Security, NHS National Programme for IT

Security matters

Mike Howse, UK Managing Director of data security specialist Protegrity, on ensuring the integrity of the National Spine

March 2007

In 2005, when rollout of the NHS patient records database began, Kingsbury-based GP Dr Paul Thornton warned of the potential abuse of the new system: “The problem is that once the information gets on the NHS spine, there is a very real threat that this information could go all over the place”, he said.

Confidential personal information, centralised for efficiency and collaborative analysis, is a prime target for unintended distribution and, worse, for criminal misuse. As well as ensuring the (appropriate) availability of any information that comes into its possession, an organisation must take care to protect this information against unauthorised use or disclosure and ensure compliance with any security policies by the system’s workforce.

There is an urgent need for implementing system-wide database-access controls in the NHS (see Access controls in the jargon buster below), coupled with strategically implemented encryption. Centrally managed, this provides the most compelling solution to the problem of holding patient records and information securely.

Data encryption

Encrypting data is an important tool when it comes to keeping patient information safe. IT security professionals must not only take care to establish rigorous security policies but must also consistently promote them and regularly audit their effectiveness.

The technical operations that encrypt clear-text data (see jargon buster), eg a database column, a radiology image file, crucial medication histories or family history data, lock the information in a mathematical scramble that is profoundly difficult, if not impossible, to restore to its original state. Once granted entry by an IT security policy that defines authorised use, however, legitimate users of the information, and computer applications identified as germane to NHS objectives, can gain access to the data in its original format. The decryption of the scrambled content occurs transparently when an encryption key unlocks the seemingly random data tangle and presents the now readable information.

Also, best practice in security administration dictates that there be explicit separation of roles and duties: system administrators do not need access to individual patient information. One type of separation is that security managers’ policies and their encryption solutions distinguish between security administrators and NHS providers.

Those who do not have access under a specific security policy either cannot gain access to the encrypted data at all, or are able to access only the encrypted content. Of equal importance, today's data security management solutions (encompassing data encryption and other forms of data-threat management) audit all access attempts, so that security administrators may report to management on the overall security of the system. This kind of information becomes part of the reporting demanded both by legislation and by patients.
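The three points above (column-level encryption unlocked only under a policy of authorised use, separation of duties so that administrators see only ciphertext, and an audit trail of every access attempt) can be shown together in one small model. This is an added illustration, not code from Protegrity or the NHS; the roles, column names and patient values are constructed, and the HMAC-based keystream cipher is an illustrative stand-in for the authenticated cipher (eg AES-GCM) a real product would use.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Illustrative counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_column_value(key: bytes, plaintext: str) -> bytes:
    """Scramble one column value; a fresh nonce is prepended so the key can be reused."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_column_value(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


# Policy of authorised use: which clinical roles may decrypt which column (constructed).
# Security administrators and DBAs are deliberately absent: separation of duties means
# they can administer the store but only ever see the encrypted content.
POLICY = {"medication_history": {"gp", "pharmacist"}, "family_history": {"gp"}}


class ProtectedStore:
    """Encrypted columns, policy-gated transparent decryption, and an audit of every attempt."""

    def __init__(self, key: bytes):
        self._key, self._rows, self.audit = key, {}, []

    def store(self, patient_id: str, column: str, value: str) -> None:
        self._rows[(patient_id, column)] = encrypt_column_value(self._key, value)

    def read(self, user: str, role: str, patient_id: str, column: str):
        blob = self._rows[(patient_id, column)]
        allowed = role in POLICY.get(column, set())
        # Every attempt is recorded, successful or not, for reporting to management.
        self.audit.append({"user": user, "role": role, "patient": patient_id,
                           "column": column, "decrypted": allowed})
        return decrypt_column_value(self._key, blob) if allowed else blob
```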

The cost of security breaches has, for years, been based directly on the cost of remediation. However, classic models to determine the appropriate level of security spending were developed before state entities had the responsibility to protect personal, intimate, healthcare information.

The need for cultural change

Even as more healthcare organisations develop increasingly detailed security policies and hire compliance officers, security managers continue to report that the regulations and security policies are not translating into behavioural change. If anything, security managers report sporadic enforcement of security policies and growing confusion related to the ownership of the data-protection problem in healthcare environments. In some organisations, many different departments and teams own some part of the data-security/privacy problem, the result being difficulty in reaching decisions and deploying technology and process change.

It is time to acknowledge that security policies and technology alone, without buy-in by healthcare staff and enforcement by management, will not resolve the needs for regulatory compliance nor for the safety of patient information. Security tools will play their role in securing sensitive data from acquisition by the enterprise through its use, storage and subsequent deletion.

It remains the task of NHS management, however, to make real-world assessments of risks to data, how these risks are best mitigated and how these assessment decisions are enforced throughout the healthcare spine. The real challenge is in establishing a genuine culture of security where staff and management view the security of healthcare data as essential for the success of their organisation and for the health of the communities they serve.

Achieving data security

For NHS managers, particularly those involved in web-based transactions, securing the information resource means network firewalls at the perimeter, defending internal IT processes from outside attack and other malicious behaviour. Some of these firewalls offer rudimentary network protection for data while in transit. More sophisticated web-application types of security actually inspect the data itself to determine if it is what the internal client applications expect to receive. These kinds of data protection are generally understood: hospitals and surgeries use network firewalls already, and they are moving toward a greater appreciation of the web-application type today.

How about the data inside the firewalled perimeter? Internal staff access files of all types and use applications that call on information in their day-to-day operations. Now and in the future, more staff, and third-party service providers, need access to this information while working remotely. Data encryption is the most reliable means of protecting this data and controlling who gets to use it, while making it available to the appropriate people.

It is central to NHS objectives to know what data and what applications require the greatest protection and control, and very often the amount of data, its value and its location are unknown. Once an organisation knows what to protect and how to comply with applicable regulations, it can implement the steps required to meet the actual requirements of the regulations.

With so many privacy and compliance regulations overlapping in protecting data, and because Spine managers recognise the broad spectrum of legitimate potential users accessing patient data, it would be wise to follow the recommendations below:

Tips for protecting data

  • Always focus on protecting the data, not just the infrastructure, and not simply adherence to regulation.
  • Identify common technologies for achieving best-practice information protection. Data encryption, identity management, message archiving and policy management tools come into play for a wide range of NHS privacy requirements.
  • Use standard language and definitions to convey the need for NHS regulatory compliance. When the same security language is used throughout the organisation, the overall results are more thorough acceptance by staff and partners, and a more global understanding of goals.
  • Investigate rule sets used by other organisations involved in the handling of large volumes of confidential information. The Payment Card Industry Data Security Standards and Open Web Application Security Project are examples. Sound models for data security, and responsibility matrices for the processing of sensitive data have been developed and implemented in private industry worldwide. Why not examine their applicability to the NHS?
  • Clean up the data ‘toxic waste dump’ by deleting low-value/high-risk data, if permissible, and actively reconcile conflicting regulations.
  • Develop a ‘penalty matrix’. Though it may seem distasteful, publish throughout the enterprise a table of security behaviours that are unacceptable in employees dealing with sensitive data. It should also include what action will be taken against offenders. Then everyone will take security and regulatory compliance that much more seriously.
  • Regard the security rules and regulations as an ongoing process, not just a huge panic to get things in order a week before the compliance auditor comes in. NHS compliance officers should continually ensure that processes are adhered to and that staff awareness programmes are in place for regular education.

Remember that liability for data breaches cannot be outsourced. Business partners and outsourcing service providers may be a black hole for sensitive-data handling. Review third-party processor contracts, and implement a partner/service provider evaluation process.

A system-wide policy

The patient-record system is a valuable national resource for the healthcare of individual citizens, as a data resource for preventative care regimens and medical study, and as a potential foundation for new treatment techniques giving enhanced quality-of-life. It is also a system used by humans and hence subject to unintentional misuse as well as deliberate abuse. By identifying and eliminating practice redundancies, and by employing a common set of automated policies and technologies, a value-based culture of data security will protect this resource while allowing it to be used most efficiently and beneficially. System-wide data-security management is vital for its success.

Mike Howse, UK Managing Director with data security specialist Protegrity.

Jargon buster

Access controls
Access controls are software or hardware tools that stop people using electronic systems unless they have permission. Everyone who works in an office has basic access controls on their network (usually a Windows screen demanding username and password). Most people also have a swipe card that gets them through the doors of their building.

System administrators have three basic means of imposing access controls. One is to base restriction of access on something people do or don’t know (eg the password); the second is based on something the user does or doesn’t possess (eg a magnetic card or tag); the third is based on something the user is or isn’t — a photo of their face or a scan of their iris or thumbprint. These three modes can be combined to provide any required level of security.

Cleartext data

The form of a message or data which is transferred or stored without cryptographic protection (and thus requires no special software to be read).

Encryption

Also referred to as scrambling. The process of obscuring information to make it unreadable without special knowledge or technology. Now used in protecting widely used systems such as Internet ecommerce, mobile telephone networks and bank automatic teller machines.

Firewall

An IT security device which is configured to permit or deny data connections set and configured by the organisation’s security policy, with the aim of controlling traffic between computer networks with different zones of trust. Can be hardware or software-based.

Open Web Application Security Project (OWASP)

An online initiative dedicated to finding and fighting the causes of insecure software. Founded by the not-for-profit charitable organisation The OWASP Foundation.

Policy management tools

Active policy management is a business-oriented way to manage the many risks inherent in electronic communications efficiently and effectively. These risks range from non-compliance with various regulations to the leakage of intellectual property and to inappropriate or offensive employee behaviour.

Payment Card Industry Data Security Standards

Set up by the PCI Security Standards Council — an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection — the PCI Data Security Standards help enhance payment-account data security, creating a unified, global system that is more accessible and efficient for all stakeholders — merchants, processors, point-of-sale vendors, financial institutions and payment companies alike.
