Data security: a critical focus for the NHS



Stephen Allcock, director of public sector UK at SailPoint, explains why having an effective identity and data security structure is crucial.

Under the strain of the pandemic, the NHS has been forced to adopt technology and a ‘digital first’ attitude wherever possible. Doctors in large hospitals and small GP surgeries alike have had to embrace virtual appointments as face-to-face contact was minimised.

With 1.7m NHS workers across the UK servicing some one million patients every 36 hours, this generates a vast amount of sensitive data. Effective cyber security has never been more important.  

To make the situation more complex, the NHS deals with huge staff shortages and turnover, with thousands of vacancies across clinical, nurse and admin roles at any given time.

It is critical that the NHS remains alert to its heightened risk of cyber-attacks during this era of uncertainty and digitalisation – especially given that one in five cyber-attacks now target the healthcare industry, with criminals intent on causing disruption on a major scale.

By 2025, the annual growth rate of data for healthcare is predicted to reach 36%. Having an effective identity and data security structure is crucial to providing the protection NHS infrastructure requires to operate efficiently and keep data secure. 

Safeguarding sensitive information

The average healthcare breach costs £6.6m, and healthcare data breaches are likely to have tripled this year. Any breach within the NHS could have a detrimental effect. Data security, therefore, needs to be the beating heart of the NHS structure.

NHS security leaders need to understand how information is being used and who has access to it. It is vital that the NHS retains control over the information and data it holds.

What’s more, it also needs to have measures in place to protect data from inappropriate use. It needs to know if and when there has been a data breach and how to act on it as soon as it becomes aware of an infringement. 

Time is of the essence here. It can take weeks or months to detect an unauthorised data breach, with no way of knowing what information has been accessed unless sufficient safeguards are in place.

Transparent understanding of data 

The NHS has some of the most stringent regulations in place to protect sensitive data. The Data Protection Security Toolkit (DPST) is just one element of control for access to NHS data.

The online self-assessment tool allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS sensitive data and systems need this toolkit to provide the assurance that they are practising good data security and that personal information is being handled correctly.

The National Data Guardian is an independent body that oversees patient data and acts as a safeguard on the use of information. It allows patients to participate in the national patient opt-out, indicating that they don’t want their confidential patient information to be shared for purposes beyond their care across the health and care system in England.

On top of that, the NHS has to comply with the general rules governing GDPR, which regulates how organisations gather, use and manage personal data. The seven Caldicott Principles also provide the overriding governance rules that dictate how the NHS gathers, stores and uses sensitive information. Of course, none of this is possible unless the NHS has a full and transparent understanding of what is happening to its data.

Increased visibility through identity governance 

An NHS Trust has potentially millions of documents in hundreds of thousands of folders, spread across multiple repositories – both on premises and in the cloud. This is typically ‘unstructured data’, which accounts for around 80 per cent of the total data that a trust holds and which quickly becomes unmanageable.

Some of the common themes we see are personally identifiable information and sensitive information being stored in the wrong place, over-permissive access to sensitive data, no centralised identity governance process, no auditing of access, no monitoring of privileged account use, and data being held outside of a retention policy.

The key is to ensure that the NHS can classify its data and put processes in place to manage access to it. Understanding the types of data, knowing where it is, and providing adequate controls are all vital aspects of adhering to the DPST, the Caldicott Principles and GDPR governance.

This will allow organisations to know who has access to data of different levels of sensitivity and to build an up-to-date asset register. Visibility into where all of the sensitive data resides, who has access to it and what auditing is in place is crucial to understanding where any vulnerabilities may lie, and subsequently to mitigating inappropriate use or a cyber-attack such as ransomware.
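The discovery step described in this section (find sensitive data in unstructured stores, check who can reach it, and turn the result into an asset register) can be sketched in code. The example below is added here for illustration; it is not SailPoint's product, nor any NHS tooling, and the file inventory it scans is constructed in-line rather than taken from a real file share. It classifies each file's content excerpt (the NHS number check uses the published modulus 11 check-digit algorithm; the email pattern is a simple heuristic), flags access granted to broad groups such as "Everyone" (the list of "broad" principals is an assumption you would tune per trust), and ranks the results by risk.

```python
import re

# Assumption: these group names count as "everyone can read it" on a Windows file share.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Candidate NHS numbers: ten digits, optionally written as 3-3-4 groups.
NHS_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
# Deliberately simple email heuristic for classification purposes only.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample inventory (paths, ACLs and excerpts are all made up).
SAMPLE_INVENTORY = [
    {"path": r"\\fs01\shared\clinic\letters\discharge-letter.txt",
     "acl": {"Everyone": "Full Control", "Clinical-Staff": "Modify"},
     "excerpt": "Patient NHS number 943 476 5919 discharged to GP care."},
    {"path": r"\\fs01\shared\finance\q3-budget.xlsx",
     "acl": {"Finance-Team": "Modify"},
     "excerpt": "Budget line items for Q3; no patient identifiers."},
    {"path": r"\\fs01\shared\hr\staff-list.csv",
     "acl": {"Domain Users": "Read"},
     "excerpt": "j.smith@example.nhs.uk, 01234 567890"},
    {"path": r"\\fs01\shared\it\scratch\old-export.txt",
     "acl": {"Authenticated Users": "Modify"},
     "excerpt": "Ref 1234567890 - an invoice reference, not an NHS number"},
]


def valid_nhs_number(digits):
    """Standard modulus 11 check: weights 10..2 over the first nine digits,
    check digit = 11 - (sum mod 11); 11 becomes 0, 10 means 'invalid'."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def find_nhs_numbers(text):
    """Return only candidates that pass the check digit, cutting false positives
    such as invoice numbers that happen to be ten digits long."""
    return ["".join(m.groups()) for m in NHS_CANDIDATE.finditer(text)
            if valid_nhs_number("".join(m.groups()))]


def classify_excerpt(text):
    """Label the content with the kinds of personal data it appears to hold."""
    labels = set()
    if find_nhs_numbers(text):
        labels.add("NHS_NUMBER")
    if EMAIL.search(text):
        labels.add("EMAIL")
    return labels


def broad_access(acl):
    """Principals in the ACL that effectively grant access to all staff."""
    return sorted(p for p in acl if p in BROAD_PRINCIPALS)


def risk_level(labels, broad):
    # Sensitive content reachable by a broad group is the combination the
    # article warns about; either factor alone is worth a look.
    if labels and broad:
        return "HIGH"
    if labels or broad:
        return "MEDIUM"
    return "LOW"


def build_register(inventory):
    """Produce an asset register: one row per file, highest risk first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    rows = []
    for item in inventory:
        labels = classify_excerpt(item["excerpt"])
        broad = broad_access(item["acl"])
        rows.append({
            "path": item["path"],
            "labels": sorted(labels),
            "broad_principals": broad,
            "risk": risk_level(labels, broad),
        })
    return sorted(rows, key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    for row in build_register(SAMPLE_INVENTORY):
        print(f'{row["risk"]:6} {row["path"]}  labels={row["labels"]} '
              f'broad={row["broad_principals"]}')
```

In a real deployment the excerpt would come from a content-inspection pass over the share and the ACL from the file system, and the register would feed the access review and remediation process rather than just a printout; the point is that classification and entitlement data have to be joined before "who can reach what" can be answered.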

Securing data 

Ransomware attacks across the health sector alone have seen a rise of 44% during the pandemic. Cyber-attacks like these can have serious consequences including reputational harm, and disruption to patient care and welfare. In the last year alone, we saw the impact of an attack on the Irish Health Service, which is still recovering months later.

The sheer volume of data being created must be secured and monitored effectively if the healthcare industry is to protect itself from being a key target of cybercrime. By ensuring data governance is aligned and controlled, the NHS can continue to provide critical treatment and service to the country – giving more time to focus on what really matters. 
