised across the estate, but different franchises run each of the outlets. And because of this, their targets are completely separate from each other, and how they decide to achieve them is down to the local Trust and board.
Because of this disparate set of rules, functions and scattered power structures – not to mention pressure to use fewer resources to provide care to more people – cyber security has been an afterthought, until recently.
“The NHS is part of the critical national infrastructure and so there are heavy regulatory and legislative burdens on it to keep information safe,” says Andi Scott, NHS and Healthcare Cyber Assurance analyst at PwC. “It is a ripe target because it carries a lot of patient information – the Care Quality Commission put out a report last year to say NHS Trusts should look at cyber security with the same rigour as financial governance.”
The CareCERT agenda had three key points that could help strengthen the NHS’s cyber security. These are:
• A national cyber security incident management function
• Issuing national-level threat advisories, for immediate broadcast to organisations across the health and care sector
• Publishing good-practice guidance on cyber security for the health and care system
“Data is being weaponised,” says Raj Samani, Chief Scientist at McAfee. “We see hospital networks being hacked into, and threats are coming in from all directions.
“Cyber should be more of a leadership- and assurance-based activity than compliance. With compliance, the questionnaire has just one question about cyber security. Usually, it is: ‘Do you have a cyber security policy?’ If the answer is yes, they are compliant.”
The cyber security conundrum and agency staff
The NHS traditionally has a very good track record on confidentiality. However, can the right person get the right data at the right time? Of the healthcare analysts we spoke to, many talked about how commonplace it was for a computer’s passwords to be taped onto the underside of the mouse connected to it, or even on a Post-It note on the screen itself.
“Hospital staff don’t set out to make their systems as leaky as possible – the taped passwords are so there is less interruption to patient care and to let agency staff get access to records and schedules quickly,” continues Boyd. “If someone really wanted to set out to steal information, they could certainly put away a lot in an eight-hour shift.”
It is obviously difficult to make any situation 100 per cent secure. Agency staff and locums are vetted to the highest level and those on rosters are usually familiar with the NHS Trust in question. The email that NHS staff use is highly secure, and all phishing-style emails are deleted by the powerful firewall. But healthcare professionals aren’t always well briefed when it comes to cyber security best practice, such as in the recent case where a test email sent by an IT worker to 840,000 staff resulted in so many hitting “reply all” that it caused the system to crash…
Locums and temporary staff will tend to have stipulations in their contracts that ensure any data they use is strictly confined to the practice in which they are operating, says Zak Suleman, Healthcare Security Specialist at Smoothwall. “With temporary members of staff, they are clearly more exposed to more organisations than a permanent worker, so it is imperative that data being taken offline is discouraged and only used within the four walls of the surgery or healthcare office.
“Another issue here is when temporary staff or locum doctors use the information locally, whether it be in digital format or a hard copy,” Suleman continues. “For instance, an email could be sent accidentally to someone outside of the healthcare organisation, fall into the wrong hands and be used for myriad malicious reasons. As well as this, there is little evidence to suggest reading copy offline is beneficial and only increases the risk of this information being leaked and stolen. Both of these are clearly caused by human error – but we are fallible, of course, and the best that can be done is to minimise these risks by hospital Trusts ensuring they have the correct procedures in place.”
The good old USB thumb drive is still the go-to device for transferring large amounts of data.
Overworked NHS employees who put data on a drive and take it home to work on put not just the Trust at risk, but also their home computer – without knowing it. With most disk drives disabled on NHS computers, the only option is to go ahead and disable USB drives on computers too.
There are 360 big hospital trusts in England. Each hospital has an average of between 6,000 and 7,000 members of staff, at least 50 per cent of whom have access to tech. The number of PCs is staggering, and to fix them all would cost a huge amount of money and resources.
“Building healthcare security is all about having a layered approach that needs to move with the times of the threats,” says Suleman. “Aside from ensuring spanning encryption, firewalls, web filtering and ongoing threat monitoring, NHS Trusts must also keep their operating systems up to date. Yet with so many accessible devices (of which the average NHS Trust might have over 2,500) this is a tough, but necessary, job.
“Healthcare systems, in general, have been quite slow in adapting to security threats – having the most robust defence systems in place to safeguard patient data should now be a top priority.”
GDPR and NHS, an unholy communion
However, there is a bigger problem looming for the NHS in the form of the General Data Protection Regulation (GDPR), which comes into effect in May 2018. Currently, if staff (permanent and agency) are to have access to data, they receive information governance training and sign a document saying they understand the repercussions of a data breach, in accordance with the 1998 Data Protection Act. The legislation specifically mentions how data relating to physical and mental health and ethnicity needs to be stored. It also gives the legal definition of sensitive data and information about cyber security requirements when it comes to healthcare.
The problem the NHS now has is that GDPR is very specific about consent. Informed and explicit consent is required for the use of data, rather than implied consent. So Trusts have to make sure that patients are aware of where their data is stored, and how it is being used and transferred. NHS Trusts have been fined regularly, but until now these fines have been relatively modest. The highest ever was Brighton and Sussex University Hospital’s NHS Trust, which was asked to pay £325,000 but was also offered an early payment discount.
Says Scott: “Up until now, as a public service, every Trust is expected to report breaches to the Information Commissioner’s Office, but there has been no legal requirement to do so. When GDPR is enforced, the potential for fines also changes. The maximum that the Information Commissioner’s Office could fine is £500,000, whereas under GDPR it is 2 per cent of global annual turnover and up to 4 per cent of global turnover, so the ICO will have larger fining abilities.
“With public sector undertakings, the ICO takes a measured view of breaches – what was the breach, what circumstances led to it, was it just that they were unlucky? All these questions play a role in determining the outcome of the investigation. With GDPR, these issues will still be very important.
“The main difference from now to then will be that the burden of proof or distress will be a lot lower. The victim until now had to show significant distress or loss to get compensation. Under GDPR they only have to say, ‘I am sad that you lost my data’ to be able to make a claim, and if enough people say that, the NHS Trust could well have a class action suit on its hands. This is simply not possible under the 1998 Data Protection Act, which currently forms the basis of cybersecurity compliance in health care.”
A tougher, stricter GDPR regime
The 72-hour notification period for reporting cyber breaches and attacks isn’t really going to help burgeoning healthcare trusts either. When we asked if NHS Trusts have enough money, manpower and resources to enforce GDPR, Scott said that NHS Digital indicated it has £4.2 billion to spend on cyber security, implementing new legislation and securing patient records by 2020. “As long as a reasonable proportion of it is directed to GDPR, it will go a long way. This is also an issue for the supply chain, and the NHS also has to look at the supply chain partners and make sure they know who the weakest links are and help them and bolster their own systems.
“We have been speaking to the Trusts to do some benchmarking to see what their GDPR readiness is. Our main questions are: are you aware of GDPR, and if yes, do you have a plan? We have not had a ‘no’ yet, that’s the good news.”
Apart from the case of GDPR giving Trust chief executives sleepless nights, it is also a problem that the power base is so distributed. “Getting something as basic as water to patients who cannot feed themselves often doesn’t work out. Can you imagine how difficult it will be for anything else that is not centrally managed to go through?” Boyd concludes.
This article was published in our Business Reporter Online: Cyber Security.