SC Magazine included an interesting item today on security and confidentiality in the UK's National Health Service. Anders Pettersson has suggested that the NHS is too busy to be harrassed over data protection/data leakage issues, and that the security industry should "come together to educate NHS Trusts and other organizations on simple measures to protect data."
That sounds fair enough, given the constant emphasis in the media on leakage incidents from the NHS and other public sector organizations, but I think it stems from a very simplistic perception of both the NHS and its security problems. There's a very English perception of the NHS either as a monolithic organization, and as a collection of loosely coupled hospitals and doctors' surgeries. Actually, it's both and neither. (For a start, there are a great many people working for the NHS who don't work in hospitals and surgeries: there's an immense support system that most people are not really aware of.)
The NHS is actually more like a disparate collection of departments and subsidiary organizations linked by a more-or-less common infrastructure, and itself subsidiary to the Department of Health and interfacing on several levels with local and central government (and, indeed with itself: your view of what constitutes the NHS can be quite different according to which of the countries that make up the UK you happen to be in.)
And it's pretty big. Figures like 1.25 to 1.4 million employees, around three million network nodes, 9-10,000 sites are sometimes quoted, and comparisons with the Chinese army and the Indian railway system are often made. So educating all those people at all those end sites is not a matter of simply writing a pamphlet and holding a couple of seminars. Is that the job of the security industry, though?
Well, I do believe, we have a responsibility to make good information available and raise the general level of education. But I happen to know that the NHS is not fully-staffed with IT illiterates. In fact, there was some pretty solid security expertise in the NHS earlier in this decade, both in the centre and at many of the end sites, though some of the effectiveness of those people was reduced by corporate dogma, even then.
As the new millennium wore on, it appeared to be taken as read in the corridors of power that the NHS should not be involved in hands-on security, at any rate as a central function. Instead, a model came in whereby end-site security was essentially the responsibility of end sites, responsibility for outsourced services was with the service provider, and the Information Governance team at NHS Connecting for Health would essentially concentrate on the security of central applications.
One of the by-products of this approach is that NHS organizations of any size are supposed to have specialized staff such as Data Protection Officers, who would deal with the requirements of the Data Protection Act and related issues, and Information Governance Managers who tend to be tasked with the whole range of security management. If some of them fail to convey messages about security and data protection to everyone they work with, is that because they're naive incompetents, or is it because they're struggling to keep up with the inconsistent demands imposed from above? (I mean national government, not just the next layer of local bureaucracy, though I'm sure it's possible to find both spectacular ability and naive incompetence at all levels...)
Here's a naive thought: perhaps when you outsource a service or devolve responsibility back to an organization at the perimeter, that's not the same as absolving yourself of responsibility. If end sites have not been adequately prepared for devolution, maybe that transition hasn't been entirely their fault.
Curiously enough, there's a recent initiative by the British Computer Society (BCS) that may offer some hope. The Personal Data Guardianship Code is aimed squarely at changing the culture of organizations as regards the handling of personal data, and addresses many of the issues Anders Pettersson wants addressed, without necessarily delivering the public sector into the hands of the security industry. Why is that a good thing? Because while (most of us) do have a sense of morality and conscience,, and while we certainly can come together in the public interest (AMTSO is a pretty good example of that, though I can't deny that the industry also benefits from good testing), we're not always impartial. Having looked through that document, I think it would give any organization in the UK (not just in the health service) a good starting point for educating its users. Indeed, it will work for organizations outside the UK and Europe (many European countries have similar legislation to the Data Protection Act, based on EC directive 95/46/EC ) because it focuses on general principles, not on a single technical solution.
That's where responsibility starts, and that's the first step towards effective security.
David Harley
Director of Malware Intelligence
