The NHS treats more than 1 million people every 36 hours. These patients are often at their most vulnerable physically and emotionally, but so too are their digital selves. The health sector accounts for the most data security incidents in the UK — more than 40% of all UK incidents in Q4 2015 — and regulators are scrambling to find solutions to better protect confidential medical records and personal data. Yet in this sprint, policymakers are ignoring a basic principle that can keep us safer and more secure.
The value of our data is immense. Health data’s value comes from its stability: pre-existing conditions, medication logs, procedure codes — this data is evergreen, and names and national insurance numbers are difficult to change. By contrast, credit card numbers are transient data: as soon as a compromise is discovered, the number is changed and the stolen data is worthless.
The Care Quality Commission and Dame Fiona Caldicott, the National Data Guardian, today published their review of how effectively NHS organisations handle patient-confidential data, together with guidelines against which every NHS and care organisation will be held to account. The recommendations are an important step toward addressing the gaping holes in health security, including vital requirements like a named person at board level responsible for data security; mandatory training for all staff, with particular emphasis on board level; and encouraging the use of up-to-date technology with the latest protection.
But the review has failed to address one of the most basic requirements of cybersecurity: network visibility.
If the mind boggles at the number of people using the NHS in any given 36-hour period, the scale of the infrastructure that supports this operation may be beyond comprehension. There are, at best estimate, tens of millions of computers on the NHS system, and millions more when you consider the Internet of Things – the myriad x-ray machines, pacemakers, and other medical machinery that rely on the Internet to deliver care. The system also hosts 500 million patient records and billions of messages sent each year between patients and clinicians.
If we imagine the NHS network is a building, all of these millions of devices are its doors and windows, entry points for cyber criminals looking for access to sensitive data.
The scale of the NHS network, the fractured nature of procurement, and the widespread deployment of legacy IT means that even counting the number of computers on the network is impossible. If we don’t even know how many doors and windows we have, how can we have any hope of ensuring they are all secure?
Yet despite this vulnerability, a large majority of health care facilities use antiquated technology to protect their systems and to investigate breaches. Currently, it can take weeks or even months to find the source of a breach and get it resolved.
So while today’s recommendations are a step in the right direction, without a minimum standard within government of at least being able to count the number of devices the NHS and other government agencies have on their systems, patient data cannot be counted as safe from a major breach. Not even close.
About the author: Richard Olver is Vice President, EMEA, at Tanium in London.