Dan Taylor: taking security out of the bunker

  • 17 May 2016
Dan Taylor: taking security out of the bunker
Or: how to stop worrying and learn to love defence in depth

However hard I try, it seems clear to me that cyber security still lives in the shadows.

 It’s perceived as a dark art, something that we geeks do in a closeted room, fiddling about with routers and firewalls, obsessing over the latest firmware or actor vector, while plotting to get our hands on some nice, shiny piece of new hardware.

Of course we don’t help ourselves. I’m writing this whilst sitting in a white box that is our secure area at the Health and Social Care Information Centre.

We have PIN code entry, CCTV monitoring, different colour paper to use depending on whether we are recording sensitive information or not;  and visitors are checked for security clearance and are frisked to make sure they’re not carrying concealed malware (ok, I may have made the last part up).

However, this perception is the biggest threat we have to keeping our health data and information safe. I know it may sound crazy, but just think about it for a moment.

If we think that the ability to keep our information safe lies solely with security experts, then we’re either saying that we as individuals are not accountable, or we are trusting the security of the many with the few. Surely that can’t be right?

Enabled by security

Anyone who hears me speak at events or conferences (when I am let out of the secure area, forms appropriately signed in triplicate) will hear me use the expression: “enabled by security”.

My belief is that this is a key tenet of delivering systems and services in the HSCIC. The move to electronic records, and the digital transfer of information and the technology enabled patient care that goes with them, has inherent risks.

But it also has exponential benefits to patients and the health and care system as a whole. Security should enable technological innovation, not by saying “no, you can’t do that”, but by saying “we can make this safer, by doing this…”

I champion the principle of ‘secure by design’; the idea that when something is designed it is designed with security as a first principle. Not a bolt on, not an addition, but an integral part of the system, service, or product.

If new infrastructure is deployed at any organisation, security should be built in and considered at the design stage, not as an afterthought.

However, technology cannot be the only line of defence. Yes, it is likely to start there, but as I observed at the start, does security really lie with security specialists and technology alone? The answer has to be “no”.

Defence in depth

When focussing on cyber security across health and care, the HSCIC considers three principles; people, process and technology. We call this a ‘defence in depth’ model.

I’m not going to cover technology in this column, not because it’s less important, but because I want to emphasise that security isn’t just about the tech (the darkened rooms or secure areas) but about our people and the processes that we all use day in and day out.

Effective security has to start with our people. Estimates vary, but official figures from the HSCIC show that around 1.3 million people work within health; the vast majority in delivering care.

Delivering great care involves handling confidential and sensitive data and using systems and services that transmit, store and record information, which is critical to patients and drives better outcomes.

We’ve all seen the news of the 56 Dean Street breach, a cyber security incident that wasn’t caused by technology.

This breach – which has just attracted a £180,000 fine from the Information Commissioner’s Office – happened because an individual made a mistake. They wanted to send out a newsletter and copied its distribution list into an email so that the distribution was visible to all.

This is not a criticism. After all, what are we doing as a sector to make sure our people understand their personal responsibilities in security?

Invest in our people

Security starts on the front line, not in a locked white room full of security experts. Do our colleagues have the relevant basic training in cyber security?

Do they understand their personal responsibility to keep data safe? Do they have specialist training to ensure their particular role maintains security?

 As the NHS records, uses and transmits more and more information as part of the digital revolution, we need to support our people more and more, so that they can fulfil their responsibilities around information security.

At the HSCIC, we are in beta testing for a national cyber security training platform which will cover a number of basic areas for all staff and deliver a more complex module for more specialist staff.

It will be available to all health and care organisations and we hope it enable them to support and develop colleagues, so we can be sure our people form the first line of defence in securing information.

Best practice process

Process might sound boring, but it isn’t mundane. Appropriate processes provide the assurance that we work within a safe tolerance, and that we do things in a repeatable way that drives consistency and ensures security.

It’s as broad as it is wide. For example, do we have appropriate patching regimes for applications and systems to ensure vulnerabilities are closed?

Do we have good movers, leavers and changes processes to make sure access to systems is monitored and maintained? Do we have a process in place to remediate known cyber threats?

Put it all together

If we can marry excellent security processes with investment in our people, while delivering technology that’s secure by design; then we can stay ahead of the game.

I haven’t enough words in this article to look at each area in detail, but the important theme I want to distil is the need for defence in depth.  Invest in people, support and implement best standard process, deploy technology that’s secure; and this will secure our information.

Dan Taylor


 

Dan Taylor is programme head for the Cyber Security Programme (CSP) and leads the Health and Social Care Information Centre's security operations.

The CSP undertakes a number of projects to build cyber-security defence across the country. Chiefly, Dan and his team have brought into operation the CareCERT service, which helps heath and care respond to potential threats as cyber security becomes ever more important in our current age of technology.

Dan has worked with the HSCIC and its forerunner operations since 2010, having previously worked across the NHS in management and leadership roles since 2004.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

How to equip NHS staff with cyber security skills they will use

How to equip NHS staff with cyber security skills they will use

Too often, cyber security training is a seen as a burden. But it is possible to make it relevant and useful, writes Nasser Arif.
Cheshire and Merseyside ICS selects cyber security platform

Cheshire and Merseyside ICS selects cyber security platform

Cheshire and Merseyside Integrated Care System has selected a healthcare cyber security platform from Cynerio to strengthen its defences.
How to find your inner ‘cyber defender’

How to find your inner ‘cyber defender’

A "back to basics" and "honest" approach to personal cyber security can help NHS staff make larger improvements at work, writes Nasser Arif.