Risk Assessment - Cyber Security Capabilities – Community Paramedics
22nd November 2016
Author: Michael Exton, MSc
Version: 2.0


Page 1: Risk Assesment medical firm



Notice: This risk assessment was conducted and compiled by Michael Exton MSc on behalf of Community Paramedics on a Pro Bono basis.

Michael Exton completed his undergraduate degree in History in 2014 from Plymouth University before reading International Security MSc at the University of Bristol 2015-2016.

From 2014-2015 Michael worked for Lloyd’s Banking Group undertaking financial transactions for clients as well as conducting “Know Your Customer” (KYC) checks, counter-fraud, and anti-money laundering operations. Since September 2016 Michael has worked with the Minister for the Constitution and Democratic Engagement Chris Skidmore MP.


CONTEXT – THE DATA PROTECTION ACT 1998

The Data Protection Act exists to safeguard the information and personal details of a British subject and controls the use of said information by organisations, businesses, and the government (Gov.uk, 2016). Every organisation, business, or person who has access to sensitive personal information/data must follow the regulations set out in the act (ibid).

SENSITIVE PERSONAL DATA

The Data Protection Act defines Sensitive Personal Data as any of the following (TSO, 2005: 3):

A. The racial or ethnic origin of the data subject
B. The subject’s political opinions
C. The subject’s religious beliefs or other beliefs of a similar nature
D. Whether the subject is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
E. The subject’s physical, mental health or condition
F. The subject’s sexual life
G. The commission or alleged commission by the subject of any offence
H. Any proceedings for any offence committed or alleged to have been committed by the subject, the disposal of such proceedings or the sentence of any court in such proceedings.

While there are no precisely defined penalties for individuals or organisations who have failed to protect the subject’s information under the DPA 1998, failure to have adequate protection in place can lead to loss of reputation as well as severe financial penalties being levied against a firm found to be in breach of the act (DKLM, 2016; Glenday, 2013).

DATA PROTECTION ACT REGULATIONS

The DPA regulations must be strictly adhered to. Failure to comply with these regulations may result in a civil or criminal lawsuit being filed.

The regulations are as follows:

1. All information is used fairly and lawfully
2. All information is to be used for limited or specifically stated purposes
3. All information must be used in a way that is adequate, relevant, and not excessive
4. All information must be accurate to the best of the subject’s and organisation’s ability
5. All information must not be kept for longer than is absolutely necessary
6. All information must be handled according to people’s data protection rights
7. All information must be kept safe and secure
8. All information must not be transferred outside the European Economic Area without adequate protection


These regulations are applicable to all devices used by an organisation for professional purposes, including hand-held mobile devices. While the DPA does not require organisations to use Security Service level technology to protect the information, it is strongly recommended that all devices, servers etc… are protected by the best technological services and encryption that the company can afford (ICO, 2016).

THE FIRST PROTECTION PRINCIPLE

In order to be compliant with the DPA, the organisation has to ensure that the information it holds is used “fairly and lawfully”.

The ICO have confirmed the following:

“The Data Protection Act does not prohibit the sharing of personal data [,] however an organisation would need to comply with principle 1 and satisfy a condition for processing from Schedule 2. If the information is sensitive personal data one condition for processing would also need to be satisfied from Schedule 3” (ICO Live chat, 2016)

In layman’s terms, this means that the organisation must comply with the following regulations if the organisation wishes to disclose client information, even to the client themselves (ICO, 2016).

The organisation must:

1. Have legitimate grounds for collecting and using the collected personal data
2. Not use the data in ways that have unjustified adverse effects on the individual(s) concerned
3. Be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
4. Handle people’s personal data only in ways they would reasonably expect
5. Not do anything unlawful with the data

THE SEVENTH PROTECTION PRINCIPLE

“The typical computer network isn't like a house with windows, doors, and locks. It's more like a gauze tent encircled by a band of drunk teenagers with lit matches” - Robert Steele, Chief Executive Officer, Open Source Systems, Former CIA analyst and Deputy Director of the U.S. Marines Intelligence Center

As shown above, the seventh mandatory regulation laid out by the DPA requires that all client information must be kept in a “safe” and “secure” environment. This is a task becoming more difficult by the hour, with most IT and cyber-security experts now advising that it is impossible to stop hacking attempts and that efforts should be diverted to creating a system that will not prevent an attack but survive it. The former Director of the FBI Robert Mueller agrees with this principle and stated that it was an inevitability that the websites and servers of private companies would be hacked, sometimes repeatedly, and that risk mitigation was the only solution (Probasco, 2015). At the same time, physical security must be ensured. It would be a waste of valuable time, resources, and energy to develop a state-of-the-art server system with encryption protection if someone in the organisation’s work environment could access an unlocked computer while the employee was absent from their computer.

In order to mitigate risk towards both the organisation and clients, as described by the DPA:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (DPA, 2005)

In layman’s terms, this means that the organisation must design security measures that fit the nature of the personal data that is held; ensure that the individual(s) responsible for maintaining security know what their responsibilities entail; ensure that the correct physical and technological security is in place, backed up by robust policies and procedures; ensure staff are well trained and reliable; and be ready to swiftly respond to any security breach.

PHYSICAL SECURITY

Physical security is another important factor that is covered by the DPA and is just as important in maintaining the security of the organisation and its clients.

It is highly advisable that only authorised persons can alter, disclose, or destroy client and employee data; those authorised stay within their remit and do not act beyond the scope of their authority in this regard; personal data MUST be recoverable in the case of loss, damage, or destruction.

The ICO stipulates that certain factors must be considered and the appropriate steps taken regarding the physical security of the organisation. It is, therefore, important to assess the following (ICO, 2016):

1. The nature and extent of the organisation’s premises and computer systems
2. The number of staff in the organisation and the workplace environment
3. The extent of access to personal data

In order to prevent physical intrusion into the organisation’s systems, if password protection is not already in place, it is strongly recommended that this is implemented as soon as possible. Password protection should be applied at multiple levels to prevent easy access to the organisation’s system. If further protection can be applied this should be taken (see list of recommendations).

It is also a good idea for employees to be aware of their surroundings. If an employee notices a person displaying suspicious behaviours or activities while patient or employee information is on screen, they should save the information, close the program, and politely enquire whether they can help.

TECHNOLOGICAL SECURITY

As well as employees being aware of their surroundings, technological security must also be ensured. The ICO recommends the following (ICO, 2016):

1. Personal data held or used by a third party on the organisation’s behalf (under the Data Protection Act the organisation is responsible for ensuring that any data processor it employs also has appropriate security).

2. The organisation’s computer security needs to be appropriate to the size and use of the organisation’s systems.

3. Technological developments should be noted and considered; however, the organisation is also entitled to consider costs when deciding what security measures to take.

4. The organisation’s security measures must be appropriate to its business practices. For example, if the organisation has staff who work from home, measures should be in place to ensure that this does not compromise security.

5. The measures taken must be appropriate to the nature of the personal data the organisation holds and to the harm that could result from a security breach.

Note: Please be advised that the greater the client base and storage space, the more likely that information may be lost, misused or corrupted.

THIRD PARTY DATA PROCESSORS AND SERVERS

Organisations under the DPA are entitled to use third party servers to store information. However, it should be noted that in the case of a cyber-attack or an accident which results in the loss or damage of personal data it is the organisation and not the third party that will be held liable. To prevent this from happening and to demonstrate compliance with the DPA, the organisation should follow the special provisions the Act contains for these circumstances. The Act says that where you use a data processor:

1. The organisation must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for the organisation

2. Reasonable steps must be taken to check that those security measures are being put into practice

3. There must be a written contract setting out what the data processor is allowed to do with the personal data. The contract must also require the data processor to take the same security measures you would have to take if you were processing the data yourself.

Although this may be time-consuming and frustrating, it is vital that a contract is drawn up to protect the organisation and the server provider from legal action in the case of data loss.

Please see below for the ICO approved model of third party contract.

SECURITY ISSUES – DRUPAL PLATFORM

Drupal has a strong and reliable reputation within the IT community and is generally considered to be a safe website platform, if not the safest (Hubbard, 2016). The platform is used by several major companies such as CNN, PayPal, and Twitter as well as being used by government offices in more than 150 countries (ibid) (Villorente, 2013).

As Drupal is open-source software, unlike profit-driven companies who are compelled to hide security breaches, Drupal consistently works with its client base to locate, isolate, and eliminate any vulnerabilities in the site code that may arise. Drupal’s transparency in dealing with security issues, as well as Drupal’s own in-house security team working with Drupal users, typically results in issues being fixed in a matter of hours. Drupal will then release an update that will look to protect sites from the most recent attack (Drupal, 2016). It is highly advisable that you apply every new update to prevent security breaches.

NOTABLE BREACHES

In October 2014 Drupal reported a security issue that was ranked “25/25” in seriousness. This involved a syndicate of hackers (currently believed to be freelance Eastern European cyber-criminals) being able to exploit a single line of code to gain entry to the platform (Burge, 2014). Potentially, criminals could completely take over any website they had access to and exploit it.

This attack was unusual as it took the hackers only 7 hours to find a vulnerability and exploit it. It is also possible that the attack on Drupal was connected to the attempted attack on the White House that occurred in the same period, with certain departments of the US government also using Drupal (BBC, 2014). Owing to the technical skill of the hackers, the possibility of Russian government involvement, and the rarity of such attacks happening under usual circumstances, it is unlikely that attacks this serious in nature will occur on a regular basis.

More recently, in July 2016 Drupal reported that a breach considered “20/25” in severity was found; it was similar to the previous attack, i.e. an attempt to take over certain websites. However, the attack was swiftly blocked and a new version of Drupal was released soon afterwards.

PROTOCOLS FOR A SECURITY BREACH

As per the DPA, the organisation is required to have a plan in place in order to deal with mass data loss. It is strongly advised that internal issues are dealt with first; however, it is also expected that the appropriate people and organisations are informed of any breaches, losses etc… that may affect other organisations (ICO, 2016).

1. Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.

2. Assessing the risks – the organisation should assess any risks associated with the breach, as these are likely to affect how the organisation proceeds once the breach has been contained. In particular, the organisation should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.

3. Notification of breaches – the organisation should be clear about who needs to be notified and why in the event of a breach. It should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; and other third parties such as the police and the banks.

4. Evaluation and response – it is important that the organisation investigate the causes of the breach and also evaluate the effectiveness of the organisation’s response to it. If necessary, policies and procedures should be updated accordingly.


Please see below the official documentation on reporting Breach Management to the ICO as well as a guide on how to deal with breach management.

RECOMMENDATIONS FOR FURTHER SECURITY MEASURES

Smaller companies using Drupal often find themselves in a paradoxical situation when faced with security issues. While the majority of detected hackers target larger companies via Drupal, it is smaller companies, unable to buy and maintain a large and dedicated cyber-security team, that are often affected.

It is therefore highly recommended that certain safety precautions exist to prevent a breach of the company servers or the DPA. Before reading these recommendations, I strongly suggest reading through the official guide on the Data Protection Act laid out by the ICO.

1. Reserve (Back Up) Servers: In order to comply with the Seventh Protection Principle any data that is lost, altered, or destroyed must be recoverable. Not only will the reserve server ensure the company is fully compliant with the DPA but will also potentially save hundreds to thousands of hours re-recording patient/client details in the case of mass file corruption or deletion.

2. Consistently update systems: Hacks against Drupal occur on a sporadic basis with each new attack resulting in an update being released soon after. It is highly advisable that you continue to update your systems as newer editions of Drupal will eliminate lines of vulnerable code that may be present in older versions of the software.

3. Update passwords: It is advisable that both employee and server passwords are changed on a regular basis. Depending on how much the organisation would be affected by a password transition, it would be advisable to change passwords every month. If this is not possible, change them at the earliest opportunity.

4. Improve Physical security: Owing to the nature of the stored information and the “hot seat” environment that the organisation is based in, all employees should remember to lock their computers every time they are absent from their computer, no matter how long the employee will be absent.

5. Physically Secure Passwords: A further method of physical security would be investing in a “YubiKey” password protection device. This device is designed to fit into a USB slot, with a single key programmed to match a single computer. An employee keeps this key on their person (the device can be attached to a keyring) and, after typing in their username and password, inserts the key into their computer and presses the button in the middle of the key. This creates an encrypted, unique, one-time password that allows the employee to access the system. Note: This is an advisory measure, subject to the organisational budget. Link to website: https://www.yubico.com/

6. Security Mailing List: Anyone using Drupal should subscribe to the security mailing list (by editing your account profile) in order to automatically keep up to date with the latest security advisories of all types. To subscribe to the security mailing list: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

7. Use of free EPCR (Electronic Patient Care Record) apps and software: Using free EPCR programs is strongly advised against, as the information entered will be automatically stored and backed up onto third party systems. These systems may or may not be encrypted, and their administrators are under no obligation to keep this information confidential, which could lead to patient files being sold to Big Data companies. This would result in the organisation failing to comply with the DPA. It would also be extremely ill advised to install these programs onto personal devices, as these programs are not physically secure and could lead to increased risk of both physical and on-line data theft.

8. Use of Personal Devices: Personal devices can only be used in cases where patient information is not saved as a “cookie” or cached. Patient data must therefore not be recoverable from the device once it has been submitted electronically. There is a physical risk for the client whose information is being input; however, provided no information is retained on the phone after submission, this risk is minimal.
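Recommendation 5 describes a hardware key that produces a unique one-time password on each press. The following is an added illustration, not part of the original assessment and not YubiKey's own protocol: it implements the generic counter-based HOTP scheme from RFC 4226 and a server-side verifier that refuses a code it has already accepted, which is what makes an intercepted one-time password useless to a second user. The shared secret is the RFC 4226 test secret, used here as constructed demonstration data only.

```python
"""Counter-based one-time passwords (HOTP, RFC 4226) with replay protection.
Added example; the secret is the RFC 4226 test value, not a real credential."""
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret (constructed/test data, never use in production)
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute HOTP = truncate(HMAC-SHA1(secret, counter)) mod 10^digits."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one enrolled key: the shared secret plus the
    highest counter already accepted. A code is valid only if it matches a
    counter strictly greater than the last accepted one (within a small
    look-ahead window), so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c              # this code is now spent
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay of the same code, and the next press."""
    token_counter = 0                              # counter held inside the key
    verifier = OtpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, token_counter)
    token_counter += 1                             # the key advances on each press
    second = hotp(TEST_SECRET, token_counter)
    return {
        "first_code": first,
        "first_accepted": verifier.verify(first),
        "replay_accepted": verifier.verify(first),  # same code again: refused
        "second_accepted": verifier.verify(second),
    }


if __name__ == "__main__":
    print(demo())
```

The look-ahead window exists because a key may be pressed without the code being submitted (the counters drift apart); the verifier tolerates a few skipped presses but never moves backwards, which is the property that defeats replay.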
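Recommendation 8 allows personal devices only when patient information is neither cached nor stored in a cookie. As an added example (not from the original assessment or the organisation's Drupal site), the code below shows the HTTP response headers a web application should send for any page that displays or collects patient data, alongside a check that flags responses which would leave a copy on the handset. The header names are standard HTTP; the two sample responses are constructed for this illustration, and the cookie value is a placeholder.

```python
"""Response headers that keep patient data off a personal device, and a
check for responses that would leave a trace. Added example with
constructed sample responses; the patient identifier is a placeholder."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: a default response that is cacheable for a day and
# stores the patient identifier in a cookie, which the handset would keep.
WEAK_RESPONSE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "public, max-age=86400"),
    ("Set-Cookie", "last_patient=NHS-0000000000; Path=/"),  # placeholder id
]


def hardened_headers(content_type: str = "text/html; charset=utf-8") -> Headers:
    """Headers for any response that contains or collects patient data.
    no-store forbids writing the response to the browser cache, Pragma and
    Expires cover older HTTP/1.0 caches, and the absence of Set-Cookie means
    nothing about the patient persists on the device after submission."""
    return [
        ("Content-Type", content_type),
        ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
        ("Pragma", "no-cache"),
        ("Expires", "0"),
    ]


def cache_directives(headers: Headers) -> Dict[str, str]:
    """Parse Cache-Control into {directive: value} ('' when the directive has no value)."""
    out: Dict[str, str] = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            for part in value.split(","):
                token, _, arg = part.strip().partition("=")
                if token:
                    out[token.lower()] = arg.strip()
    return out


def check_no_trace(headers: Headers) -> List[str]:
    """Return the reasons a response would leave patient data on the device;
    an empty list means the response passes the check."""
    findings: List[str] = []
    directives = cache_directives(headers)
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: page may be written to the browser cache")
    if "public" in directives:
        findings.append("Cache-Control is public: shared caches may also retain the page")
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            findings.append(f"Set-Cookie '{cookie_name}': state persists on the handset")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", hardened_headers())):
        print(label, check_no_trace(hdrs) or ["no findings"])
```

The check treats every Set-Cookie as a finding so that a reviewer has to justify each one; a session cookie for login may be acceptable, but it must never carry patient details, and the screens that show or capture those details must still be sent with no-store.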

REFERENCES AND LINKS

BBC (2014) “White House Computer Network ‘Hacked’”, BBC News Online, accessed 21/11/2016, available at: http://www.bbc.co.uk/news/technology-29817644

Burge, S. (2014) “8 Things to Know About the Drupal Security Issue”, accessed 21/11/2016, available at: https://www.ostraining.com/blog/drupal/8-things-drupal-security/

The Stationery Office (TSO) (2005) “The Data Protection Act 1998 – Amended 2005”, accessed 21/11/2016, available at: http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf

Drupal Security Team (2016) “Security Advisories”, Drupal, accessed 21/11/2016, available at: https://www.drupal.org/documentation/is-drupal-secure

DKLM Solicitors (2016) “Data Protection Breaches – Recent Cases”, accessed 21/11/2016, available at: http://www.dklm.co.uk/site/library/commercialgeneral/data_protection_breaches_recent_cases.html

Glenday, J. (2013) “Sony fined £250k over Data Protection Act Breach”, accessed 21/11/2016, available at: http://www.thedrum.com/news/2013/01/24/sony-fined-250k-over-serious-data-protection-act-breach

Gov.uk (2016) “The Data Protection Act”, accessed 21/11/2016, available at: https://www.gov.uk/data-protection/the-data-protection-act

Information Commissioner’s Office (ICO) (2016) “Guide to Data Protection – Information Security (Principle 7)”, accessed 21/11/2016, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

Probasco, L. (2015) “How Secure is Your Data in Drupal? And 5 Essential Security Tips”, accessed 21/11/2016, available at: https://pantheon.io/blog/secure-your-data-drupal

Villorente, G. (2013) “Why is Drupal Secure?”, X-Team, accessed 21/11/2016, available at: http://x-team.com/2014/02/why-is-drupal-secure/

APPENDICES

Live Chat with an ICO advisor

[1:38 PM] Michael Exton has joined the room
[1:38 PM] ico_victoriap has joined the room
[1:38 PM] ico_victoriap has joined the room
[1:39 PM] ico_victoriap: Good Afternoon
[1:40 PM] Michael Exton: Sorry about that, I was disconnected. Would it be possible to confirm that there is no differentiation between phones and computers regarding data input for the DPA 1998?
[1:42 PM] ico_victoriap: Regardless of the way in which the personal data is stored it would still need to be kept secure, in line with principle 7 of the Act. It may be that different measures are taken with regards to this depending on where the data is stored.
[1:43 PM] Michael Exton: Thank you for confirming that.
[1:45 PM] Michael Exton: Further to that point, is there a software standard that the company must operate in order to be considered compliant?
[1:45 PM] Michael Exton: We are currently using Drupal and would like to confirm this is acceptable.
[1:48 PM] Michael Exton: I've been advised that in regards to your first point that none of the data that is taken on the mobile device is stored on that device; the information is sent to an encrypted server owned by the company. Is this still compliant?
[1:48 PM] ico_victoriap: The Data Protection Act 1998 isn't specific with regards to this, it just states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
[1:53 PM] Michael Exton: Again, thanks for confirming. We can therefore, use any software, provided it is encrypted with a backup to prevent mass data loss without having to reach a certain technical limit.
[1:56 PM] ico_victoriap: Our guidance with regards to encryption can be found on our website at the following link https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/ As we are an independent regulator we do not endorse or recommend any products or services.
[1:56 PM] ico_victoriap has joined the room
[1:59 PM] Michael Exton: Thank you. Final query, will the company be able to give back confidential info of our client to the client (with their consent and limiting the information that we send to them e.g. if our company has provided medical services to that client, the info they will receive will only indicate that the client has received care but will not detail specifics?)
[2:04 PM] ico_victoriap: The Data Protection Act does not prohibit the sharing of personal data however an organisation would need to comply with principle 1 and satisfy a condition for processing from Schedule 2. If the information is sensitive personal data one condition for processing would also need to be satisfied from Schedule 3. Further guidance can be found on our website at the following link https://ico.org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/
[2:05 PM] Michael Exton: Thank you for confirming that. You have been most helpful. We will have a look at the links you have provided and will get back in contact if we have any more queries.
[2:07 PM] ico_victoriap: Is there anything else I can help you with?
[2:07 PM] Michael Exton: I think our questions have been answered for now. Thank you.
[2:07 PM] Michael Exton has left the room
