“Wireless signal lost”: Managing information risks in a world without wires Daniel Beaumont Information Assurance Lead eHealth Programme, Scottish Government NOT PROTECTIVELY MARKED
Slide 2
Is there a mobile explosion?*
*Not really...
Slide 3
...more like a 20 yr marathon
- First text message: 1992
- Internet: early 1990s
- Pay-as-you-go (which created mass consumer market): mid-1990s
- Wireless LAN: late 1990s
- GPRS/3G: early 2000s (i-mode long before i-phone)
- Smart phone (PC, colour screen): early 2000s
Board IT teams know all about this...and are generally good at managing it (e.g. WLANs)
Slide 4
....bumps in the road
Vendors have tried to get a wireless big bang (e.g. WAP phones, MMS), and these often fell flat:
- Lack of bandwidth
- Lack of battery power in devices
- Screen technology not advanced
- Mobile applications still in infancy
- Short-range wireless initially slow to catch on in the consumer market
- High production costs for some components
Slide 5
What is different now..? Key components for tipping point have
come together
Slide 6
eHealth leads face a lot of background noise........
Slide 7
I am senior and I want one!
Slide 8
Patient accessing service via wireless
Slide 9
R.O.I from existing tools
- All of this demand comes just at the time when we are supposed to be squeezing value out of existing IT investment (mainly fixed cable)
- Far less money for buying more kit, or for putting in ever more complex support models for wireless
Slide 10
Getting to the nub of the problem
- Boards now need to deal with the implications of this wireless application tipping point and derive benefits while managing risk
- Take into account consumer pressure/convenience (pester power) of staff, but all decisions must be in the interests of the business even if that is not always popular
- Need to cut through all this background noise and work out what the information risks really are, and how to deal with them
Slide 11
Forget much of what you have heard and start on a clean sheet........
- There is no such thing as 100% security
- Take several pinches of salt with whatever vendors claim about devices/service ("It meets xyz International standard")
- Do not consider ITSOs, IG Leads or Caldicott Guardians as people who say yes or no
- Do not think you must buy in security expertise every time
- Do not consider wireless as necessarily any more or less secure
- Do not think the confidentiality requirement drives all decisions
- Do not think good security = encryption products
Slide 12
Instead....
Slide 13
Go for an information risk management approach
NHS staff, clinical and managerial, are already really good at risk management every day:
- Identifying risk ("this could happen to patient x given what I know about y")
- Explaining risk to others ("you cannot move this patient because..")
- Treating, avoiding, retaining risk ("we can treat x condition, but z condition can only be contained")
Slide 14
Looking at information risks in the round
How often have you heard about privacy risks?
- "Hey, you can't do that, we have personal data to protect at all costs..."
- "not possible, because the product doesn't do encryption"
- "someone might eavesdrop on that data"
Slide 15
Remember: Information Assurance is C.I.A
Confidentiality AND Integrity AND Availability
- NHS does have important confidentiality requirements (legal and moral)
- But often this can dominate all discussion to the point where availability and integrity risks hardly get a look in......
Slide 16
Information risks in the round: Availability
But how seldom you hear:
- "the need for availability of data to clinicians outweighs the very small risk of information loss"
- "I am worried that the chosen wireless solution could mean there are more service outages"
Slide 17
Information risks in the round: Availability (2)
- All wireless technologies are by their very nature intermittent (radio, infrared, microwave etc)
- So uppermost in our minds must always be the availability risk (*hence the title of this presentation)
Slide 18
Broken cables are a rare event: we have an understanding of single points of failure
Slide 19
Wireless outages: still learning about impacts
Slide 20
Information risks in the round: Integrity
How seldom do you hear:
- "I am worried that mobile devices will lead to duplication of data, or data out of synch"
- "We seem to be procuring a separate device for each application...the data will be different from desk-tops"
- "we have a pile of devices"
Slide 21
When should you do an information risk assessment?
- Organisational level: e.g. whole board, team, process
- Particular service to be launched (e.g. prior to delivery), especially if critical and/or if there is a high element of unknowns relating to security
- As a result of a security incident (e.g. privacy breach)
Slide 22
Who should do the information risk assessment?
- Ideally, someone who is not in the project team and can provide an independent view
- BUT, before you think to pick up the phone to a consultancy etc, there are lots of NHSScotland options:
  - Your ISO
  - ISO from another board
- Need to pool our skills much more internally
Slide 23
Information risks: whole process
- Understanding the business context (why is the service, which has wireless devices, so important?)
- Who might be the owners of that service
- What are the impacts (worst case scenarios) relating to something going wrong with that service/process
Slide 24
Information risk assessment
- Devices
- How they are expected to be used
- How they might be used in unexpected ways
- Relevant regulatory requirements (e.g. Data Protection)
- Types of attacker/motivation
- Risks and vulnerabilities relating to any aspect of the whole process
Slide 25
Information risk assessment
Slide 26
Information risk assessment: reporting back to...?
Slide 27
Who are the information risk owners?
- A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
- NOT the same as a SIRO (Senior Information Risk Owner) or information asset owner
Slide 28
Who may need to be in the room?
Role | Why?
Owner proposed service | There is no such thing as an IT project; the technology is there to enable a process/service that must be owned/run by someone else
Project Manager | To explain exactly how requirements are met and broad risks
Independent Risk Assessor | Explain results of risk assessment; and options
Caldicott Guardian/IG | Compliance with DP etc and best practice
eHealth lead | Is the service suitable for current architecture, how will it be released into live environment?
Slide 29
Creative tension between advisors/enforcers/owners
Slide 30
Key questions to be posed?
- Which risks can and should be treated?
- What residual risk is still left even with treatment?
- Are the residual risks still too much to bear?
- Which risks can be avoided (e.g. not doing something)?
- Which risks can be retained?
Slide 31
Example: risk retained
Smart phone: whole disk encryption not possible...but there is encryption on the application
Slide 32
Residual risk....
- User error could mean sensitive personal data ends up on the un-encrypted part of the device (e.g. My Documents, Camera)
- *Revised NHSScotland mobile data says this is permissible up to amber level.
- User training/awareness is the only control to reduce this residual risk further......
Slide 33
What about B.Y.O.D? Bring your own device
Slide 34
B.Y.O.D: Fact or fiction?
Commonly held assertion | Reality?
Staff are clamouring for it now...? | Staff would prefer not to use a different device for each purpose (not necessarily own device)
Vendors have cracked security? | OK for services up to amber and for email. But many other problems relating to personally owned devices not covered by encryption
Cheaper to support BYOD than official devices? | Not always; sheer range of variables can add to support cost
We could connect our own devices to NHS services via the web? | We do not currently have the web-architecture to do this. Few online services. Our current remote access works on VPN/tokens/official devices etc
Slide 35
Current situation
- NHSmail does allow use of own mobile device (via Internet)
- Some staff use own devices for capturing information (e.g. notes from minutes). Do they ever save it in the right place??
- Not much else...............?
Slide 36
Emerging situation: move with caution.....
- What about choose your own device (C.Y.O.D)?? Takes employee preferences into account, but devices are still owned and controlled by the org
- Employees often complain about having multiple devices...... We could make a start by reducing the number of official devices in the workplace.
- Supporting all the variables relating to people's own phones can be more expensive than just issuing official ones.
Slide 37
B.Y.O.D
- Need to sort out the identity & access management and authentication aspects for remote users in general
- Lots of products to secure applications; but having an agent installed on a personally-owned device does not = security
- Need to think far more about how we classify information
Slide 38
So what is role of Scottish Government in all this?
Slide 39
Balancing Act
Removing barriers to information sharing and innovation while upholding ministerial priorities and the right degree of compliance..
Slide 40
Barriers are often around perceptions
Slide 41
Priorities
- Information Assurance Strategy (working through it)
- Good practice guidance (based on risk assessments)
- Standards (where appropriate)
- Building communications ISO/IG communities
- Building capability (e.g. training, forums)
- Links with clinical and professional groups
- Leading and influencing within NHSScotland governance structures
- Significant incident lessons learned.
Slide 42
Final thoughts.
- Tackling some of the emerging security risks around the mobile technology space can be scary.
- BUT many of the current processes involving paper files and removable digital media are far scarier
Slide 43
Almost daily headlines
Slide 44
Mobile can help to improve security
- Secure email to any device (not the dreaded fax machine)
- Patient portal accessed by smart-phone (not paper mail)
- Remote access to the app (not the CD or memory stick)
- Addresses/combination codes to homes of the elderly on secure tablet (not held on a paper print out)