The computer virus which affected Northern Lincolnshire and Goole NHS Foundation Trust in November is a further reminder that NHS organisations need to remain constantly on their guard against security breaches. As no ransom was demanded, it’s likely to have been a random attack, but reports suggest that 28 trusts have been hit by ransomware attacks in the last year. Additionally, the NHS was the UK’s biggest victim of data breaches in 2015 according to the Information Commissioner’s Office.
To help Trusts tackle these threats, the National Data Guardian Review was published in July 2016. The results of the public consultation on its recommendations are still to be published, but the key points made in the Review are relevant across all sectors. It points out that leadership is vital to data security, and that leaders have three areas of responsibility in minimising the security threat: technology, people and process.
Technology solutions are becoming increasingly sophisticated, such as pattern recognition software that flags unusual behaviour. However, even apparently ‘low tech’ equipment such as the ubiquitous USB data stick should be considered, as a single unguarded entry point is enough for an organisation’s security to be compromised.
The importance of people to security is something Fordway’s MD Richard Blanford has discussed on many occasions. Even the best processes and technology will not work unless people actually follow them, so organisations need to define security policy and obtain employee buy-in and commitment before looking for technical solutions.
People-generated security breaches can range from an employee accidentally clicking on a malicious attachment to the case quoted in the Review, where an employee was socially engineered by a journalist into releasing pseudonymised hospital statistics which, because of their format, could have been re-identified. Employee education is vital to minimise such risks and, importantly, to ensure that if the worst occurs staff know what to do and who to contact to reduce the damage.
This takes us to the area of policy: security policy should be enforceable, realistic, acceptable to users and should not violate personal privacy laws. Policy should also ensure that organisations take all appropriate steps to prevent data loss, from regular patching to having a cyber security incident response procedure in place, a back-up of all business-critical systems and a disaster recovery plan. Automation can be a great help: for example, the Review cites a malware attack that resulted from patches not being applied, yet organisations can automate their own patching using tools such as SCCM, or buy a cloud-based service such as Fordway’s PMaaS.
Policy also needs to take account of employee behaviour, and be supplemented with technology where appropriate to reduce risks. For example, policy may be that no data can be taken out of the organisation, but all too often staff save documents onto mobile devices to read at a more convenient time. If the device is lost, so is the data. The latest endpoint protection solutions can address this by both ensuring that data is backed up and automatically deleting it on a stolen or lost device – provided that the employee admits to the loss! Thus the three aspects of people, process and technology are the three legs of the security tripod. Fail to address any of them adequately and the results could be disastrous.
NHS Cloud and IT Consultancy - Fordway Blog
For more comprehensive advice on how to develop your data security strategy you can download our Data Security White Paper, How Secure is your Critical Business Data?