Compromising data

Nick van der Bijl BEM, from the National Assiociation for Healthcare Security, investigates.

Recently a television investigation claimed that the patient records held by a private sector hospital had been offered to undercover investigators for £4 each by foreign sales representatives. The hospital had contracted the digitalisation of patient notes to a UK-based company. This supplier then passed the work to a sub-contractor, who, in turn, transferred the work to a third UK-based company. It was then contracted to a foreign sub-contractor and it was at this stage that human frailities stepped in when some files were offered for sale by two men with access to the information at the transcription centre. No NHS patient notes appear not to have been compromised although some files contained GP referral letters.

Data protection
UK data protection is governed by eight principles contained within the 1998 Data Protection Act, thus:

• Information must be processed fairly and lawfully.
• Information must be processed for one or more specified or lawful purpose, and not further processed in any way that is incompatible with the original purpose.Information must be adequate, relevant and not excessive.
• Information must be accurate and, where necessary, kept up to date.
• Information must be kept for no longer than is necessary for the purpose for which it is being used.
• Information must be processed in line with the rights of the individual.
• Information must be kept secure with appropriate technical and organisational measures taken to protect the information. 
• Information must not be transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the information

Section 55 (1a) of the Act also states that ‘A person must not knowingly or recklessly, without consent of the data controller obtain or disclose personal data or the information contained in the personal data’
    
During its convoluted passage, the information was technically in breach of:

• Principle 6 – Information must be processed in line with the rights of the individual.
• Principle 8 – Data shall not be transferred outside of the EEA (European Economic Area.  
• Principle 2 – Information must be processed for one or more specified or lawful purpose, and not further processed in any way that is incompatible with the original purpose.

High risk by nature
By its very nature, electronic information runs a high risk of being compromised, particularly in an age in which it can be manipulated with sometimes careless abandon. Some nations have acquired reputations as cost-effective outsourced IT labour, but not all have the same stringent data protection culture evident in the UK. Accepting that the hospital transferred the work in good faith, in risk management terms, it was responsible for the information until the contract conclusion. This can be difficult to achieve in some distant countries where there are thriving entrepreneurs with aspirations of wealth.
    
There are always lessons to be learned from every breach of security. In 1993, the then chief executive Sir Duncan Nicholls commented in a report on healthcare security: “Hospital exits and entrances were open much of the time, allowing anyone to walk in unchallenged. The lack of adequate security measures in hospitals is making them a paradise for opportunist thieves and vandals. One manager commented that hospitals were supermarkets without tills.”
    
Concerns had been raised about the theft of NHS and public property from NHS Trusts and, while this has not disappeared, by any means, the advent of convenient electronic information equipment, such as laptops, memory sticks and mobile communications, has escalated opportunities for data compromise. Electronic correspondence has made communications easier but it is evident from the losses that organisations are failing to develop defences to protect information. One application was the use by some medical fraternities of using Facebook to discuss patient treatment. This resulted in the 1990s in the recruitment of security managers by forward-thinking hospitals to advise on the protection of hospitals and their assets.

Protecting information
Accepting that NHS Connecting for Health is rolling out protective software, this is about 25 per cent part of the answer. The other 75 per cent revolves around practices that, at first sight, have little to do with computers – security awareness, physical security measures, investigation, accountability and common sense – but are critical. Defending electronic information solely with software is naïve.
    
A hospital manager managed to lose a laptop from his car by breaking a basic crime prevention principle of never leaving property in a view in a vehicle. Statistics suggest that it is at very high risk of theft. In offering the inevitable apology, a spokesman said that since the information had been encrypted and the laptop password could be accessed only by authorised staff, there was little chance that patient details could be compromised. The hospital seemed not to accept that personal information is part of the supermarket mentioned by Sir Duncan and that, given time, every security meaure can be breached. The Trust then went on the defensive by announcing that staff had been advised not to store such information on laptops.
    
So what principal lesson do we draw from this statement – Buy a pencil! This is backward step in an electronic age. A single lightweight laptop has replaced bundles of heavy files. They are vital components in the target-driven and evidence-gathering business culture of the 21st century NHS. It therefore follows that mature protective security measures should be adopted.

Understanding the problem
Careless handling of laptops has drawn stern warnings from the Information Commissioner’s Office, and rightly so, that compromise by public bodies is unacceptable. But that it still happens suggests that those responsible for information security either are not taking the matter seriously or, more likely, do not understand how information security fits into the overall security strategy. The problem that the ease in which information is gained is replicated by the lax manner in which it is protected.
    
A fundamental problem is that finance departments are often entrusted with information security and governance. Essentially, the guardian of the most important asset that a hospital has, namely information, is divorced from the department employed to protect the organisation, namely the security department. The conclusion must be that until such time as all security issues, such as security awareness, are placed under a single umbrella of security managers qualified in all aspects of protective security, then avoidable breaches of information will continue. An alternative is to employ information security specialists working directly with the security manager to develop electronic security strategies, enhance security awareness, training and education and investigate breaches of information security.   

Conclusions
No organisation can claim to be 100 per cent infallible and the actions of deliberate or accidental rogues will always overide corporate codes.
    
The use of offshore contractors to manipulate information is fraught with the risk of security controls being breached. When formulating contracts, think the unthinkable, guard against the unexpected and challenge assumptions.
    
Responses to breaches of IT security need to be mature and focused on learning lessons.   
    
Cost effective protection of information can be achieved by a sensible, co-ordinated security organisational structure using security systems working from the centre outwards.