Dan Taylor: taking security out of the bunker
- 17 May 2016
However hard I try, it seems clear to me that cyber security still lives in the shadows.
It’s perceived as a dark art, something that we geeks do in a closeted room, fiddling about with routers and firewalls, obsessing over the latest firmware or attack vector, while plotting to get our hands on some nice, shiny piece of new hardware.
Of course we don’t help ourselves. I’m writing this whilst sitting in a white box that is our secure area at the Health and Social Care Information Centre.
We have PIN code entry, CCTV monitoring, different colour paper to use depending on whether we are recording sensitive information or not; and visitors are checked for security clearance and are frisked to make sure they’re not carrying concealed malware (ok, I may have made the last part up).
However, this perception is the biggest threat we have to keeping our health data and information safe. I know it may sound crazy, but just think about it for a moment.
If we think that the ability to keep our information safe lies solely with security experts, then we’re either saying that we as individuals are not accountable, or we are trusting the security of the many with the few. Surely that can’t be right?
Enabled by security
Anyone who hears me speak at events or conferences (when I am let out of the secure area, forms appropriately signed in triplicate) will hear me use the expression: “enabled by security”.
My belief is that this is a key tenet of delivering systems and services in the HSCIC. The move to electronic records, and the digital transfer of information and the technology-enabled patient care that goes with them, has inherent risks.
But it also has exponential benefits to patients and the health and care system as a whole. Security should enable technological innovation, not by saying “no, you can’t do that”, but by saying “we can make this safer, by doing this…”
I champion the principle of ‘secure by design’; the idea that when something is designed it is designed with security as a first principle. Not a bolt on, not an addition, but an integral part of the system, service, or product.
If new infrastructure is deployed at any organisation, security should be built in and considered at the design stage, not as an afterthought.
However, technology cannot be the only line of defence. Yes, it is likely to start there, but as I observed at the start, does security really lie with security specialists and technology alone? The answer has to be “no”.
Defence in depth
When focussing on cyber security across health and care, the HSCIC considers three principles: people, process and technology. We call this a ‘defence in depth’ model.
I’m not going to cover technology in this column, not because it’s less important, but because I want to emphasise that security isn’t just about the tech (the darkened rooms or secure areas) but about our people and the processes that we all use day in and day out.
Effective security has to start with our people. Estimates vary, but official figures from the HSCIC show that around 1.3 million people work within health; the vast majority in delivering care.
Delivering great care involves handling confidential and sensitive data and using systems and services that transmit, store and record information, which is critical to patients and drives better outcomes.
We’ve all seen the news of the 56 Dean Street breach, a cyber security incident that wasn’t caused by technology.
This breach – which has just attracted a £180,000 fine from the Information Commissioner’s Office – happened because an individual made a mistake. They wanted to send out a newsletter and pasted its distribution list into the visible ‘To’ field of the email rather than Bcc, so every recipient could see everyone else’s address.
This is not a criticism. After all, what are we doing as a sector to make sure our people understand their personal responsibilities in security?
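The failure mode above is mechanical enough to catch before the message leaves the building. What follows is an added example, not code from this column or from HSCIC: a check that a mail gateway or send hook could run on an outbound message, holding any mailing whose recipient list sits in a header every recipient can read. It assumes the hook can hand over the raw RFC 5322 message and the SMTP envelope recipients; the limit, the sender address and the twelve subscriber addresses are constructed for illustration.

```python
"""Outbound-mail check for a bulk send whose recipients are visible to each other.

Added example, not the column's or HSCIC's code. Assumes a sending hook or gateway
supplies the raw message text plus the SMTP envelope recipients; the limit and the
sample data below are constructed for illustration.
"""
from email import policy
from email.parser import Parser
from email.utils import getaddresses

VISIBLE_RECIPIENT_LIMIT = 10  # assumed policy threshold; tune per organisation


def visible_recipients(raw_message: str) -> set[str]:
    """Addresses every recipient can see: everything named in To and Cc."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    fields = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}


def check_bulk_send(raw_message: str, envelope_recipients: list[str],
                    limit: int = VISIBLE_RECIPIENT_LIMIT) -> dict:
    """Decide whether an outbound message should be held for review.

    Recipients the SMTP envelope delivers to but the headers do not name are
    Bcc (hidden) recipients; only the visible ones create a disclosure risk, so
    a large Bcc mailing passes while the same list in To or Cc is held.
    """
    visible = visible_recipients(raw_message)
    envelope = {a.lower() for a in envelope_recipients}
    hidden = envelope - visible
    hold = len(visible) > limit
    return {
        "visible_count": len(visible),
        "hidden_count": len(hidden),
        "hold": hold,
        "reason": (f"{len(visible)} recipients can see each other's addresses "
                   f"(limit {limit}); move the list to Bcc") if hold else "ok",
    }


# Constructed sample data: twelve fictitious subscribers, not a real mailing list.
SAMPLE_RECIPIENTS = [f"patient{i:02d}@example.net" for i in range(1, 13)]


def make_newsletter(recipients: list[str], field: str = "To") -> str:
    """Build a minimal newsletter with the list in the given header (constructed data)."""
    return (
        "From: newsletter@clinic.example.org\n"
        f"{field}: {', '.join(recipients)}\n"
        "Subject: Service newsletter\n"
        "\n"
        "Newsletter body.\n"
    )


if __name__ == "__main__":
    unsafe = make_newsletter(SAMPLE_RECIPIENTS, "To")   # list in To: held
    safe = make_newsletter(SAMPLE_RECIPIENTS, "Bcc")    # list in Bcc: passes
    print(check_bulk_send(unsafe, SAMPLE_RECIPIENTS))
    print(check_bulk_send(safe, SAMPLE_RECIPIENTS))
```

The check compares the envelope against the headers rather than looking for a Bcc header, because mail clients and submission servers usually strip Bcc before a gateway sees the message; counting what the headers expose is the part that survives that path.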
Invest in our people
Security starts on the front line, not in a locked white room full of security experts. Do our colleagues have the relevant basic training in cyber security?
Do they understand their personal responsibility to keep data safe? Do they have specialist training to ensure their particular role maintains security?
As the NHS records, uses and transmits more and more information as part of the digital revolution, we need to support our people more and more, so that they can fulfil their responsibilities around information security.
At the HSCIC, we are in beta testing for a national cyber security training platform which will cover a number of basic areas for all staff and deliver a more complex module for more specialist staff.
It will be available to all health and care organisations and we hope it will enable them to support and develop colleagues, so we can be sure our people form the first line of defence in securing information.
Best practice process
Process might sound boring, but it isn’t mundane. Appropriate processes provide the assurance that we work within a safe tolerance, and that we do things in a repeatable way that drives consistency and ensures security.
The scope is wide. For example, do we have appropriate patching regimes for applications and systems to ensure vulnerabilities are closed?
Do we have good movers, leavers and changes processes to make sure access to systems is monitored and maintained? Do we have a process in place to remediate known cyber threats?
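A movers and leavers process only works if someone checks that access actually changed. The following is an added example, not code from this column or from HSCIC: a reconciliation that compares an HR feed against a directory export and reports leavers whose accounts are still enabled, people who have moved role but kept groups their new role should not hold, and enabled accounts with no HR record at all. The role-to-group mapping, the record layout and the sample people are all assumptions constructed for illustration.

```python
"""Movers and leavers reconciliation: does the directory match the HR feed?

Added example, not the column's or HSCIC's code. Assumes two exports as lists of
dicts: an HR feed (who is employed, in which role, and who has left) and a
directory export (which accounts are enabled and which groups they hold). The
entitlement model and the records below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed entitlement model: each role should hold exactly these groups.
ROLE_GROUPS = {
    "ward-nurse": {"clinical-readers"},
    "pharmacist": {"clinical-readers", "prescribing"},
    "finance-analyst": {"finance-readers"},
}


@dataclass(frozen=True)
class Finding:
    kind: str    # leaver-enabled | excess-group | missing-group | orphan-account
    user: str
    detail: str


def reconcile(hr_feed: list[dict], directory: list[dict]) -> list[Finding]:
    """Compare every directory account against its HR record and return the gaps."""
    hr = {rec["user"]: rec for rec in hr_feed}
    findings = []
    for acct in directory:
        user, groups = acct["user"], set(acct["groups"])
        rec = hr.get(user)
        if rec is None:
            # Nobody in HR owns this account; if it can log in, someone must justify it.
            if acct["enabled"]:
                findings.append(Finding("orphan-account", user,
                                        "enabled account with no HR record"))
            continue
        if rec["status"] == "left":
            # Leaver: the account should be disabled and stripped of every group.
            if acct["enabled"] or groups:
                findings.append(Finding("leaver-enabled", user,
                                        f"left on {rec['end_date']}; account enabled="
                                        f"{acct['enabled']}, groups={sorted(groups)}"))
            continue
        # Active staff: groups must match the current role. A mover who kept the
        # groups of a previous role shows up here as excess membership.
        expected = ROLE_GROUPS.get(rec["role"], set())
        excess, missing = groups - expected, expected - groups
        if excess:
            findings.append(Finding("excess-group", user,
                                    f"role {rec['role']} should not hold {sorted(excess)}"))
        if missing:
            findings.append(Finding("missing-group", user,
                                    f"role {rec['role']} lacks {sorted(missing)}"))
    return findings


# Constructed sample data, not real staff or systems.
SAMPLE_HR = [
    {"user": "alice", "status": "active", "role": "ward-nurse"},
    {"user": "bob", "status": "active", "role": "ward-nurse"},      # moved from pharmacist
    {"user": "carol", "status": "left", "role": "pharmacist", "end_date": "2016-04-30"},
    {"user": "dave", "status": "active", "role": "finance-analyst"},
    {"user": "erin", "status": "left", "role": "ward-nurse", "end_date": "2016-03-31"},
]
SAMPLE_DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": ["clinical-readers"]},
    {"user": "bob", "enabled": True, "groups": ["clinical-readers", "prescribing"]},
    {"user": "carol", "enabled": True, "groups": ["clinical-readers", "prescribing"]},
    {"user": "dave", "enabled": True, "groups": ["finance-readers"]},
    {"user": "erin", "enabled": False, "groups": []},                 # leaver handled correctly
    {"user": "svc-legacy", "enabled": True, "groups": ["finance-readers"]},
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_DIRECTORY):
        print(f"{f.kind:16} {f.user:12} {f.detail}")
```

Run on a schedule, the leaver and orphan findings are the ones to treat as incidents rather than tidy-ups: each is an account that can still authenticate with no one currently accountable for it.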
Put it all together
If we can marry excellent security processes with investment in our people, while delivering technology that’s secure by design; then we can stay ahead of the game.
I haven’t enough words in this article to look at each area in detail, but the important theme I want to distil is the need for defence in depth. Invest in people, support and implement best standard process, deploy technology that’s secure; and this will secure our information.
Dan Taylor