NHS systemic security issues highlight need for regular IT security audits

Reports that the Information Commissioner’s Office (ICO) is working with Connecting for Health to improve data security in the NHS are good to hear, but if the problem is – as has been reported – systemic in nature, then more radical action may be needed.

With approaching three per cent of the UK’s adult population now employed by the NHS, logic suggests that a sizeable number of these employees will – for one reason or another – be unlikely to fully take on board the reasons why IT security needs to be addressed in everything they do.

Most NHS staff – who do an excellent job by the way – understand they should not discuss patients outside of work, and also not compromise the patient’s personal information in any shape or form, but it’s a long way from securing a buff folder in a hospital environment to understanding why data held on a USB stick needs to be secure.

And this is what IT security professionals call stakeholder buy-in – a fundamental understanding of why security rules are in place and that staff need to do everything possible to maintain the integrity of those rules.

In an ideal world, every member of staff in the NHS – and any other organisation for that matter – would understand why security is needed, and defend their organisation’s data integrity at all times.

But in the real world, people go out of an evening, stop out late and, after feeling tired the next day, make a mistake with a USB stick, smartphone or laptop – which is where good IT security defences really come into their own.

These defences step in and do the electronic equivalent of asking the person ‘do you really want/need to do this?’ or even simply blocking the member of staff from performing what appears to be a silly or misinformed action.

But in order to complete these actions effectively, IT security needs to be pervasive, and that means that its efficiency and overall ability to protect data at all times needs to be reviewed and verified on an ongoing basis.

IT security has become a multi-faceted problem. The people who want access to systems, data or money have learnt to probe any weakness, whether that be social engineering or just gathering information that allows entry, careless conversations, insecure mobile storage or access to central systems.

Let’s not forget the more common access through hacking techniques. Reports of USB sticks being dropped in car parks, laptops left on trains and emails opened with ‘backdoors’ in them make good news.

There is no doubt the human element has been sensational but we must never forget that these incidents are small in number compared to the millions of attempted hacks via intrusion from outside to inside networks.

Budgets are hard pressed. Never let your efforts be distracted by what is in the news when a few pounds spent on enhancing your defences can dramatically improve your mitigation capability at the network perimeter (IPS/IDS/Firewall).

There is a major difference between creating a security culture and real technical improvement to defences. Both are essential, but the process of developing policies, culture and then training thousands of staff is an expensive and long process. Improving the intrusion detection at the point of connection to the outside world is available now, can be virtually immediate, and has very little cost involved.

And this is why IT security professionals undertake regular security audits and efficiency tests. It’s not for their own good, or because they like doing them. It’s because they are a must-have in today’s IT-pervasive workplace.

And with the NHS employing around 1.3 million members of staff in one shape or another, the IT security systems that defend private and personal data at all times need checking and auditing on a regular basis. This is why we think that the ICO needs to mandate the various NHS bodies to go much further on their ITsec audits than they do at present.

If this does not take place, then the NHS security faux pas will continue. Not because the IT security defences are inadequate, but because of the sheer volume of data that is handled on a day-to-day basis.

Ray Bryant is CEO of Idappcom. Ray started working life in a firm of London Chartered accountants and qualified as a Chartered Company Secretary in 1979. His career in IT started in the very early days at Control Data Corporation.