Tuesday, 1 July 2008

The NHS just doesn't "do" Information Security

I said this before, and I'll probably say it again a few more times: "The NHS just doesn't 'do' Information Security".

The latest in a catalogue of NHS breaches involved a Senior Manager who had his laptop stolen; the laptop held over 21000 records of Essex patients.

The same old problem with a laptop breach...

1. No Hard Disk Encryption. Password protection is almost no protection: it's very easy to bypass Windows passwords, and pretty much anyone who can type into Google can manage it.
2. Poor Information Management. We have a vast amount of Sensitive Data which has been allowed to be "copied" from a central IT system to a laptop.
Should the Manager have access to that much information? Should he be allowed to export that much information from the host system? Probably not. Who else can access and take a copy of this data? What's to stop someone putting it onto a £6 flash drive?

I have friends who work in the NHS, and they tell me the NHS has no culture or awareness towards protecting the vast amount of personal and, let's face it, highly sensitive information which the NHS holds and processes. I'm not saying keeping people alive is less important than investing in information security, but that's the problem: a lack of investment (money), and that's why there will continue to be serious data breaches involving the NHS. But consider this: soon the NHS will be storing our DNA profiles on their systems as well...

I'll finish on a positive note with this data breach, as I'm being far too negative lately: good for the NHS for disclosing and letting the people who are affected know in a decent time frame. Well, they had plenty of practice - right?

2 comments:

Dave Whitelegg CISSP said...

I have done several radio interviews and been used in newspaper articles in relation to this subject. Here is a repost of my response to public questions/statements on the Essex Gazette newspaper site.

I'm a huge fan of TrueCrypt, and it's free and great for the home user, but in larger organisational environments you need to have better control and management when dealing with the encryption of 1,000s of laptops. Commercial hard disk encryption application offerings are the way to go. I'm completely non-biased, which is why I deliberately didn't mention any of the companies which provide such software.

Laptop encryption should be a normal standard in any large organisation which uses laptops and deals with sensitive information.

My second point, which did not make it to this article, is around how the data is controlled and managed: should this individual be allowed to access so many records? And if so, should he be allowed to remove (copy) them from the central system to a mobile device? I suspect there is little access control management on the central system holding the information. My view is the "Data Controller" is the one who is far more responsible than the employee who should have known better.

Why is this breach important? First of all, 20,000+ digital records of people's House Addresses, Email Addresses and Phone Numbers do have a "black market" value to the bad guys. They would normally auction the data off to spammers; the information tends to get sold over and over, and sometimes ends up back in the hands of legit companies which do mail shots and cold calling. There is some value in using the data to build up an "identity theft", especially if the date of birth and national insurance number is part of the record. BTW Identity Theft is the UK's fastest growing crime, so it shouldn't be overlooked when considering data breaches.

OK, it's hard to put a figure on the worth of this data on the black market, but off hand I would expect at least several hundred pounds at the first selling point.

But the real problem with this breach is it is a breach of personal trust; losing information about people's medical status and medical history is a serious breach of individual privacy.

At the end of the day, Information Security in the NHS is not the priority for the organisation and it probably never will be. The NHS priority is to save lives, and then meet government targets. It is fair to say the NHS are struggling to provide decent security for their employees, drugs and their physical assets, which in regards to the latter are regularly disappearing. It will be interesting to see if there are any fines or actions, I doubt if there will be anything major, which means there is no real "business" deterrent for the organisation to make sure it doesn't happen again.

Finally, on a positive note, good for the NHS for disclosing the breach and letting the individuals who are affected know in a decent time frame. Many companies are rubbish at that, but I suppose the NHS has had plenty of practice - right?

Home Security Guy said...

The NHS is so cash strapped, it's no wonder there is no investment in IT security.