Aspects of Data Security
Raj Samani, Vice President – Communications, ISSA UK
Rita Arafa, IG Deployment Officer, NHS CFH
Agenda
• Reported issues
• Impact
• C.I.A.
• What can we do?
• Wrap-up including Questions
Reported Issues – The current situation in the media:
• Reports in the Health Press and General media:
  • There may be a risk of breach of patient data
    • 2008 ‘A year of data breaches’ – E-Health Insider, 28 Oct 2008
  • Reports of viruses in hospital systems impacting on patient care
    • NHS hit by a different sort of virus – More4 News, 9th Jul 2009
  • Fears that patient data could be lost
    • Health data on lost memory stick – More4 News, 9th Jan 2009
    • Data protection warning as more trusts lose patient records – Health Service Journal, 16th July 09
Impact
• When electronic clinical systems are compromised the following are at risk:
  • Clinical Care
  • Confidentiality
  • Reputation
• Data Breaches endanger:
  • Confidentiality
  • Confidence
  • Reputation
Clinical Care
• Reports of viruses in hospital systems impacting on patient care:
  • November 08: the Mytob computer virus caused havoc in three major London hospitals when it spread so quickly that it overloaded computer networks. 70 patients had to go to other hospitals, while ambulances were diverted to neighbouring hospitals to ensure that seriously ill patients did not suffer as a result of the slower manual systems being used.
  • Sheffield: 800 PCs infected after just one computer in an operating theatre had its anti-virus software switched off.
  • During March 09, Greater Glasgow and Clyde NHS trust was struck by a computer virus called Conficker, which froze staff out of their computers for two days.
• Building security into key initiatives
  • LAS Despatch Service: one ambulance arrived to find the patient dead and taken away by undertakers.
Confidentiality
• A breach of patient data can be a breach of patient confidentiality
  • Unauthorised access (internal)
  • Unauthorised access (external)
• What is the impact?
Reputation
• Confidence can be quickly lost by both the staff using the systems and patients.
• Electronic records can end up being incomplete, which can further reduce confidence.
Reputation
• Perceived breaches of data security can seriously damage the reputation of both Clinical IT systems and the organisations that use them.
• “Everyone must recognise that data breaches can cause harm, distress and hassle for the individuals affected, lead to serious financial losses and seriously affect the reputation of organisations.” – eHealth Insider, 29 Oct 2008
C.I.A. and F.U.D.
• It is imperative that the following are protected:
  • Confidentiality
  • Integrity
  • Availability
• Without introducing:
  • Fear
  • Uncertainty
  • Doubt
So what should be done?
• ISMS – Information Security Management System
• Establish roles and responsibilities
• Management Planning – identify where the gaps are by:
  • Reviewing, checking, implementing
  • Plan-do-check-act
Why does it need to be done?
• To comply with the Data Protection Act (principle 7)
• For Public Assurance
• Contractual, Legal and Regulatory Obligations
• Care Record Guarantee
Roles and Responsibilities
• Information Asset Owner
  • The IAOs are responsible for ensuring that information risk is managed appropriately and for providing assurances to a Board level lead termed a Senior Information Risk Owner (SIRO).
• Information Asset Administrator
  • IAAs are operational staff with day to day responsibility for managing risks to their information assets.
• SIRO: Senior Information Risk Owner
  • Is accountable
  • Fosters a culture for protecting and using data
  • Provides a focal point for managing information risks and incidents
  • Is concerned with the management of all information assets
• Caldicott Guardians
  • Is advisory
  • Is the conscience of the organisation
  • Provides a focal point for patient confidentiality & information sharing issues
  • Is concerned with the management of patient information
• Privacy Officers
Process Overview
• Suppliers:
  • Implement ISMS review & improvement activities
  • Submit results to Organisation, e.g. audit reports, risk corrective action plans, areas of concern, evidence of BAU activities
• Suppliers:
  • Plan ISMS review & improvement activities, e.g. annual audit schedules
  • Plan risk corrective action planning / reviewing etc.
• Organisation IG:
  • Inform programmes of impending supplier reviews
• Suppliers:
  • Review ISMS review & improvement activities
• Organisation IG:
  • Review results
  • Provide guidance and influence supplier improvement activities, e.g. audit schedule
  • Ensure there is evidence of BAU ISMS activities
• Suppliers:
  • Implement risk corrective action plans
• Organisation IG:
  • Cascade risk corrective action plans to relevant programmes
  • Monitor risk corrective action plans
Information Assurance Regulatory Bodies
• ICO: Information Commissioner’s Office
  • Independent authority set up to promote access to official information and protect personal information
• CESG:
  • The Information Assurance (IA) arm of GCHQ and the Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing, which helps its customers achieve their aims.
  • http://www.gchq.gov.uk/about_us/cesg.html
• CPNI:
  • The Government authority which provides protective security advice to businesses and organisations across the national infrastructure.
• CSIA:
  • The Central Sponsor for Information Assurance (CSIA) is a unit within the UK Government's Cabinet Office providing a central focus for Information Assurance (IA) activity across the UK.
Some positive quotes:
• The Royal College of GPs has put their support behind the national rollout of the Summary Care Record. They said concerns over security of records and patient confidentiality had now been resolved, and declared ‘the need for a shared record is compelling’.
• A team of RAF security experts recently spent three days attempting to penetrate the wireless networking component of a managed service covering healthcare for British Forces in Germany – and failed. The secure networking is part of a managed service, PAS 2.0, for Guy’s and St Thomas’ NHS Foundation Trust. – eHealth Insider, Jan 09
• The Royal Marsden Hospital director of ICT Jon Reed said: "We've been able to create a remote environment that enables clinicians to have access to the applications they require but at the same time enforce the highest level of security for confidential patient records.” – Public Sector Case study, silicon.com, Aug 08