Sidewinder on setting security standards

Are guidelines enough when it comes to IT security in the NHS, or has the time come to consider the standards approach? Davey Winder investigates…
There can be no denying that it has been a rough 18 months for the NHS as far as IT security is concerned, given the well-documented catalogue of data breaches reported as part of the Department of Health’s recent review of NHS security.
According to the GP website, Pulse, problems have included 58 incidents in which patient records were lost on memory sticks, in the post, on stolen laptops and even just thrown away in the rubbish.
A DH spokesperson responded that guidance on information governance had been issued to all branches of the NHS, and that good security is essential, which is why “we place so much emphasis in our guidance” on the way information is held and shared within the NHS.
Yet some security experts, both within and outside the NHS, are starting to question whether it is enough to rely on NHS Connecting for Health (NHS CFH) guidelines and assorted best practice documents. Some are suggesting that more is needed, and that it may be time for security standards to be implemented across the health service.
An obvious candidate is ISO 27001, which replaces the old British Standard BS 7799-2 and specifies how an organisation sets up and maintains an information security management system (ISMS) that aligns with other management and audit standards.
(A whole family of ISO 27000 standards is being developed, although at the moment we are only up to ISO 27002, the code of practice that catalogues the specific information security controls an ISMS can draw on.)
The pro view: standards reduce downstream costs
Ian Kilpatrick, chairman at Wick Hill, is in no doubt that the NHS should be using both ISO 27001 and ISO 27002, as well as X.805 for wireless. “As a lead organisation, in terms of breadth of vision, spend and more importantly risk,” he told me, “it sets a bad example both domestically and internationally for the NHS to depend on guidelines rather than standards.”
He feels the NHS may be reluctant to go down the standards route because of its need to meet infrastructure goals within a budget, but he argues that “the correct implementation of standards not only reduces downstream costs, particularly in remedying security failures, but also provides the security framework and environment where users are security aware.”
The anti view: ISO 27001 would not improve security or patient care
Not all security experts agree, however. Bill McAvoy, a managing consultant at Quicksilva, believes that ISO 27001 and NHS CFH are pretty much complementary when it comes to security.
“Recent data leaks in the NHS and other government departments appear to have been the result of breaches of local controls: neither would have been stopped by ISO 27001,” he says, adding that “these are issues at a local, trust level.”
Indeed, Mr McAvoy struggles to see where something like ISO 27001 would add any real value to the management and security of NHS data, where existing policy is already rigid. “If people want assurance on security, this is already provided for through internal audits,” he insists.
“And when it comes to NHS CFH guidance, this is based on national and international health standards. The risk with ISO 27001 is that a large investment is made without really positively improving security or patient care.”
Local security ownership
Perhaps the most persuasive arguments come from Darren Salt, who recently left the NHS to work for security consultants Corsaire. He says conformity or otherwise with aspects of ISO 27001 is handled by the NHS’ Information Governance (IG) toolkit, which covers paper as well as electronic controls.
Responsibility for completing the annual toolkit return to the DH usually falls to information governance coordinators, who report directly to Caldicott guardians. As such, Mr Salt says, “the toolkit return is a self-assessment box ticking affair” with no external audit of compliance, and it “offers little in the way of tangible benefits.”
Despite NHS CFH guidance and best practice, and the multitude of training materials to be found here on the Microsoft NHS Resource Centre and similar websites, Mr Salt argues that while ownership of security issues rests locally, there will continue to be problems.
“If compliance with ISO 27001 was mandatory, it would necessitate a more disciplined and structured approach to managing the complexities of security in the NHS,” he argues, adding that it “would also give directors and chief executives in the NHS the assurance they need to ensure that security risks are being appropriately managed via external security audits.”
Money badly spent
Now I am all in favour of appropriately managing security within the NHS, but it also has to be done within a framework of budgetary restraint. That is the real-world situation, and it is unlikely to change. The dirty truth of the matter is that the NHS is inadequately resourced when it comes to proactive security management.
With little hard evidence to suggest that ISO 27001 would heal the wounds left by the data breaches of the past year, it is hard to see the powers that be regarding the substantial cost of standards compliance as money well spent.
The trouble with standards is that there are so many of them; there is no one-size-fits-all solution. So I am left with the gut feeling that available funds would be better spent on ensuring that the lessons of the past year are learned, that staff are properly educated and that IT managers are able to ensure that security policy is both sufficiently rigid and sufficiently enforced.
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.