Dan Taylor: what data security can learn from Euro 2016

  • 14 July 2016
If there’s one thing we’ve learned from English football’s latest debacle, it’s that whatever happens on the pitch it’s the manager or head coach that has to fall on his sword. 

It’s not like you see Jack, ‘Wazza’ or Joe resigning or offering back their match fees. No, it’s poor Roy who has to stand in front of the media in the 21st century equivalent of medieval stocks. 

Keep it to yourself, but as a West Brom fan I have a soft spot for Mr Hodgson; alas, he was stolen from us by those pesky suits at the FA. Fear not Roy, you’re welcome at the Hawthorns anytime.

Leadership matters

But, if we are being honest, a good leader goes a long way. To carry on the sporting theme, England’s rugby union side has been transformed through a new man at the top with strong leadership and fresh ideas. 

The inspiration of Ivan Lendl has driven Andy Murray to his third grand slam win, while Welsh football manager Chris Coleman took a limited side with some superstar talent (let’s be honest)  to the Euro 2016 semi-finals. 

We’ve all worked for good leaders. The people we remember from our career who inspired us or led from the front. A thought leader who drove us and our organisation forward. 

I remember Mr Inman at secondary school – he made ‘An Inspector Calls’ come alive, reading to us with a magnifying glass because his cataracts were so bad, but inspiring me to love literature and to want to read outside of the classroom. 

In work, I’ve been lucky to work for strong leaders. One day I might be a leader that people trust in…one day Dan, one day. But it’s not often we think of leaders in the data security space, is it? 

There are a few; Dame Fiona Caldicott is, of course, one of the most prominent; perhaps your Caldicott Guardian or IG lead. But just have a think…who is the person in your organisation who is leading the fight for good data security? 

Not so easy is it? 

So let’s make it even harder. How many clinicians are banging down the door of the ICT building, or the office of the IG lead or the entry to the secure area to make sure that you, I, and everyone else is doing what they need to do to protect data? Hmm…

Where are the NHS data security leaders?

Is it that these leaders exist, but we do not have enough of them? This isn’t a criticism, but I think there is a presumption or an assumption (both dangerous) that cyber security and data security is somebody else’s domain. 

To some extent I understand this; I might be able to tell you if a data centre can safely store patient data, but I leave the angioplasty to the experts.

Even so, I’d argue that cyber security is a bit like hygiene in a hospital. It is something that every member of staff has a responsibility for, whether that is the management accountant or a cardio surgeon. 

Everyone should practise good hygiene to prevent the spread of infection. As I said three months ago in my first article, should we leave the data security of the many, to the few? 

Earlier this month, the National Data Guardian Review into Data Security, Consent and Opt-outs was published (let’s use the shorthand NDG Review from here on in, after all they only give me a thousand words) (which is why we call it Caldicott 3 – ed).  

Dame Fiona has a very clear view on leadership in data security. It isn’t buried half way through the review or hidden in an annex; her first recommendation reads: “The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.”

That’s pretty unambiguous.

The threat: it’s real, and we need to manage it

However, I’d like to take a step back and answer a few points that have been put to me on the back of my earlier columns. 

Genuine thanks for all the questions and queries, and a massive thank you also to those who commented, emailed and got in touch in respect to my last article asking for user feedback. I’ll write something on that next month and in the meantime, keep your comments coming. 

What I want to address is the threat. Let me do something that isn’t often said out loud or printed in column inches regarding data security in health; the threat is real, it is growing, and as an example, health has the greatest number of recorded data breaches of any sector in the latest Information Commissioner’s Office Report. 

Further, in a digital world, poor data security could lead to the integrity of data being compromised, or the availability of data being put at risk. Data security can affect patient outcomes. 

That shouldn’t be feared or overstated; it’s a risk to be managed and we are managing it, but we should slap on a health warning that as we make more information available digitally this risk needs to be managed in a different way.

That’s the diagnosis, here’s my recommended treatment; build on the good people we have, develop a culture that protects data; and ensure we have effective leadership that invests in people, process and technology. 

The NDG is clear on this, but also that health is working hard to improve data security through committed staff across the system. In five years’ time, though, the methods and modes to deliver health and care will have been revolutionised. 

Handling, storing and securing data will have moved more towards digital and we need to move fast to keep pace with this change. This is where the leaders come in.

Too risky to be left to ‘experts’

The NDG review is great and for me, working in this sphere, it’s everything we could have hoped for as a platform to build from. But as I have said before, we at the centre are here to enable, not mandate. Our job is to enable better data security and protections locally. 

In the distributed model of the NHS it would be naïve of me to suggest the NDG review and a dozen of us in my team alone could enhance what we do across the entire health and care system. 

As such, we need people to step forward, grasp the nettle and make sure the health and care sector becomes a leader in the data security field. This isn’t just about technology; it also encompasses people and process.

The Health and Social Care Information Centre, and initiatives we’ll be launching this year, will be there to support the implementation of the NDG recommendations and standards (subject to consultation, of course). 

But real change will start with local leaders who want to change, motivate and improve how we manage data and information at an organisational and regional level. It’s also important that these leaders include CCIOs and clinicians, who add such a strong voice and who understand how data security can maintain positive patient outcomes.

If we have strong leaders, we will improve. If we lead, others will follow. Everyone working in health has a personal responsibility to secure data, but sometimes we need someone to inspire us, to ensure we understand why we have that responsibility and to be the physical embodiment of what the NDG is seeking to achieve. 

Finding leaders on the ground

It’s like the football: Roy was a coach, but he didn’t lead. Leadership is having a clear philosophy, message and purpose. Oh Roy, that so wasn’t you.  

However, we have an opportunity to be leaders in this field – not as specialist security experts but as proponents of excellence in information and data security within our organisations. Leadership can make such a massive difference.  

This won’t be for everyone. The NDG review is clear that leadership must be from the top, but my advice is leadership on protection of data can be your ward sister, your office manager, or your records clerk. I think it’s time we stood up and continue to stand up.

If you don’t fancy that of course, I know a job going at St George’s Park, care of the Football Association… although I reckon data security might be easier.

Dan Taylor

Dan Taylor is programme head for the Cyber Security Programme (CSP) and leads the Health and Social Care Information Centre's security operations.

The CSP undertakes a number of projects to build cyber-security defence across the country. Chiefly, Dan and his team have brought into operation the CareCERT service, which helps health and care respond to potential threats as cyber security becomes ever more important in our current age of technology.

Dan has worked with the HSCIC and its forerunner operations since 2010, having previously worked across the NHS in management and leadership roles since 2004.
