I really ought to be concentrating on some writing deadlines, but I couldn’t ignore this item, flagged by Graham Cluley, Sophos blogger-in-residence and karaoke star. (I have to say that because I was rather rude about his singing at Infosec last month.) Graham and I both live in the UK, so the state of health of our National Health Service (NHS) is rather important to both of us.
Graham’s blog concerns the news that the UK Information Commissioner, whose office is concerned with such issues as data protection, privacy and freedom of information, has taken action against 14 NHS organizations that breached data protection legislation in some way, resulting in the loss or potential exposure of personal data.
The BBC reported that "between January and April this year there were 140 reported security breaches within the NHS – more than from central government and local authorities combined," while the Independent claims that the number of security breaches reported was only slightly less than the total number of breaches reported in the private sector. But perhaps we should get a little perspective here. Even in the UK, there is little understanding of what the NHS is, and how it works.
A great deal of NHS (and other public sector) functionality has been farmed out to private industry in the hope of cutting costs (yeah, right) and transferring risk. (Unfortunately, you can only transfer risk if the other party is prepared to accept it.) A significant number of press reports about data leakage in the public sector have taken little account of the involvement of private contractors and fuzzy interfaces with other groups such as local government, the prison service and so on. Nor is it generally realized that the NHS in general is subject to a degree of scrutiny that simply doesn’t happen in the private sector, or even in the more secret nooks and crannies of the State. Who really believes that the incidents reported to the Information Commissioner’s Office represent more than a fraction of all the data leakage incidents that take place in an era where massive databases can be carried back and forth on a DVD or a thumb drive?
The NHS isn’t one monolithic organization: it’s an "umbrella" directly employing (last time I checked) well over 1¼ million people in many thousands of semi-independent organizations, subject to strict budgetary and administrative controls imposed from central government via the Department of Health. The whole is loosely tied together by central networks and systems where some security functions such as messaging security are administered centrally (albeit by proxy: very little hands-on security is administered "in-house" in Leeds and Whitehall), but the local organizations that make up the bulk of the Service were told several years ago that they were responsible for their own local security and central guidance was withdrawn, or reduced to generic policy statements.
There does seem to have been some softening of the "you’re on your own and it’s your fault if it goes wrong" position: for instance, a centrally negotiated disk/media encryption solution became available some time ago which should have been deployed by now and may have mitigated the potential damage from some of those 140 breaches, but who knows?
However, the real issues here have little to do with security and everything to do with politics, the media, and the psychology of society. NHS and other public sector sites have fallen victim to the electioneering bluster of politicians of all parties, the media thirst for drama and bad news, and public disillusion with a government that has unaccountably failed to return England to a golden age where prescriptions were free, banks didn’t crash, most adults had a job, no-one had heard of AIDS or MRSA, and the Beatles were still together.
There is certainly a lot wrong with NHS security, and some of those million+ people have made massive blunders, but the Service still employs a great many competent and motivated people who don’t deserve to be treated as a political football and national scapegoat by a government and society that’s still struggling with the difficulties of online culture and finding its own place in the modern world.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence