Stephen Allcock, Director, Public Sector UKI, explores why identity security is crucial to maintaining the integrity of data in the NHS
The NHS is the fifth largest employer in the world. One of the biggest challenges faced is staff shortages and turnover, with thousands of vacancies across nursing, clinical and admin roles at any one time. With 1.7 million workers to keep track of in terms of access rights and responsibilities, this level of movement is a huge headache for both the frontline and back-office functions.
That’s because, aside from the major admin involved, it’s also a huge security vulnerability. Staff need to have the right access to the right information to carry out their jobs, but it should be no more, and no less than their responsibilities allow. Failure to keep a tight grip on this could lead to access being compromised, increasing the likelihood of a breach occurring.
It’s made even more complex by the level of sensitive information the NHS deals with on a daily basis – more than 200 NHS Trusts see on average one million patients every 36 hours, while by 2025, the annual growth rate of data for healthcare is predicted to reach 36%.
Keeping sensitive data and confidentiality secure is a top priority for the NHS and crucial to maintaining its integrity. Effective identity and data security structure can provide the infrastructure for the NHS to operate efficiently – even as workers come and go and new information comes in, helping it to stay as secure as possible.
Protective measures are a necessity
Any breach within the NHS could potentially have a detrimental effect – the average healthcare breach costs £6.6 million alone. Data security, therefore, needs to be the beating heart of the NHS structure.
NHS security leaders need to understand how information is being used and who has access. It is vital to ensure the NHS has control over information and data in its control. What’s more, measures must be in place to protect data from inappropriate use. It needs to know if and when there has been a data breach and how to act on it as soon as it becomes aware of an infringement.
Timing is everything. It can take weeks or months to detect if there has been an unauthorised data breach, with no way of knowing what information has been accessed unless there are sufficient safeguards in place.
Governance and regulation
The NHS has some of the most stringent regulations in place to protect sensitive data. The Data Protection Security Toolkit (DPST) is just one element of control for access to NHS data. The online self-assessment tool allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS sensitive data and systems need this toolkit to provide the assurance that they are practising good data security and that personal information is being handled correctly.
The National Data Guardian is in itself an independent body that oversees patient data and acts as a safeguard on the use of information. It allows patients to participate in the national patient opt-out, indicating that they don’t want their confidential patient information to be shared for purposes beyond their care across the health and care system in England. On top of that, the NHS has to comply with the general rules governing GDPR, which regulates how organisations gather, use and manage personal data. The seven Caldicott Principles also provide the overriding governance rules that dictate how the NHS gathers, stores and uses sensitive information. Of course, none of this is possible unless the NHS has a full and transparent understanding of what is happening to its data.
Managing unstructured data
An NHS Trust has potentially millions of documents in hundreds of thousands of folders, and across multiple repositories – both on-premises and in the cloud. This is typical “Unstructured Data” which accounts for around 80% of the total data that a trust holds – and which becomes impossible to manage. Some of the common themes we see are personally identifiable information and sensitive information being stored in the wrong place, over permissive access to sensitive data, no centralised identity governance process, no auditing on access, no monitoring of privileged account use and data being held outside of a retention policy.
The key is to ensure that the NHS can classify their data and put processes in place to manage access to it. An understanding of the types of data, knowing where it is, and providing adequate controls are all vital aspects of adhering to the DPST, Caldicott Principles and GDPR governance. This will allow organisations to know who has access to different levels and sensitivity of data and enable organisations to build an up-to-date asset register. Visibility into where all of the sensitive data resides, who has access to it and the auditing in place through identity security is crucial to understanding where any vulnerabilities may lie. This can subsequently help organisations mitigate against inappropriate use or a cyber-attack such as ransomware.
Data governance sits at the heart
A data breach can cause irreversible harm to not just reputation, but also to patient welfare. That’s why data governance sits at the heart of the NHS. Sensitive data must be protected at all costs – but to do this it needs to be managed appropriately. By aligning, streamlining and controlling this data through identity security, ensures the NHS continues to provide critical services, without any disruption.