Aspects of Data Security - PowerPoint PPT Presentation

Provided by: riar
Learn more at: https://www.bcs.org
Transcript and Presenter's Notes

Title: Aspects of Data Security


1
Aspects of Data Security
  • Raj Samani, Vice President Communications, ISSA
    UK
  • Rita Arafa, IG Deployment Officer, NHS CFH

2
Agenda
  • Reported issues
  • Impact
  • C.I.A.
  • What can we do?
  • Wrap-up including Questions

3
Reported Issues: The current situation in the media
  • Reports in the Health Press and General media
  • There may be a risk of breach of patient data
  • '2008 A year of data breaches' - E-Health Insider,
    28 Oct 2008
  • Reports of viruses in hospital systems impacting
    on patient care
  • 'NHS hit by a different sort of virus' - More4 News,
    9th Jul 2009
  • Fears that patient data could be lost
  • 'Health data on lost memory stick' - More4 News,
    9th Jan 2009
  • 'Data protection warning as more trusts lose
    patient records' - Health Service Journal, 16th
    July 09

4
Impact
  • When electronic clinical systems are compromised
    the following are at risk:
      • Clinical Care
      • Confidentiality
      • Reputation
  • Data Breaches endanger:
      • Confidentiality
      • Confidence
      • Reputation

5
Clinical Care
  • Reports of viruses in hospital systems impacting
    on patient care
  • November 08, Mytob computer virus caused havoc in
    three major London hospitals when it spread so
    quickly that it overloaded computer networks - 70
    patients had to go to other hospitals while
    ambulances were diverted to neighbouring
    hospitals to ensure that seriously ill patients
    did not suffer as a result of the slower manual
    systems being used
  • Sheffield, 800 PCs infected after just one
    computer in an operating theatre had its
    anti-virus software switched off.
  • During March 09 Greater Glasgow and Clyde NHS
    trust was struck by a computer virus called
    Conficker, which froze staff out of their
    computers for two days
  • Building security into key initiatives
  • LAS Despatch Service, one ambulance arrived to
    find the patient dead and taken away by
    undertakers

6
Confidentiality
  • A breach of patient data can be a breach of
    patient confidentiality
  • Unauthorised access (internal)
  • Unauthorised access (external)
  • What is the impact?

7
Reputation
  • Confidence can be quickly lost by both the staff
    using the systems and patients.
  • Electronic records can end up being incomplete
    which can further reduce confidence.

8
Reputation
  • Perceived breaches of data security can seriously
    damage the reputation of both Clinical IT systems
    and the organisations that use them.
  • "Everyone must recognise that data breaches can
    cause harm, distress and hassle for the
    individuals affected, lead to serious financial
    losses and seriously affect the reputation of
    organisations." - eHealth Insider, 29 Oct 2008

9
C.I.A. and F.U.D
  • It is imperative that the following are
    protected:
      • Confidentiality
      • Integrity
      • Availability
  • Without introducing:
      • Fear
      • Uncertainty
      • Doubt

10
So what should be done?
  • ISMS: Information Security Management System
  • Establish roles and responsibilities
  • Management Planning: identify where the gaps are
    by
      • Reviewing, checking, implementing
      • Plan-do-check-act

11
Why does it need to be done?
  • To comply with the Data Protection Act (principle
    7)
  • For Public Assurance
  • Contractual, Legal and Regulatory Obligations
  • Care Record Guarantee

12
Roles and Responsibilities
  • Information Asset Owner
      • The IAOs are responsible for ensuring that
        information risk is managed appropriately and for
        providing assurances to a Board level lead termed
        a Senior Information Risk Owner (SIRO)
  • Information Asset Administrator
      • IAAs are operational staff with day to day
        responsibility for managing risks to their
        information assets.
  • SIRO: Senior Information Risk Owner
      • Is accountable
      • Fosters a culture for protecting and using data
      • Provides a focal point for managing information
        risks and incidents
      • Is concerned with the management of all
        information assets
  • Caldicott Guardians
      • Is advisory
      • Is the conscience of the organisation
      • Provides a focal point for patient
        confidentiality and information sharing issues
      • Is concerned with the management of patient
        information
  • Privacy Officers

13
Process Overview
  • Suppliers
      • Implement ISMS review improvement activities
      • Submit results to Organisation e.g. audit
        reports, risk corrective action plans, areas of
        concern, evidence of BAU activities
  • Suppliers
      • Plan ISMS review improvement activities e.g.
        annual audit schedules
      • Plan risk corrective action planning / reviewing
        etc.
  • Organisation IG
      • Inform programmes of impending supplier reviews
  • Suppliers
      • Review ISMS review improvement activities
  • Organisation IG
      • Review results
      • Provide guidance and influence supplier
        improvement activities e.g. audit schedule
      • Ensure there is evidence of BAU ISMS activities
  • Suppliers
      • Implement risk corrective action plans
  • Organisation IG
      • Cascade risk corrective action plans to relevant
        programmes
      • Monitor risk corrective action plans

14
Information Assurance Regulatory Bodies
  • ICO: Information Commissioner's Office
      • Independent authority set up to promote access to
        official information and protect personal
        information
  • CESG
      • The Information Assurance (IA) arm of GCHQ and
        the Government's National Technical Authority for
        IA, responsible for enabling secure and trusted
        knowledge sharing, which helps its customers
        achieve their aims.
      • http://www.gchq.gov.uk/about_us/cesg.html
  • CPNI
      • The Government authority which provides
        protective security advice to businesses and
        organisations across the national infrastructure.
  • CSIA
      • The Central Sponsor for Information Assurance
        (CSIA) is a unit within the UK Government's
        Cabinet Office providing a central focus for
        Information Assurance (IA) activity across the UK.

15
Some positive quotes
  • The Royal College of GPs has put their support
    behind the national rollout of the Summary Care
    Record. They said concerns over security of
    records and patient confidentiality had now been
    resolved, and declared the need for a shared
    record is compelling.
  • A team of RAF security experts recently spent
    three days attempting to penetrate the wireless
    networking component of a managed service
    covering healthcare for British Forces in Germany
    - and failed. The secure networking is part of a
    managed service, PAS 2.0, for Guy's and St
    Thomas' NHS Foundation Trust. - eHealth Insider, Jan
    09
  • The Royal Marsden Hospital director of ICT Jon
    Reed said "We've been able to create a remote
    environment that enables clinicians to have
    access to the applications they require but at
    the same time enforce the highest level of
    security for confidential patient records."
    - Public Sector Case study, silicon.com, Aug 08

16
  • Any Questions?