Secure Data in Motion: iSEEU

Secure Data in Motion with iSEEU Global

The iSEEU blog is concerned with all aspects of secure data in motion including information governance, data breach, data protection and secure collaboration tools.


ICO letter to local authorities urges data protection compliance


[image: Data Protection Compliance - Christopher Graham, Information Commissioner]

It has been reported that Christopher Graham, the Information Commissioner, has co-written a letter with Sir Bob Kerslake, head of the civil service. It has been sent to all English local authorities encouraging them to improve their data protection compliance and policies.

The letter was issued in the same week as the ICO issued a record fine to Midlothian Council - £140,000 for mis-sending sensitive documents on children and their carers on five occasions - and in the wake of a sequence of fines during 2011 for data breaches.

Promoting data protection compliance

The letter is reported to be similar in tone to one issued last year to data protection officers in the health sector. The letter is likely to recommend the following measures for promoting data protection compliance:

  • Observe published guidance when creating information governance policies,
  • Require staff to undertake information governance training,
  • Ensure that a board-level individual is appointed to act as senior-level 'risk owner' responsible for data protection compliance, and
  • Communicate continuously with staff to make them aware of information governance policies and guidelines.

Further powers for data protection enforcement?

The ICO has also requested that the Ministry of Justice give it power to carry out compulsory audits of public bodies. This seems a sensible measure and one that is likely to be granted.

If it is, it will surely increase the pressure on public bodies to find ways of enforcing data protection compliance given the ICO's stated aim of focusing on health and criminal justice in 2012.

 

[image credit: www.ico.gov.uk]

Megaupload and the risks of file sharing sites


[image: File sharing sites and data security - FBI Anti-Piracy Warning]

If you work in IT or data protection, it's highly likely that you're aware of the Megaupload case. The subject is remarkable for a number of reasons, not least because of the 'enigmatic' Kim Dotcom, the company's founder and figurehead who is awaiting extradition to the USA on charges of racketeering, copyright infringement, and money laundering.

However, it is the issues around data protection and data security that are most intriguing.

File sharing sites - a simple solution to moving large files quickly...?

DepositFiles, ORON, Uploading, WUpload, FileSonic, Uploaded, HotFile, ZShare, FilePost, FileServe... 

Megaupload is just one of a number of free file sharing sites that provide a simple means to upload and share a large file. Using them has become commonplace for most internet users and, according to reports, 50m users had an account with Megaupload. The challenge for data and information professionals is that individuals within their organisation will resort to them as the path of least resistance when they are in a rush.

Whilst these file sharing sites offer zero cost, ease-of-use and open access, they don't provide any protection for sensitive data. They should absolutely never be used for anything relating to work, never mind any kind of sensitive document. 

Who's in control of the data?

One of the other issues that the case highlights is how much control you have over data placed into one of these sites by someone in your organisation.

The Register reports that data stored on Megaupload may start being deleted from as early as Thursday this week. Whilst there is likely to be a very high proportion of copyrighted material amongst the data on Megaupload's servers, there are also documents, backups, family photos and videos, all of which cannot currently be accessed as the site has been closed (see image above).

We would urge a campaign to spread the message to everyone in the organisation, using the Megaupload case as an example. Make sure that individuals in your organisation do not place data on file sharing sites, and provide them with alternative solutions that are both secure and easy to use in both everyday and emergency situations.

Securing data to meet NHS Information Governance aims


[image: NHS Information Governance Aims]

One of the main challenges for NHS Information Governance professionals is ensuring that patient data is kept confidential and secure while ensuring staff have access to the information they need, when they need it. It's a challenge faced by every part of the NHS every day.

Competing demands on information governance

Information Governance professionals know what a tricky task it is - balancing the need to act swiftly but securely. Getting it wrong could not only mean a fine from the Information Commissioner's Office but also puts at risk the trust between carers and patients.

A survey of 1000 patients carried out last year found a third of them would travel more than 30 miles for treatment to avoid being treated at a hospital they didn't trust to keep their medical records confidential.

More challenges: cost-cutting, complexity, telehealth

It seems likely that the headaches faced will only become more severe in the next few years, especially as the NHS places even greater emphasis on carers from different services, within the NHS and outside it.

Additionally, the Department of Health is launching projects such as the 3 Million Lives telehealth initiative, which are based around sharing even more patient information electronically, complicating the information governance picture still further.

Securing data to support information governance

Against this background, you need to create an environment which makes it quick and easy for your colleagues to do their jobs while still handling patient information appropriately.

A key component of any information governance strategy will be to implement processes and technologies that secure data when it is being sent to someone else involved in a patient's care.

Tools for sending data need to allow information to be transmitted easily between clinicians, carers and patients while preventing it from being intercepted, lost or accidentally shared with the wrong people.

Download our white paper for more information. We explain how secure data in motion can help you and your colleagues address your Information Governance challenges and provide a useful checklist of what to look for in a secure data solution. 


ICO to "focus on NHS data protection and criminal justice privacy"


[image: NHS Data Protection, Criminal Justice Privacy, ICO]

The recently published information rights strategy suggests that the ICO will put considerable focus this year on enforcing data protection in the health and criminal justice sectors. What this is likely to mean is significant sanctions for organisations where there are easily avoidable data breaches.

In the strategy, the ICO admits that it has to identify priorities whilst fulfilling its legal obligations. There are particular concerns about NHS data protection due to a legacy of data breaches. Privacy in the criminal justice sector is a concern because of initiatives such as crime mapping and the opening up of data sets. 

A firmer stance on data protection

The ICO has promised a firmer stance on data breaches and has even called for custodial sentences in serious cases. This indicates that the direction of travel is towards increased sanctions in the case of sensitive data being misdirected, lost or stolen.

The ICO can currently levy a fine of up to £500,000 for data protection offences and 2011 saw a number of fines where organisations had either lost USB sticks containing sensitive data or mis-directed data by emailing it to the wrong person.

What this means for professionals

The challenge for those working in health or criminal justice is to ensure that the correct information is available to those who need it in a timely fashion. Without the correct information, essential treatment, diagnosis or trials cannot progress. For that reason, there is always a temptation to find the path of least resistance and use non-secure tools like email or standard file transfer systems, even when they know they probably shouldn't.

We would urge professionals to be aware of the potential risks. Email is not a secure or controlled means of sending data. More importantly, human error can lead to email being misdirected. This was the most common cause of breach in the public sector in 2011. 

What are the alternatives?

NHS and criminal justice organisations need to look at the tools that are straightforward and easy-to-use but built with data protection enforcement in mind.

Secure data transfer solutions that control access, use two-factor authentication and provide control and audit capabilities can help professionals to take simple steps to prevent data breaches.

For more information or to arrange a demonstration, contact ISEEU Global now

 

[image credit: http://www.channelweb.co.uk]

The ICO and data protection enforcement: 2011 in review


[image: Data Protection Enforcement - the ICO in 2011]

Data breaches and data protection stories were never far from the headlines in 2011. The recent blog post from Sir Christopher Graham, the Information Commissioner, suggests that actions will continue to grow in 2012.

The ICO has a range of tools available to use against organisations that collect, use and keep personal information. Most often, a fine rather than custodial action is the outcome. However, last year a Parliamentary working group called for the use of custodial sentences in serious cases of data breach.

What data protection enforcement action can the ICO take?

The options open to the ICO are as follows:

  • serve information notices on organisations requiring specific information,
  • require an organisation to improve its compliance by issuing specific undertakings,
  • serve enforcement notices to ensure an organisation that has suffered a breach complies with the law,
  • conduct audits to check compliance within an organisation,
  • conduct audits to assess whether an organisation follows good practice in data protection enforcement,
  • issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act (occurring on or after 6 April 2010),
  • prosecute those who commit criminal offences under the Data Protection Act, and
  • report to Parliament on data protection issues that are of concern.

Prosecutions in 2011

In 2011, there were 5 prosecutions under the Data Protection Act. All related to individuals who had obtained personal details through their employment, either for personal information or for personal gain. Interestingly, prosecutions weren't made against individuals in respect of their responsibility for data protection enforcement.

Monetary penalties in 2011

There were 7 fines issued in relation to data protection enforcement during 2011. The majority related to local authorities though one was a private sector case. The level of fine ranged from £1,000 to £130,000.

The smallest of the fines was in the private sector where a law firm (ACS Law) failed to keep safe the sensitive personal information of around 6,000 people.

Misdirected data was the cause of most fines

The public sector cases tended to relate to situations where an individual had posted or, more often, emailed sensitive information to the wrong recipients, exposing sensitive personal data. The largest fine was issued to Powys County Council where details of a child protection case were sent to the wrong recipient (£130,000). Surrey County Council was fined after a staff member emailed sensitive personal data to the wrong recipients on three separate occasions.

It seems that email, often seen as a quick, reliable and secure delivery method, is the source of many data protection enforcement challenges for public bodies. Its speed and ease of use are obviously attractive, but organisations need to consider the risks and consequences of a data breach and look at solutions that combine control, audit, security and ease-of-use.

If you'd like to learn more about ISEEU's suite of data security tools, contact us now.

 

[image credit: www.ico.gov.uk]

ICO to pursue "practical but principled" data protection action


[image: ICO 2012 - Data Protection Act and Freedom of Information Act]

The Information Commissioner, Christopher Graham, has laid out the ICO's focus for 2012 on the ICO blog. "Practical but principled" application of the rules surrounding information rights is the primary focus.

The right to privacy and the right to know

It's clear from events in 2011 that navigating the world of information is getting more and more complex for organisations, public and private. The ICO is concerned with information rights - the Data Protection Act and the Freedom of Information Act - expressed succinctly as "the right to privacy and the right to know."

What is clear is that sanctions are set to increase against those who are unable to effectively observe and enforce the legislation in their organisations. Both data protection and freedom of information require governance and control over information and data within the organisation.

Threats to observation of data protection?

The Information Commissioner also warns that cuts and austerity shouldn't be seen as an excuse to avoid observation of the acts. 

"Just because rights are talked about doesn’t mean they are respected in the cold climate of austerity, with cuts in the public sector, cut-throat competition in the private sector – and an element of both in the voluntary bodies/charities sector. The danger is that rights are seen as a nice to have in the good times, but a bureaucratic inconvenience when times are hard."

Organisations warned not to cut corners

The Information Commissioner stressed in strong terms the need for organisations - public and private - to continue to observe data protection law, citing the potential for loss of reputation as well as potential fines of up to £500,000 for serious data breaches. 

Whilst acknowledging that 2012 is going to be challenging, the ICO confirmed that its soon-to-be-published Information Rights Strategy will leave no doubt of its commitment to defend and enforce information rights.

If you would like to know how iSEEU's portfolio of secure access, data sharing and collaboration tools can help your organisation with its data protection compliance, contact us now for more information or to arrange a demonstration.


Does healthcare reform make increased data breach inevitable?


[image: Healthcare Reform, Data Loss Incidents]

The NHS is currently undergoing its most radical shake up for many decades as significant budget cuts push forward the move to decentralise care into the hands of GPs. But what does this mean for information security and governance?

Frequent incidents of data loss in the NHS

Increased access to and sharing of resources and clinical intelligence has disconcerted many healthcare and IT professionals, as mounting incidents of NHS data loss put data responsibility and the consequences of data loss on the shoulders of clinicians. However, data in motion does not have to mean data at risk. Increased privacy training at all levels, together with the appropriate use of secure and intelligent software, could lead to better and more systematic data security measures across the NHS.

Decentralisation of data responsibility - are GPs and clinicians ready?

January 2011 saw a proposed move toward decentralisation of data responsibility within the NHS, whereby GPs and clinicians will be accountable for protecting patient information whether static or in transfer. Unfortunately the odds of increased data security in this situation do not look favourable; the NHS has a turbulent track record when it comes to protecting data, and particularly data in motion.

As it stands, it is very likely that we will see an increase in data breaches if decentralisation reforms proceed without paying attention to data security and privacy aspects.

Key steps to a robust data protection strategy

The first step in achieving a robust data protection strategy for the NHS is to conduct training to create an environment where data protection is as much a part of everyday operation as the washing of hands. Standardised training would help staff to understand the different ways in which data might be compromised, the importance of adhering to certain data handling procedures, and the personal risks associated with actual data loss: fines, lawsuits, time and the loss of crucial patient respect and reputation.

Secondly, it is imperative that the NHS re-assess the IT solutions they use to protect data on a daily basis. Procedures supported by specialist software can eliminate data loss, and this is where ISEEU™ Global can help. Our software is already in place in the health sector where it provides innovative working practices through secure telemedicine solutions that improve patient care while cutting costs.

Securing data in transit

Products such as ISEEU Global Courier can provide the NHS with an advanced secure file transfer solution that prevents unauthorized access to files sent electronically over public networks. With Courier, GPs or clinicians can securely send and receive large files and folders (of multiple megabytes or gigabytes in size) such as X-Rays, images or other information to and from specialists and consultants as easily as posting a letter. The software features encryption and an authentication check point which validates recipients so that confidential information remains protected. And as with all ISEEU Global software, Courier features an audit trail for tracking and reporting so that GPs can demonstrate compliance with stringent government security guidelines.

Utilising products designed by the technical specialists at ISEEU™ Global would provide both the knowledge and facilities to facilitate a shift in NHS data security, supporting a culture of privacy and protection. If a systematic data protection policy is implemented across the NHS, data loss could become a thing of the past.

For more information about our solutions for healthcare and NHS secure file transfer and collaboration or to arrange a demonstration, contact us now.

Related article: http://www.scmagazineuk.com/nhs-decentralisation--what-will-be-the-impact-on-security-of-data/article/197715/

NHS information security: iSEEU calls for end of USB memory sticks


[image: NHS Information Security: Calls for end to use of USB sticks]

The deadline looms for the introduction of heavy fines of up to £500,000 for organisations that breach data security rules (6 April 2010). iSEEU Global thinks that a serious review of NHS information security is due, starting with a ban on the use of USB memory sticks for storing and transmitting sensitive data in the NHS.

Data breaches of NHS information security could result in significant fines

ISEEU warns that failure to address the issue of data loss in the NHS will cost NHS Trusts hundreds of thousands of pounds and put the confidential files of millions of vulnerable patients at risk.

The catalogue of NHS data losses is unacceptable with the Information Commissioner's Office (ICO) slamming the Health Service as one of the worst offenders for data loss, reporting as many incidents as the entire private sector. 

Three USB memory sticks containing sensitive information relating to the diagnosis and treatment of cancer patients in Middlesex and Surrey were lost. The data contained in the USB sticks was in Word format - leaving the information entirely accessible to anyone with a computer. There is also the well-documented example at Stockport Primary Care Trust when a member of staff lost a USB stick containing data extracted from the medical records of some 4000 patients. 

It is clear that removable storage devices and other portable media are a prescription for disaster for the healthcare and the NHS and they should have a government health warning on them at the very least. In a private company such embarrassing and potentially damaging incidents would lead to a wholesale review of procedures and the NHS should be no different. With the Government taking a much-needed tougher stance on the issue of data loss, now is the time for Trusts to review data protection and put systems in place to protect sensitive patient information.

Encryption is not infallible

While encryption has been hailed as the way forward for NHS Trusts, it is clear that even encrypted devices are not immune to security risks. Just last month USB maker SanDisk issued a recall of its Cruzer Enterprise series of USB flash drives, which are password-protected with built-in encryption and are used by some NHS Trusts, because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the devices.

Why is portable media being used as an acceptable form of data transfer in the NHS in the first place, given the sensitivity of patient data and the implications for getting it wrong? 

The only way for government to ensure patient data is secure is to ban the use of removable media such as memory sticks and CDs which are all too easy to misplace or drop on the train. 

It is time for NHS Trusts to invest in their IT infrastructure and implement secure ways for NHS workers to remotely access central documents on the network safely and securely without the need to rely on haphazard quick fixes which pose serious security threats. Patients have a right to expect their personal information will be treated with the utmost care. 

NHS information security needs a robust, flexible, secure transmission solution

Investing in a robust, secure IT solution which allows safe transmission of sensitive data would make the current NHS reliance on removable media redundant.

iSEEU advises that NHS Trusts need to stop fire-fighting individual instances of data loss and start getting to the root of the problem. A review of IT infrastructure in the NHS is urgently required to address the issue of data access and transfer and to ensure that the Government's investment in networks such as N3 is not wasted. The cost of implementing secure remote access and secure data transfer solutions is not significant compared to the heavy fines, as well as the cost to Trusts' reputations, for losing valuable, confidential data.

While the appeal of the USB stick lies in its ease of use and cost effectiveness, there are similarly easy-to-use solutions that provide the robust security that USB sticks lack.

Find out more about iSEEU Global's portfolio of information security solutions or contact us to arrange a demonstration.

Remote working can mean business as usual


[image: Secure remote working means business as usual]

Public health issues such as swine flu have highlighted the need for businesses and organisations to plan for business continuity during office absences. Keeping business data flowing securely is a key concern, and one which businesses will focus on if the anticipated second wave of swine flu hits this winter.

Secure remote working solutions are in demand

Organisations such as ISEEU™ Global have seen an increase in enquiries for their secure data access and collaboration tools since the pandemic outbreak. The Global Accessibility and Collaboration Suite, which allows secure data access, transfer and virtual meetings, has received particular interest.

Phil Bullivant, Director of ISEEU™ Global commented: "The possibility that many offices could face larger than normal absences this season is forcing a review of contingency plans for remote working capabilities, leading business owners to question what systems to put in place.

"Enabling people to continue working if they are not able to access the office will be key to riding out the effects swine flu could have on an already struggling economy.

"There is, of course, the security aspect to consider when installing these systems. The standard software available can leave businesses wide open to security threats and may cause more damage in the long run. Installing secure solutions will involve planning time for consultation and installation, but most proactive businesses still have enough timescale to allow for this."

Real-time security with flexible access to data

Unlike typical VPN (virtual private network) solutions, the ISEEU™ Global Accessibility Suite delivers a highly secure solution for real-time remote working - data access and data transfer. Remote users have secure, fast and 'clean' access to their normal desktop applications without local caching of sensitive data to remote devices, and sensitive data files of any size or type can also be transferred securely without risk of being intercepted or lost in transit.

For managers aiming to liaise with teams, the ISEEU™ Global Accessibility Suite allows for effective remote management. The technology means users can not only securely access and transfer sensitive information, but can also easily meet in a highly secure virtual environment; something which until now could not be achieved without the skill and knowledge of an IT integration security specialist.

For more information about iSEEU's secure remote working solutions or to arrange a demo, contact us now.
