December 07, 2008

ISO 27001: Information Security

What a difference the right person makes. During my first year at university I endured some impenetrable lectures on thermodynamics. The textbook the lecturer recommended was equally gnomic. A change of course and a year later, enter Dr. Hinchcliffe. His lectures were paragons of clarity which made the whole subject seem easy—enjoyable even.

After a period in the UK in which CDs, zip drives and laptops containing large amounts of confidential data have been mislaid at a mind-boggling rate, it is hardly surprising that information security is now at the top of the agenda of many health organisations and their suppliers. I have recently been engaged in work for clients on information security, particularly related to the ISO/IEC 27001 and 27002 standards.

At the word "standard" eyes glaze over, because we assume standards are as impenetrable as my first-year thermodynamics lectures. But if you want impenetrable, try reading some of the books that are supposed to make the subject more accessible for the average manager or board member. They make the standards look like models of clarity.

If you are seeking to review your information security using the ISO 27000 series as the basis, take my advice and read the standards, and, if necessary, get the right person, one who understands how they are applied operationally, to help with the risk assessment and implementation. Don't waste your money on derivative books.

January 06, 2008

Secure Health Records: hardware, software and brainware

Further to my recent postings on the essential technical and human aspects of secure and confidential information systems, I was watching the voluble Gyles Brandreth review the newspapers with Carol Vorderman on the Andrew Marr Show this morning. The discussion touched on the recent losses of personal data by various public sector organisations. Mr. Brandreth said the real problem was not hardware or software but brainware. Nicely put.

To add weight to this, read this entry on the Joe Public blog.

December 31, 2007

Bolton Care Records Pilot

This morning the BBC followed up previous reports on the summary care record pilot in Bolton. The piece was generally supportive, but the customary GP expressed concerns about the security of information on a national system compared with that held locally.

Such concerns are not fully addressed by technical security; as I have previously argued, secure human systems are also essential. When I was young the escapologist Harry Houdini was a hero of mine. When asked why he found it so easy to escape from the most secure of safes, he answered that it was because they were designed to prevent people from getting in, not getting out. Recent events show that even though getting into secure IT systems may be difficult, taking large amounts of data out is not.

People need to decide whether the benefits of an online record outweigh the risks, and in the Bolton pilot they can opt out if they think they do not. But eventually we should all be given sufficient information to make that decision ourselves.

Some may want their GP to be their advocate in such matters, and some may not. When I registered with my GP I was not given an option to opt out of having my information stored locally on his IT system, which at least seven other people in the practice can access.

Also read this article in the Manchester Evening News about the theft from the Royal Bolton Hospital of patient-based information on a local computer.

I wish you a happy and successful New Year.

December 24, 2007

More Losses of Confidential Data

The BBC reports this morning that a number of NHS trusts have admitted losing patient-based information that seems to have been carried on CDs and memory sticks.

It's a sad indicator of the sophistication of UK healthcare IT that it still needs to transfer confidential data by what the US calls "sneakernet", and has only recently been able to transfer computer records electronically between GP practices.

Higher levels of technical security on the planned National Care Records Service should make NHS data more secure, but, as I have said before, technical security takes us only so far and must be underpinned by secure human processes. Recent events suggest we have some way to go.

Not a long way to go to Christmas day, though, so I wish you a joyful and peaceful time.

November 27, 2007

Two CDs and a Storm

"Please check the coffee cup coasters on your desk just to make sure," quipped a colleague today. But it's no laughing matter. Who would have thought two mislaid CDs could brew such a storm?

And it's just beginning. In future, cyber criminals will target high-value information. Personal emails, grocery purchases and—dare I say—patient record information such as the results of genetic and HIV tests, will have value on the black market and could lead to anything from spam mail to blackmail.

Technical steps such as encryption and identity management take us only so far. I remember hearing an anonymous cyber thief on the radio saying he wouldn’t bother trying to hack computer security. It was easier to simply bribe unscrupulous employees to get information.

Most people working with sensitive data take their responsibilities very seriously. But, as HM Revenue and Customs' loss of CDs packed with confidential information shows, it only takes one mistake (and we are human) to shake plans for large databases of shared records to their roots.

October 11, 2007

A Question of Identity

I have been working on identity management recently. It's a Tír na nÓg for techies: tokens, certificates, assertions, authentication. But the real challenges may have more to do with human processes than technical ones. Recent workshops suggest the biggest problems may be in user management and the granting and revocation of access rights.

The NHS has implemented a high level of technical security through smartcards whose chips use PKI-based encryption, together with sound processes for user registration and authorisation. But this article shows how users can still thwart that security, in this case by remaining logged in and allowing colleagues to use their access rights.
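As an added illustration, not part of the original post and not the NHS's own tooling, here is one way the "left logged in" problem could be spotted after the fact in a session audit trail. The idea is that a shared login shows up as a session that is still open but has been idle far longer than any real user would tolerate before locking, or as activity under one user ID on a second workstation while the first session is still open. The log format, user IDs, workstation names and the 30-minute idle threshold below are all constructed assumptions for the example; real audit logs will differ.

```python
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not a real system's log).
# User u17 logs in on WS-07 and never logs out until the afternoon; meanwhile
# activity under u17 appears on WS-12, and the WS-07 session resumes after a
# long idle gap: both are signatures of a session being used by someone else.
SAMPLE_LOG = """\
2007-10-11T09:00:00 user=u17 ws=WS-07 event=login
2007-10-11T09:03:10 user=u17 ws=WS-07 event=view_record
2007-10-11T09:20:00 user=u17 ws=WS-12 event=view_record
2007-10-11T10:20:00 user=u42 ws=WS-03 event=login
2007-10-11T10:21:00 user=u42 ws=WS-03 event=view_record
2007-10-11T10:25:00 user=u42 ws=WS-03 event=logout
2007-10-11T11:05:00 user=u17 ws=WS-07 event=view_record
2007-10-11T13:30:00 user=u17 ws=WS-07 event=logout
"""


def parse(lines):
    """Turn 'timestamp key=value ...' lines into (time, user, workstation, event) tuples."""
    events = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), fields["user"], fields["ws"], fields["event"]))
    return events


def shared_session_alerts(lines):
    """Flag activity for a user on a workstation other than the one where
    that user's still-open session was started.

    Returns a list of (time, user, session_workstation, other_workstation)."""
    open_ws = {}  # user -> workstation of the session that is currently open
    alerts = []
    for ts, user, ws, ev in parse(lines):
        if ev == "login":
            open_ws[user] = ws
        elif ev == "logout":
            open_ws.pop(user, None)
        else:
            home = open_ws.get(user)
            if home is not None and home != ws:
                alerts.append((ts, user, home, ws))
    return alerts


def idle_gap_alerts(lines, idle_limit_minutes=30):
    """Flag sessions that resume activity after more than idle_limit_minutes
    without any event: a session that should have been locked but was not.

    Returns a list of (user, workstation_where_activity_resumed, last_seen, resumed_at).
    A logout after a long gap is not flagged, since it may be the system closing
    the session itself."""
    limit = timedelta(minutes=idle_limit_minutes)  # assumed threshold
    last_seen = {}  # user -> time of last activity in the open session
    alerts = []
    for ts, user, ws, ev in parse(lines):
        if ev == "login":
            last_seen[user] = ts
            continue
        if ev == "logout":
            last_seen.pop(user, None)
            continue
        prev = last_seen.get(user)
        if prev is not None and ts - prev > limit:
            alerts.append((user, ws, prev, ts))
        last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for alert in shared_session_alerts(SAMPLE_LOG):
        print("same user on two workstations:", alert)
    for alert in idle_gap_alerts(SAMPLE_LOG):
        print("session resumed after long idle gap:", alert)
```

Neither rule proves that a colleague used the session, which is why the real control is an enforced idle lock and a revocation process that works; but running these two checks over an audit trail is a cheap way to find out how often the policy is being ignored.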

Gerald M. Weinberg says (I probably misquote): all problems are people problems. Perhaps one day someone will come up with an incompleteness theorem like Kurt Gödel's, confirming that no matter how sophisticated IT becomes, users will always break the system.