Special Report: Data Security

With technology changing the way health-related information is stored, good data security has never been more important. Andrea Downey investigates.

As technology in healthcare settings becomes more prominent, so too does the need for robust data security. As the way patient data is used and stored has moved away from more analogue means such as paper filing systems, the approach to data security must also change.

For Johan Åtting, chief information security officer (CISO) at Sectra, security simply cannot be an afterthought.

“A key concept that we use at Sectra is ‘security by design and by default’. Security cannot be effectively added to a product or system afterwards, it has to be within focus from the design of a product throughout the building, testing and deployment of the product,” he says.

“At Sectra, security architects are involved from the very start of the design of a product, and every development team has a security champion that ensures that security is considered in every aspect of development and testing.”

Åtting goes on to explain the importance of merging clinical and technological ideas – one cannot have a securely designed piece of health tech if there has been no clinical input. Put simply, it would render the technology moot.

“Security has to be balanced with clinical effectiveness and usability. If we implement security in a sub-optimal way it could hinder the usability or the clinical effectiveness of the product,” he explains.

Managing and protecting data

Darren James, technical lead at security software company Specops, offers a similar outlook. He stresses it is “imperative” for NHS trusts to properly manage and protect patient data.

“We’ve seen more and more attacks in recent years using the supply chain to gain access to a target organisation’s data. Healthcare, and in particular an organisation the size of the NHS, is particularly vulnerable due to the number of users, endpoints and systems that are currently in use,” he says.

“Therefore, it is imperative that NHS trusts make the right choice when selecting solutions that have access to patient and staff data and look in depth where and how that data is stored and transmitted.”

He gives the example of Specops’ self-service password reset (SSPR) system, Specops uReset, which uses a customer’s own Active Directory, included in most Windows operating systems, to store all enrolment data.

“This has great benefits in that our customers maintain control of their data in their own network, in a database that is already fault tolerant, already backed up and already limited to the number of users who have access.”

In a nutshell, it’s about limiting the number of people who have access to the data and the number of places the information is stored. Too many cooks spoil the broth, if you will.

A patient safety issue

When thinking of the risks a data breach poses, the first thought that often comes to mind is around the risks to business and operations, but in healthcare there’s an even bigger risk: patient safety.

Even in the most minor of data breaches, if a patient’s medical information is leaked, or lost, or seen by someone they wouldn’t usually have shared that information with, that is a big violation of privacy and trust.

NHS Digital explains that getting data security wrong has the potential to undermine trust in the NHS, which has many knock-on effects for public health.

“The NHS is at the forefront of medical research, and this is increasingly facilitated by innovative technology, both in terms of ground-breaking medical devices as well as the computer systems developed for processing and analysing results,” a spokesperson told Digital Health.

“As we cross new technological boundaries, we need to make sure that these systems are protected from the start. Getting cyber security wrong has the potential to cause patient harm and undermine public trust in the NHS.

“By protecting data, we keep people’s trust so that they can continue to receive world class healthcare. Keeping data safe also saves lives.

“Cyber-attacks can cause cancelled appointments and surgeries, possibly resulting in care diversion to other hospitals.”

The WannaCry attack in 2017 put cyber security in healthcare squarely at the front of people’s minds, particularly those working in health tech. The topic gained traction at board level in NHS organisations, and governments across the UK announced immediate action to support the NHS to protect itself in the event of a similar attack.

Understandably, such a large-scale global attack warrants such a response, but data breaches also happen on much smaller, but no less impactful, scales.

In 2020 health tech giant Babylon admitted that three patients were able to view recordings of other patients’ consultations using its GP at Hand app. It was put down to a software error.

Babylon reported the issue to the Information Commissioner’s Office (ICO), which deemed no further action was required. While this wasn’t a breach of the highest scale, private medical information is often discussed in GP consultations and isn’t something patients want readily available to strangers.

More recently a cyber-attack left software and services provider Advanced experiencing major outages across many of its products.

Advanced provides many services to the NHS, including NHS 111 and patient check-in. According to data from Digital Health Intelligence, Advanced provides various systems across 36 acute and mental health trusts in England.

A forensic investigation is currently underway to determine if sensitive patient data was at risk.

Shifting to a patient care issue

The key question for many in the health tech industry now is how to shift cyber security from being purely a technological concern to also being a patient care concern.

Speaking at this year’s Digital Health Rewired, the national CISO for the Department of Health and Social Care, Phil Huggins, said he hoped to change people’s perceptions of cyber in health and social care.

“I am very keen that we move cyber from being a technology issue to a patient care issue,” he said.

In practice, what does that mean? For Sectra’s Åtting, that requires a shift in mindset from healthcare providers and medical device and IT suppliers.

“Security is not only about technology, security is also about usability, processes, policies and awareness training. The products must both be cyber secure and be effective and efficient for the intended medical purpose,” he says.

“It should be the intended clinical use of a product and the skill level of the users that sets the security requirements. It must be a joint effort between security experts, clinical experts and usability experts where the patient care is at the centre.

“This means that also medical device manufacturers must apply this mindset and way of working, they cannot add security to a product at the end by adding a few technical measures.”

Specops’ Ward adds that security and ease of use should be equally considered when delivering technology.

“End users typically don’t like to use complex systems, they’ll find ways to work around them, and these workarounds usually involve some compromise in security, for example reusing a password, sharing a password or not confirming who the user is when they call in to the service desk,” he said.

“We know that everyone in the NHS has joined that organisation because they care about their patients, so we at Specops agree that if we can convince NHS staff about the importance of cyber security and show them that it doesn’t need to be an onerous task then at the same time they help secure their patients’ data – that is a great step in the right direction.

“Ultimately everyone in the UK will be a ‘customer’ of the NHS at some point in their lives, and as such it would be good for us all to know that the extremely private and personal data we trust the NHS with is secure.”

The current picture

NHS Digital says the organisation, along with its counterparts NHS England and the Department of Health and Social Care (DHSC), is always looking at “how we can best ensure the protection of patient and staff data, including identifying and adapting to evolving threats”.

The organisation provides a number of services to help NHS organisations better understand and mitigate security risks, including:

  • NHS Secure Boundary – a next generation firewall (NGFW) and web application firewall (WAF) that safeguards from digital and cloud-based threats.
  • Data Security Protection Toolkit – an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s 10 data security standards.
  • Cyber alerts – a system that alerts affected organisations about vulnerabilities.
  • Keep IT Confidential campaign – what NHS Digital describes as a “pick and mix” communications toolkit that organisations can use to educate staff about data protection.

Case study

Cyber Associates Network

NHS Digital runs a Cyber Associates Network, launched in 2019, which allows technology suppliers and healthcare organisations to share their own experiences to better test and deploy cyber security solutions.

Three years later the network has more than 2,000 members across public-sector health and care.

“Crucially, networking with cyber peers across health and care increases our ability to defend as one against cyber threats. It is all about making sure that frontline services have the digital infrastructure that they need to give patients the best possible care,” an NHS Digital spokesperson said.

A plethora of other work is also underway across government and NHS departments, including the National Cyber Security Centre (NCSC), the Cabinet Office, and the Department for Digital, Culture, Media and Sport (DCMS).

The DHSC recently published its data strategy – ‘Data Saves Lives: Reshaping Health and Social Care with Data’ – which focuses on harnessing data to drive better health outcomes, while also putting data such as care plans back in the hands of patients.

While it aims to improve the country’s use of data, including for research and better care planning, it also recognises the importance of security with a renewed emphasis on trusted research environments (TREs).

A note to remember

For all its benefits, technology is not infallible. Something as small as an internet outage can wreak havoc on an NHS IT system.

Therefore, it’s vital that technology suppliers plan with failure in mind; that way, if disaster strikes, plan B doesn’t need to be developed on the spot.

As Åtting puts it: “Despite all effort to secure systems and devices we must be aware that things will fail. It’s therefore important to plan for failure, have up to date continuity and disaster recovery plans, and to test them regularly.”