Embed Size (px)
Citation preview
Aspects of Data SecurityRaj Samani Vice President – Communications, ISSA UKRita Arafa IG Deployment Officer, NHS CFH
Agenda
Reported issues
Impact
C.I.A.
What can we do?
Wrap-up including Questions
Reported Issues The current situation in the media: Reports in the Health Press and
General media: There may be a risk of breach of patient
data 2008 ‘A year of data breaches' - E-Health
Insider 28 Oct 2008 Reports of viruses in hospital systems
impacting on patient care NHS hit by a different sort of virus – More4
News 9th Jul 2009 Fears that patient data could be lost
Health data on lost memory stick – More4 News 9th Jan 2009
Data protection warning as more trusts lose patient records – Health Service Journal 16th July 09
Impact
When electronic clinical systems are compromised the following are at risk: Clinical Care Confidentiality Reputation
Data Breaches endanger: Confidentiality Confidence Reputation
Clinical Care Reports of viruses in hospital systems
impacting on patient care: November 08, Mytob computer virus caused havoc in
three major London hospitals when it spread so quickly that it overloaded computer networks - 70 patients had to go to other hospitals while ambulances were diverted to neighbouring hospitals to ensure that seriously ill patients did not suffer as a result of the slower manual systems being used
Sheffield, 800 PCs infected after just one computer in an operating theatre had its anti-virus software switched off.
During March 09 Greater Glasgow and Clyde NHS trust was struck by a computer virus called Conficker, which froze staff out of their computers for two days
Building security into key initiatives LAS Despatch Service, one ambulance arrived to find
the patient dead and taken away by undertakers
Confidentiality
A breach of patient’s data can be a breach in patient confidentiality Unauthorised access (internal) Unauthorised access (external)
What is the impact?
Reputation
Confidence be quickly lost by both the Staff using the systems and Patients.
Electronic records can end up being incomplete which can further reduce confidence.
Reputation
Perceived breaches of data security can seriously damage the reputation of both Clinical IT systems and the organisations that use them. “Everyone must recognise that data
breaches can cause harm, distress and hassle for the individuals affected, lead to serious financial losses and seriously affect the reputation of organisations.” eHealth
Insider 29 Oct 2008
C.I.A. and F.U.D
It is imperative that the following are protected: Confidentiality Integrity Availability
Without introducing: Fear Uncertainty Doubt
So what should be done? ISMS – Information Security
Management System
Establish roles and responsibilities
Management Planning – Identify where the gaps are by:
Reviewing, checking, implementing Plan-do-check-act
Why does it need to be done?To comply with the Data
Protection Act (principle 7)
For Public Assurance
Contractual, Legal and Regulatory Obligations
Care Record Guarantee
Roles and Responsibilities Information Asset Owner
The IAOs are responsible for ensuring that information risk is managed appropriately and for providing assurances to a Board level lead termed a Senior Information Risk Owner (SIRO)
Information Asset Administrator IAAs are operational staff with day to day responsibility for
managing risks to their information assets. SIRO: Senior Information Risk Owner
Is accountable Fosters a culture for protecting and using data Provides a focal point for managing information risks and
incidents Is concerned with the management of all information assets
Caldicott Guardians Is advisory Is the conscience of the organisation Provides a focal point for patient confidentiality & information
sharing issues Is concerned with the management of patient information
Privacy Officers
Suppliers:
• Plan ISMS review & improvement activities e.g. annual audit schedules
• Plan risk corrective action planning / reviewing etc.
Organisation IG:
• Inform programmes of impending supplier reviews
Suppliers:
• Implement risk corrective action plans
Organisation IG:
• Cascade risk corrective action plans to relevant programmes
• Monitor risk corrective action plans
Suppliers:
• Implement ISMS review & improvement activities
• Submit results to Organisation e.g. audit reports, risk corrective action plans, areas of concern, evidence of BAU activities
Suppliers:
• Review ISMS review & improvement activities
Organisation IG:
• Review results
• Provide guidance and influence supplier improvement activities e.g. audit schedule
• Ensure there is evidence of BAU ISMS activities
Process Overview
Information Assurance Regulatory Bodies ICO: Information Commissioner’s Office
Independent authority set up to promote access to official information and protect personal information
CESG: The Information Assurance (IA) arm of GCHQ and is
the Government's National Technical Authority for IA responsible for enabling secure and trusted knowledge sharing, which helps its customers achieve their aims.
http://www.gchq.gov.uk/about_us/cesg.html CPNI:
The Government authority which provides protective security advice to businesses and organisations across the national infrastructure.
CSIA: The Central Sponsor for Information Assurance
(CSIA) is a unit within the UK Government's Cabinet Office providing a central focus for Information Assurance (IA) activity across the UK.
Some positive quotes: The Royal College of GPs has put their support behind
the national rollout of the Summary Care Record. They said concerns over security of records and patient confidentiality had now been resolved, and declared ‘the need for a shared record is compelling’.
A team of RAF security experts recently spent three days attempting to penetrate the wireless networking component of a managed service covering healthcare for British Forces in Germany - and failed. The secure networking is part of a managed service, PAS 2.0, for Guy’s and St Thomas’ NHS Foundation Trust. eHealth Insider Jan 09
The Royal Marsden Hospital director of ICT Jon Reed said: "We've been able to create a remote environment that enables clinicians to have access to the applications they require but at the same time enforce the highest level of security for confidential patient records.” Public Sector Case study silicon.com Aug 08
Any Questions?
