Microsoft | NHS Resource Centre


Microsoft NHS Resource Centre - Sidewinder on a matter of principle


Article

Sidewinder on a matter of principle

The latest healthcare IT news from the NHS Resource Centre

The basic principles of information security are enshrined in what has become known as the CIA Triad: confidentiality, integrity and availability. Davey Winder wonders whether they should be bolstered by some new principles, inspired by an ancient Greek.

NHS Connecting for Health (NHS CFH) says, quite correctly, that: “The principles of information security require that all reasonable care is taken to prevent inappropriate access, modification or manipulation of data from taking place.”

It points towards what has become known as the CIA Triad - confidentiality, integrity and availability - as the central pillars of data management best practice. And for good reason; if any of these principles were to be compromised, then the information healthcare providers need to protect is likely to be compromised also.

Principles in practice

I have no qualms with the NHS CFH information governance position that information must be:

  • secured against unauthorised access, to achieve confidentiality
  • safeguarded against unauthorised modification, to ensure integrity
  • accessible to authorised users whenever they require it, to deliver 24/7 availability.

However, I am minded to point out that the CIA Triad is now some twenty years old. Isn’t it perhaps time to update and expand on its principles?

I appreciate the irony in suggesting that we look back in order to move forward, but bear with me, as I look way back. All the way back to the 4th Century BC in fact and the Hippocratic Oath, which states (depending on which translation you refer to) that:

“All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.” That should be at the heart of all information security strategies.

Ten new principles to uphold

Without dismissing the CIA Triad, I think there are a number of new principles that deserve to sit alongside them. In no particular order, I would propose the following:

1. The principle of education: patients and staff alike must be aware of what access rights exist to confidential data.

2. The principle of cooperation: which acknowledges that all stakeholders must share in the protection of data, and that privacy and security policy must be developed in an open environment to ensure the broadest levels of trust.

3. The principle of secondary usage: that data retained for one reason is not used for another without proper consent.

4. The principle of patch management (this might not mean much to Hippocrates, but he can be forgiven for being 2,400 years ahead of the game): which demands that the focus should be on service packs followed by security updates, not the reverse.

5. The principle of compliance: which demands that security and privacy regulations (including the Data Protection Act, Human Rights Act, Freedom of Information Act and Access to Health Records Act) are strictly followed, and that abusers are disciplined by a regulatory regime with teeth.

6. The principle of testing: to ensure that software and security updates are always tested before deployment, as best practice requires.

7. The principle of accountability: to instil a designated hierarchy of compliance and responsibility.

8. The principle of convergence: security and access management tools that are synchronised rather than competing, using single sign-on and strong authentication, so that one policy governs both network and physical access.

9. The principle of encryption: which dictates that password protection alone is not enough, and that only encrypted personally identifiable data can be moved around safely on portable media.

10. The principle of disclosure: ensuring that patients whose data is affected by any breach are informed within an agreed time frame.


If, in the fifth millennium, medical practitioners should find themselves taking the Davey oath, even though it will take them longer to recite, it will be an honour!

Caldicott rules!

Although plenty of water has flowed under the bridge since the 1997 Caldicott Committee Report, it has to be said that the principles it highlighted deserve repeating today in the context of helping to build a secure environment in which patient data can be protected. Some are covered in my ten principles list, but the following must surely still apply too:

Principle 1 - Every proposed use of patient-identifiable information transferred within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate data guardian.

Principle 2 - Patient-identifiable information should not be used unless it is absolutely necessary.

Principle 3 - Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

Principle 4 - Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.
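The four Caldicott principles above describe a concrete technique as much as a policy: define each use in advance, transfer only the items that use justifies, reduce identifiability of what remains, and show each role only what it needs. The following is an added example, not code from the article or from NHS CFH, showing one way to apply them to a record before it leaves an organisation. The patient record, the purposes, the roles and the pseudonymisation key are all constructed for illustration; in practice the key would be held by the data guardian in a key store, and the purpose and role tables would come from the organisation's information governance register.

```python
"""
Added example (not from Davey Winder's article or NHS CFH): applying the
Caldicott principles of defined use, minimisation, reduced identifiability
and need-to-know access to a patient record before transfer.
"""
import hashlib
import hmac

# Constructed sample record; every value is invented.
SAMPLE_RECORD = {
    "nhs_number": "999 000 0001",
    "name": "Jane Example",
    "date_of_birth": "1964-03-07",
    "postcode": "SW1A 1AA",
    "diagnosis_code": "E11.9",
    "hba1c_mmol_mol": 58,
    "gp_practice": "Y00001",
}

# Principles 1 and 2: each proposed use is defined and scrutinised in advance
# and tied to the minimum set of items it needs (assumed purposes, not NHS ones).
PURPOSE_ITEMS = {
    "diabetes_audit": {"nhs_number", "diagnosis_code", "hba1c_mmol_mol"},
    "practice_planning": {"gp_practice", "diagnosis_code"},
}

# Principle 4: each role sees only the items it needs (assumed roles).
ROLE_ITEMS = {
    "auditor": {"nhs_number", "diagnosis_code", "hba1c_mmol_mol"},
    "planner": {"gp_practice", "diagnosis_code"},
}

# Principle 3: direct identifiers never leave in clear form.
DIRECT_IDENTIFIERS = {"nhs_number", "name", "date_of_birth", "postcode"}


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC-SHA256 pseudonym.

    A keyed hash rather than a plain hash means a recipient who knows the
    NHS number format cannot rebuild the mapping by hashing every candidate;
    only the guardian holding the key can re-identify a record.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PSEUDO-" + digest[:16]


def minimise_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Return only the items justified for `purpose`, with direct identifiers
    pseudonymised. An undefined purpose is refused rather than silently
    receiving the full record."""
    if purpose not in PURPOSE_ITEMS:
        raise ValueError(f"use {purpose!r} has not been defined and scrutinised")
    allowed = PURPOSE_ITEMS[purpose]
    extract = {}
    for item, value in record.items():
        if item not in allowed:
            continue  # not justified for this use, so not transferred
        if item in DIRECT_IDENTIFIERS:
            extract[item] = pseudonymise(str(value), key)
        else:
            extract[item] = value
    return extract


def view_for_role(record: dict, role: str) -> dict:
    """Principle 4: a role sees only the items it needs. Unknown roles get
    nothing rather than everything."""
    if role not in ROLE_ITEMS:
        raise PermissionError(f"role {role!r} has no defined access")
    return {k: v for k, v in record.items() if k in ROLE_ITEMS[role]}


if __name__ == "__main__":
    key = b"guardian-held-key-for-illustration"  # assumed; use a key store
    # Minimise for the purpose first, then restrict by role, so a role
    # never sees more than the purpose itself justified.
    extract = minimise_for_purpose(SAMPLE_RECORD, "diabetes_audit", key)
    print(view_for_role(extract, "auditor"))
    print(view_for_role(minimise_for_purpose(SAMPLE_RECORD, "practice_planning", key), "planner"))
```

The order matters: minimise for the purpose first, then filter by role. Doing it the other way round lets a role's broad view leak items that the specific use was never justified to receive.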
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.