08.02.17
Taking the lead on data security
Source: RTM Jan/Feb 17
NHS Digital’s head of security, Dan Taylor, discusses the importance of data security being on the leadership agenda.
There’s no doubt that cyber security has gained prominence over the last couple of years. In health its prominence is probably more recent, amplified by the publication of Dame Fiona Caldicott’s review on data security, opt-out and consent. When I first took the role as head of security at NHS Digital, I felt the NHS considered that data security should be left to the ICT department or the information governance manager. It was ‘about technology,’ a specialism.
Times have changed. The NHS is moving quickly to realise that the fight to protect our critical information assets and systems starts on the frontline with our people, then our processes, backed up by technology. I’ll say this upfront: cyber-attacks have affected and will affect patient care. It is no longer just about our email or our IT but about the digital transformation, which means that the delivery of care is underpinned by working software. That said, digital information brings huge patient benefits and drives much-needed efficiencies. We shouldn’t be fearful of cyber-attack, but be prepared, forward-thinking and, most of all, be leaders.
Therefore, are you ready to lead?
At NHS Digital we are delivering a range of services that enable the NHS to improve data security. Our approach is to support good local decisions, enabling organisations to take our advice and learning and apply it locally in a way that suits local need. At the same time, the NHS must ensure it has good cyber hygiene. Think of this as washing your hands before going onto a ward to prevent infection: cyber hygiene prevents digital infections such as ransomware.
Increase in ransomware enquiries
Talking of which, ransomware (where data is ‘digitally locked’ and a ransom is demanded for the key to unlock it) is currently the number one area for enquiries. In the UK, health has never paid a ransom; instead organisations have restored systems from back-ups after clearing the infection, but as we have seen recently this can still lead to days of cancellations to patient-facing services.
The majority of enquiries regarding ransomware are received just after an attack hits the news, often focusing on which specific variant it is and why we’re not issuing a CareCERT alert dealing with remediation for that variant. From my perspective, I can’t help but think this is like asking what colour the burglar’s swag bag is after a break-in. He’s left with the candelabra and the pearl necklace, but it’s OK because we’ve told the neighbours he carries a distinctive yellow bag.
I know, it’s stretching an analogy to breaking point, but if this were a burglary we’d want to know if the door was locked, whether the door had a known vulnerability or whether we’d closed the windows. Yes, ransomware is on the increase, but it’s just another threat, another piece of malware. I mentioned hand-washing on hospital wards earlier: you wouldn’t have five different washers for five different strains of bacteria, so why focus on just one kind of threat? Being cyber prepared means being secure against a variety of attack types.
So what should we do?
Firstly, data security (I do generally dislike the term cyber) needs to be on the leadership agenda. Maintaining public trust in the use of patient data is key to realising the benefits digital transformation can bring.
More soberingly, with the introduction of the General Data Protection Regulation (GDPR) there is a financial angle: one recent estimate calculated that Tesco could have been fined up to £1.94bn because of the breaches at Tesco Bank, which is no small amount. Being aware of data security at a leadership level and monitoring preparedness is an absolute.
As a leader it is paramount to understand that security starts on the frontline. We need to ask if our colleagues have the relevant basic training in cyber security. Do they understand their personal responsibility to keep data safe? Do they have specialist training to ensure their particular role maintains security?
Never forget to drive good processes too. Do we have appropriate patching regimes for applications and systems to ensure vulnerabilities are closed? Do we have good movers, leavers and changes processes to make sure access to systems is monitored and maintained? Do we have a process in place to remediate known cyber threats?
Finally, lock your front door and set the alarms. Invest not only in technology but in people too – invest in their development. Well-maintained firewalls and a sound password policy go a long way towards bolting the doors shut, but good intrusion detection ensures you know what is happening before it does harm.
Having people who understand what they’re seeing ensures you react in the right way. People, process and technology, working together to protect against all threats.
However, my absolute piece of advice is don’t panic!
Leading on data security doesn’t mean you have to be able to set your firewall permissions or run a training session for 50 staff. It means taking responsibility, understanding that the threat is real, having the right plan and taking trusted advice. If we can get more people in the NHS to do this we will become best in class. The more we share and learn, the stronger the whole sector becomes.
Understanding that data security is important is the first step to building maturity, and NHS Digital is there to help, so please contact us to get involved or to offer feedback. In the meantime, if you do one thing today, start that journey by asking your organisation what it is doing to be cyber prepared.