The BBC has reported that the NHS has the highest number of serious data breaches of any UK organisation since the end of 2007, according to recent findings by the Information Commissioner’s Office.
David Smith, deputy commissioner at the ICO, told the Infosec Security Conference that the NHS had reported 287 breaches since the end of 2007, most of which related to stolen data or hardware.
This accounts for more than 30 per cent of the total number of serious data breaches reported.
The NHS is the UK’s largest employer with 1.7m staff and is currently in the process of rolling out digital patient records. With this in mind, this latest news is rather concerning.
Most of the breaches (113) were the result of stolen data or hardware, followed by 82 cases of lost data or hardware.
So how is it that an organisation which insists that its third party IT service providers are ISO27001 certified can be responsible for a third of all data breaches in the UK?
To be truly effective, an Information Security Management System (ISMS) must be simple, usable and clearly communicated throughout the organisation in which it is employed.
In addition, responsibility and ownership of assets, policies and procedures must be clearly dictated and controlled at the highest level, to ensure disciplined adherence to the standards.
As the NHS itself is not ISO27001 accredited, some would argue that it may not be fully aware of the standard's requirements, and therefore there is little chance of its information security approach being effective.
So what is the information security approach of the NHS?
A good question and one that I am not even sure the NHS can answer.
It seems that the NHS may have assumed that appointing ISO27001 certified third parties to conduct and manage certain services on its behalf would ensure the security of its information, data and information assets.
Unfortunately for the NHS, there is no such thing as accreditation by association.
The scope of the NHS’ information security assets is vast. As mentioned previously, the NHS is the largest employer in the UK and as with most modern organisations the majority of these employees will have access to some form of information processing asset.
Herein lies an enormous vulnerability to information security that is currently not being adequately controlled.
As these staff are not governed by an NHS ISMS that dictates and controls the approach to information assets and regularly audits those controls to ensure that they are effective, each NHS employee presents an unregulated risk to NHS owned data.
Hence the frequency and nature of such data loss should come as no surprise. NHS data put into the trust of an organisation that runs an effective ISMS and is certified ISO27001 compliant should be considered secure. However, as soon as it is re-introduced into the realm of the NHS, there is absolutely no way that this will remain the case.
It is an unenviable task given the size of the organisation, but a coordinated approach must be adopted to secure the information within the NHS as an organisation.
I for one have opted out from plans to digitise patient records, not because of some civil liberties rant or fear of a ‘Big Brother’ state but because the risks to confidentiality, integrity and availability are uncontrollable under the current NHS information security model.