Gemma Platt, managing executive for Vigilant Software, explores the challenges of data-sharing in the NHS and how data mapping could provide much needed clarity and better GDPR compliance
There is an overwhelming amount of data collected and stored in the NHS. On one hand, it can be an incredibly useful indicator about the effectiveness of service delivery, helping to inform future health programmes and improve diagnoses and treatment. However, the abundance of information could present a very real threat to security and compliance if it is not monitored and managed appropriately.
Public confidence in data-sharing has been tested in recent years by several high-profile breaches. In 2017, the global WannaCry attack led to nearly 20,000 cancelled hospital appointments in the UK. The Department of Health and Social Care (DHSC) estimates the breach cost the NHS £92m in direct costs and lost output as a result of disruption to services. This doesn’t factor in the penalties that could have been levied by GDPR, or the class action lawsuits from patients that could have followed.
The reason the NHS is such a rich target for cybercriminals is because it continues to rely on older technologies and operating systems, leaving them susceptible to attack. Earlier this year it was revealed that the NHS is still a major purchaser of fax machines, which have long been redundant in the private sector. Given the organisation is so sprawling and complex – and driven by the need to be cost-effective – it isn’t always possible to run the latest next-generation security tools, or integrate different moving parts in the most secure way.
What is certain is that the NHS would be unable to cope with enormous pay outs or fines in the aftermath of a serious incident. Could a severe cyberattack or data breach ultimately bring the end to free healthcare?
Mitigating risk with data mapping
Despite apprehensions around information security and compliance, the public still has faith in NHS organisations to manage patient data, and there is still strong support for information being shared to improve patient care and research. It’s therefore imperative that the NHS has a handle on what data is being stored, how it is used and what protection is in place to keep it secure.
Data mapping is about creating a visual overview of all the data collected and stored by an organisation, providing an insight into the potential risks associated with each data type and location. It doesn’t rely on data sources being exclusively available online, so it can account for the paper-based processes that are still inherent within the NHS.
There are several considerations that organisations need to be mindful of before embarking on data flow mapping. Personal data can reside in a number of locations and be stored in various formats; paper, electronic and audio. The first step is to decide what information needs to be recorded, and in what form factor. Next they need to identify what type of security measure – and the policy and procedures for its use – needs to be introduced, while also defining who controls access to it. The final challenge is to understand what the organisation’s legal and regulatory obligations are; this may include compliance standards such as the PCI DSS and ISO 27001, as well as the GDPR.
The steps to data mapping
Once there is an understanding of the data that is being recorded, where it’s stored and how it is being protected, the NHS can begin to chart the data flow. First you need to familiarise yourself with how and where the data moves in and outside the organisation.
Next, identify what kind of data is being processed - names, addresses, emails - and what format do you store the data in; is it hardcopy or digital? How are you collecting the data; is it through the post, telephone, email, and how do you share it, both internally and externally? What locations are involved in the data flow, and who is accountable?
Asking this series of questions allows technicians to see how information is being used, and hopefully foresee any inappropriate or unintended use of the data. It also demonstrates due diligence in information security and compliance, in accordance with GDPR.
We all know the value of data, and we’d be wise not to underestimate the challenge it presents for security and compliance. By having complete visibility and granularity on what information is available across an entire organisation, data processors can recognise threats earlier and mitigate risks before any damage can be done.