In light of recent NHS data breaches, Steve Mellings, founder of the Asset Disposal & Information Security Alliance and DP Governance Limited, looks at the importance of data protection
By the end of May next year, a key EU regulation governing data protection will have become part of UK law. The EU General Data Protection Regulation (GDPR) goes far further than existing legislation and comes at a time when technological and cultural attitudes towards data have changed beyond recognition. With both the Secretary of State, Karen Bradley, and the Information Commissioner, Elizabeth Denham, confirming that Brexit will not stop the adoption of GDPR, we know that this is one last EU law which we cannot ignore. So, why is it so significant?
It’s been 20 years since the last EU Data Protection law. In that time we have grown to view data, personally and in the business sense, as a commodity. People now post pictures, tweet secrets and trade insults from a wide variety of devices – and in the process, break down the barriers to privacy our physical environment once provided.
This release of control on a personal level has boosted the appetite from businesses to use data in far more aggressive and advantageous ways. The concept of ‘Big Data’ is largely down to the ability of data analytics to take swathes of unstructured information and analyse and use it in ways which might prove useful for the controller. There is a statistic that suggests 90 per cent of all data generated came about in the past three years, so it follows that data protection is more than a passing fad and we’re at the very beginning of what will be a long, drawn-out battle to maximise data usefulness but not at the detriment of our privacy or rights.
The starting point was the passing of the EU GDPR. And for once the regulators seem to have done a good job, and in quite difficult circumstances when you consider the varying maturity of data protection across the broad EU membership. It’s a sensible piece of law. It’s more specific than its predecessors, and whilst it still does not deal in absolutes, it gives many clear guidelines that provide a starting point.
Of course, business will only start to take a real interest when cases are brought and penalty notices are served by the regulator. Or, worse, courts begin making awards for victims of non-compliance. Until then, many will undoubtedly pay lip service in terms of improvements, moving tentatively towards compliance.
But inaction is not an option. And, unlike many headline makers, I don’t believe the real concern is the published increase in the maximum fine, nor the proliferation of ‘cyber stories’. These are just a smokescreen. More important are the fundamental changes within the regulations that will force businesses to view data protection, not as a bolt on, but as an entire wrap-around solution.
Mandatory breach notification, privacy impact assessments, evidence of permissible use from data subjects and the need to have business operations wrapped up in data protection processes (‘privacy by design’) are the key themes. None of these can be ignored, and none can simply be added on. They need embedding and implementing across all business operations, extending well beyond the limits of a technology remit. After all, a data breach from a badly disposed-of asset or a lost USB stick is not a cyber attack, but a type of data breach resulting from a varied range of possible sources, including human error.
Approaching data protection
So if those operating in data protection or regulatory compliance look to the industry for help then, sadly, the industry will leave them wanting. The volume of FUD (fear, uncertainty and doubt) spread so liberally throughout marketing and social media feeds is enormous. If one is to believe some articles, GDPR will spell the end of operational compliance as we know it - the only solution being to spend on seemingly endless technical solutions.
The truth, in my opinion, is a little different. Yes, I agree that in my experience the way organisations approach data protection today is not sufficient for current laws, let alone GDPR. But this doesn’t mean you need to open the chequebook and wildly start spending. There are too many within the information security - and wider data protection - sector who promote compliance (£250 compliance tool kit, anyone?) or sell solutions proclaiming they ‘help you meet your information security needs’, when all they are promoting is one small part of an operational and technical ecosystem which must be fully understood and controlled from within.
So, when faced with the question of helping data protection within the NHS, do we shut down and lock the door to show compliance - or take a pragmatic view and look to finally embark on a programme of improvement which results in what we all want – secure, available and accurate information to help our health system?
If so, where do we start? Like all improvement programmes, a solid first step must be an acceptance that problems exist and the motivation from all concerned to move from where they are today to where they want to be. For data protection, this means understanding your current situation, and for the NHS, that doesn’t mean just asking the information governance manager or senior information risk officer. Data protection has a far more varied range of influencing factors than is generally understood - from supply chain management to information security, HR and training, and third-party management.
There are so many contributing factors that it is unsurprising that many organisations prefer to deal with known issues than look beyond them to the root cause. In fact, many legal houses are simply advising clients to prepare for a breach and invest in incident management and cyber insurance, seemingly in the belief that the problem is unmanageable.
What precisely is the problem?
I am fortunate enough to be involved in a project called DPG Pathfinder, which looks to break down the ‘where are we now’ question into smaller, more manageable and explicit areas. I contributed my specialist area of data processors and IT asset disposal, an area in which the NHS has historically suffered (over £500,000 in fines). But the project as a whole identifies over 70 core business activities and more than 1,300 areas of potential root cause issues.
Capturing intelligence relating to all of these, and enabling businesses to see the critical areas of concern, helps them progress from that difficult first step - because they know where they need to get to and understand how to get there.
During this project, I spoke to many practitioners and found a real feeling of being overwhelmed by the enormity of the project. Even seasoned information security professionals were only looking at problems from their own silo and admitted to feeling neither empowered nor motivated to take on more. Further still, risk-owners or heads of cyber were frustrated that, whilst the buck stopped with them, they didn’t feel they had the scope of resource to take on what they saw as an organisation-wide problem.
So when we look specifically at the NHS and GDPR, the question of ‘what precisely is the problem’ is perhaps the most pertinent. Even a cursory look at the penalty notices on the ICO website shows that the NHS has a history of dealing with data badly. But is that any surprise? In an environment where data is one of the most critical assets and needs to be available to be useful, and where the core purpose is health care, then any spend away from providing those front-line services is wasteful, is it not?
So, without getting into a political discussion about budgets and resource allocation, it’s clear to see why information governance and cyber is seemingly not viewed as an imperative requirement within the NHS. A recent Sky News freedom of information request showed that the average annual spend on cyber was £23,040. But with North Lincolnshire and Goole NHS Foundation Trust being forced to cancel operations due to malware, the time has surely come when spending in this area cannot be viewed purely as a cost. It must be viewed as an essential strategic spend.
But where do you spend your meagre budget?
As outlined, cyber is just one part of data protection and the wider framework needs to be explored to create a solid foundation from which to grow. A data protection ecosystem is constructed of varied and interlinked operational processes which build together to not only deliver on their operational purpose but to help put key building blocks in place to help the overall objective of data protection.
A cyber attack due to malware may be due to poorly configured hardware, bad user training, lack of investment in intrusion detection or a failure to respond to alerts. All of these can be viewed as standalone issues to be addressed after an investigation but that wouldn’t stop the same issue arising from a different attack vector.
If organisations are to stop having to respond to issues in a knee-jerk and reactive way, the best defence is to look at the root cause of the issues and to effect change in these areas. If the NHS wants to take on data protection then there will be short-term pain, as resources will be needed, budget will need to be allocated and motivation found. I discovered during my work on Pathfinder that, once a business starts to fully understand the scope of the problem, the solutions themselves don’t need to cost the earth.
Training, new policies, auditing and vigilance are typically all in-house solutions which can start to shift the balance of power back into the hands of the controllers. Knowing where to focus and where to spend a limited budget is key if management are to view data protection not as an insurmountable challenge but as a key business function, worthy of investment, strategic in nature and, most importantly of all, everyone’s problem.