ESET Threat Blog

Archive for the 'NHS' Category

Public Health and the BCS


Monday, July 20th, 2009

SC Magazine included an interesting item today on security and confidentiality in the UK’s National Health Service. Anders Pettersson has suggested that the NHS is too busy to be harassed over data protection/data leakage issues, and that the security industry should "come together to educate NHS Trusts and other organizations on simple measures to protect data."

That sounds fair enough, given the constant emphasis in the media on leakage incidents from the NHS and other public sector organizations, but I think it stems from a very simplistic perception of both the NHS and its security problems. There’s a very English perception of the NHS either as a monolithic organization, or as a collection of loosely coupled hospitals and doctors’ surgeries. Actually, it’s both and neither. (For a start, there are a great many people working for the NHS who don’t work in hospitals and surgeries: there’s an immense support system that most people are not really aware of.)

The NHS is actually more like a disparate collection of departments and subsidiary organizations linked by a more-or-less common infrastructure, and itself subsidiary to the Department of Health and interfacing on several levels with local and central government (and, indeed with itself: your view of what constitutes the NHS can be quite different according to which of the countries that make up the UK you happen to be in.)

And it’s pretty big. Figures like 1.25 to 1.4 million employees, around three million network nodes, 9-10,000 sites are sometimes quoted, and comparisons with the Chinese army and the Indian railway system are often made. So educating all those people at all those end sites is not a matter of simply writing a pamphlet and holding a couple of seminars. Is that the job of the security industry, though?

Well, I do believe we have a responsibility to make good information available and raise the general level of education. But I happen to know that the NHS is not fully staffed with IT illiterates. In fact, there was some pretty solid security expertise in the NHS earlier in this decade, both in the centre and at many of the end sites, though some of the effectiveness of those people was reduced by corporate dogma, even then.

As the new millennium wore on, it appeared to be taken as read in the corridors of power that the NHS should not be involved in hands-on security, at any rate as a central function. Instead, a model came in whereby end-site security was essentially the responsibility of end sites, responsibility for outsourced services was with the service provider, and the Information Governance team at NHS Connecting for Health would essentially concentrate on the security of central applications.

One of the by-products of this approach is that NHS organizations of any size are supposed to have specialized staff such as Data Protection Officers, who would deal with the requirements of the Data Protection Act and related issues, and Information Governance Managers who tend to be tasked with the whole range of security management. If some of them fail to convey messages about security and data protection to everyone they work with, is that because they’re naive incompetents, or is it because they’re struggling to keep up with the inconsistent demands imposed from above? (I mean national government, not just the next layer of local bureaucracy, though I’m sure it’s possible to find both spectacular ability and naive incompetence at all levels…) 

Here’s a naive thought: perhaps when you outsource a service or devolve responsibility back to an organization at the perimeter, that’s not the same as absolving yourself of responsibility. If end sites have not been adequately prepared for devolution, maybe that transition hasn’t been entirely their fault.

Curiously enough, there’s a recent initiative by the British Computer Society (BCS) that may offer some hope. The Personal Data Guardianship Code is aimed squarely at changing the culture of organizations as regards the handling of personal data, and addresses many of the issues Anders Pettersson wants addressed, without necessarily delivering the public sector into the hands of the security industry. Why is that a good thing? Because while (most of us) do have a sense of morality and conscience, and while we certainly can come together in the public interest (AMTSO is a pretty good example of that, though I can’t deny that the industry also benefits from good testing), we’re not always impartial. Having looked through that document, I think it would give any organization in the UK (not just in the health service) a good starting point for educating its users. Indeed, it will work for organizations outside the UK and Europe (many European countries have similar legislation to the Data Protection Act, based on EC directive 95/46/EC) because it focuses on general principles, not on a single technical solution.

That’s where responsibility starts, and that’s the first step towards effective security.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

California Healthcare Breaches


Saturday, July 11th, 2009

Sadly, I’m now back in not-so-sunny England, but one of my colleagues forwarded me an item about security breaches reported by healthcare organizations. On January 1st it became mandatory in California for such organizations to report incidents where non-anonymized patient data may have been intentionally or unintentionally disclosed to someone unauthorized. In the first five months, more than 800 incidents were reported by organizations and patients.

While most of the incidents reported so far seem to have been incidental (such as faxing documents containing personally identifiable patient data to the wrong number), there are one or two reports that have a much higher profile. According to Kim Zetter’s article in Wired, 23 hospital workers accessed, without authorization, the records of a single mother on public assistance who gave birth to octuplets, while the actress Farrah Fawcett filed a complaint before her death accusing employees of the UCLA Medical Center of leaking information about her to the National Enquirer.

Zetter also notes that healthcare providers in California have criticized this legislation for being “too rigid”. Perhaps that’s not surprising, since a breach can cost an organization or individual up to $250,000. However, it seems fairly mild from a European perspective.

There, all personal data (not just medical data) are subject to legislation like the UK’s Data Protection Act based on an EC (European Community) directive (95/46/EC), which every EU member state has used as the basis for national legislation. The UK Act, for example, defines eight Principles that data controllers are required to abide by. However, there is also a great deal of healthcare-specific legislation to which both private and public sector organizations are required to conform, some of which also has a direct impact on privacy and data control. (In the UK, most healthcare comes within the domain of the National Health Service, which in turn is controlled by the government’s Department of Health.)

The NHS Code of Practice on Confidentiality published by the Department of Health actually defines three main classes of data:

  • Patient Identifiable Information includes information that identifies an individual patient directly or indirectly.
  • Anonymised Information has had data removed that could be used to identify the individual.
  • Pseudonymised Information includes data keys (unique references such as a patient number or code) that cannot be ascribed directly to an individual in the context of that specific data, but which can be used by authorized persons to access personal information where necessary from other data sources.

The many recorded instances of data breaches within the NHS and other government organizations show that there’s a lot more to data protection than classifying data. However, the implementation of such classifications, in combination with measures for controlling who has access to information once it has been classified, can go a long way towards reducing the impact of security breaches.
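To make the three classes concrete, here is an added illustration (my own example, not from the Code of Practice or from any NHS system) of what anonymisation and pseudonymisation look like in code, and of the access control the paragraph above calls for. The records, field names, the secret key and the role names are all constructed for the demonstration; the pseudonym is derived with a keyed HMAC so that records for the same patient stay linkable while the mapping back to a person lives in a separate, access-controlled identity store.

```python
import hmac
import hashlib

# Constructed sample records: hypothetical patients, not real data.
RECORDS = [
    {"patient_no": "P-0001", "name": "Alice Example", "dob": "1980-04-12",
     "postcode": "LS1 4AP", "diagnosis": "asthma"},
    {"patient_no": "P-0002", "name": "Bob Example", "dob": "1975-09-30",
     "postcode": "E1 1BB", "diagnosis": "diabetes"},
]

# Fields that identify a patient directly or (in combination) indirectly.
DIRECT_IDENTIFIERS = ("patient_no", "name", "dob", "postcode")

# Constructed key for the demo; in practice this would come from a key store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def anonymise(record):
    """Anonymised Information: strip every field that could identify the
    individual, keeping only the clinical content. This is irreversible."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonymise(record, secret_key):
    """Pseudonymised Information: replace the patient number with a keyed
    pseudonym (HMAC-SHA256, truncated) and drop the other direct identifiers.
    The pseudonym is stable per patient, so records can be linked, but it
    cannot be resolved to a person without the key and the identity store."""
    digest = hmac.new(secret_key, record["patient_no"].encode(), hashlib.sha256)
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudonym"] = digest.hexdigest()[:16]
    return out


class IdentityStore:
    """Holds the pseudonym -> patient_no mapping apart from the pseudonymised
    data set. Re-identification is permitted only for roles on the allow list
    (hypothetical role names), and every attempt is written to an audit log."""

    def __init__(self, secret_key, records, authorised_roles=("clinician",)):
        self._map = {pseudonymise(r, secret_key)["pseudonym"]: r["patient_no"]
                     for r in records}
        self._authorised = set(authorised_roles)
        self.audit_log = []

    def reidentify(self, pseudonym, role):
        allowed = role in self._authorised
        self.audit_log.append((role, pseudonym, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not re-identify patients")
        return self._map[pseudonym]


if __name__ == "__main__":
    store = IdentityStore(SECRET_KEY, RECORDS)
    for rec in RECORDS:
        print("anonymised:   ", anonymise(rec))
        print("pseudonymised:", pseudonymise(rec, SECRET_KEY))
    pseudo = pseudonymise(RECORDS[0], SECRET_KEY)["pseudonym"]
    print("clinician lookup:", store.reidentify(pseudo, "clinician"))
    try:
        store.reidentify(pseudo, "researcher")
    except PermissionError as exc:
        print("researcher lookup refused:", exc)
    print("audit log:", store.audit_log)
```

The point of splitting the data this way is that a leaked pseudonymised extract (the common research or reporting case) does not on its own identify anyone, while the identity store can be locked down and audited far more tightly than the working data set.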

Strict legislation may be irksome, but sometimes you just have to balance an organization’s aversion to the risk of paying large fines against the need to protect the privacy of the individual.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Threatblog notifications: http://twitter.com/esetresearch
White Papers Page: http://www.eset.com/download/whitepapers.php

NHS: healthcare security and national insecurity


Wednesday, May 27th, 2009

I really ought to be concentrating on some writing deadlines, but I couldn’t ignore this item, flagged by Graham Cluley, Sophos blogger-in-residence and karaoke star. (I have to say that because I was rather rude about his singing at Infosec last month.) Graham and I both live in the UK, so the state of health of our National Health Service (NHS) is rather important to both of us.

Graham’s blog concerns the news that the UK Information Commissioner, whose office is concerned with such issues as data protection, privacy and freedom of information, has taken action against 14 NHS organizations that breached data protection legislation in some way, resulting in the loss or potential exposure of personal data.

The BBC reported that "between January and April this year there were 140 reported security breaches within the NHS – more than from central government and local authorities combined," while the Independent claims that the number of security breaches reported was only slightly less than the total number of breaches reported in the private sector. But perhaps we should get a little perspective here. Even in the UK, there is little understanding of what the NHS is, and how it works.

A great deal of NHS (and other public sector) functionality has been farmed out to private industry in the hope of cutting costs (yeah, right) and transferring risk. (Unfortunately, you can only transfer risk if the other party is prepared to accept it.) A significant number of press reports about data leakage in the public sector have taken little account of the involvement of private contractors and fuzzy interfaces with other groups such as local government, the prison service and so on. Nor is it generally realized that the NHS in general is subject to a degree of scrutiny that simply doesn’t happen in the private sector, or even in the more secret nooks and crannies of the State. Who really believes that the incidents reported to the Information Commissioner’s Office represent more than a fraction of all the data leakage incidents that take place in an era where massive databases can be carried back and forth on a DVD or a thumb drive?

The NHS isn’t one monolithic organization: it’s an "umbrella" directly employing (last time I checked) well over 1 1/4 million people in many thousands of semi-independent organizations, subject to strict budgetary and administrative controls imposed from central government via the Department of Health. The whole is loosely tied together by central networks and systems where some security functions such as messaging security are administered centrally (albeit by proxy: very little hands-on security is administered "in-house" in Leeds and Whitehall), but the local organizations that make up the bulk of the Service were told several years ago that they were responsible for their own local security and central guidance was withdrawn, or reduced to generic policy statements.

There does seem to have been some softening of the "you’re on your own and it’s your fault if it goes wrong" position: for instance, a centrally negotiated disk/media encryption solution became available some time ago which should have been deployed by now and may have mitigated the potential damage from some of those 140 breaches, but who knows?

However, the real issues here have little to do with security and everything to do with politics, the media, and the psychology of society. NHS and other public sector sites have fallen victim to the electioneering bluster of politicians of all parties, the media thirst for drama and bad news, and public disillusion with a government that has unaccountably failed to return England to a golden age where prescriptions were free, banks didn’t crash, most adults had a job, no-one had heard of AIDS or MRSA, and the Beatles were still together.

There is certainly a lot wrong with NHS security, and some of those million+ people have made massive blunders, but the Service still employs a great many competent and motivated people who don’t deserve to be treated as a political football and national scapegoat by a government and society that’s still struggling with the difficulties of online culture and finding its own place in the modern world.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Mytob and the National Health Service: a Matter of Trust


Thursday, November 27th, 2008

Okay, sorry about the horrible pun. It suddenly occurred to me that people (especially those from outside the UK) might be somewhat shocked that the Barts and the London NHS Trust, a group of three major hospitals in London, took so long to deal with a malicious program that was, apparently, detected by their provider as long ago as January 2008. I still don’t know exactly how a fairly elderly variant of a positively antique mass mailer managed to escape both the on-site anti-malware service and the NHS email service protection, but it doesn’t surprise me that the Trust’s IT team were cautious about the recovery, prioritising clinical areas rather than administrative staff.

Some years ago, the entire NHS suffered a fairly lengthy network outage because the Code Red worm was known to be infecting some unprotected machines. At that point, there were over three million systems known to be connected to the NHS network – I’ve no idea what the current figure is but I doubt if it’s less – so it would have been miraculous if there were no unprotected or infected machines. So there were two main considerations: (1) essential services shouldn’t be disrupted – and by that I mean clinical services, not the director of something or other being unable to track something he was auctioning (or bidding on) on eBay; (2) the NHS should not be transmitting malware to the rest of the world. In a rational, properly secured healthcare organization, a networking problem, even over days rather than hours, really shouldn’t endanger lives. So the WAN service was severely restricted while a handful of machines were traced and cleaned/patched, but life went on in Britain’s health service: it was a little more difficult to keep the wheels greased, but no panics or mass burials.

This time, too, there seems to have been a determined effort to maintain control and balance: a crisis, but not the drama you might have expected. In fact, in spite of our increasing dependence on sophisticated electronics, it looks as if healthcare is still about people making do and coping, not about The Machine Stops. Which cheers me up, anyway. Political dissensions notwithstanding. :)

David Harley CISSP FBCS CITP
Director of Malware Intelligence.

Mytob and the NHS: Trigeminal Nostalgia


Tuesday, November 18th, 2008

I’m still in Washington, but have just picked up some news that reminds me not only of home, but of my job of a few years ago, when I worked as a security manager for the UK’s National Health Service. It’s been announced that the Barts and The London NHS Trust, which includes several of the best-known hospitals in London (St. Bartholomew’s, the Royal London, and the London Chest Hospital), has been hit by a virus (apparently a version of the venerable Mytob email worm). It’s been commented that an urgent review of the Trust’s security policy is needed. That couldn’t do any harm - how come so many systems were apparently compromised? - but the problem may go a little deeper than that.

Unless the infrastructure has changed dramatically in the last 2 1/2 years, much NHS email (and there is a lot of it – well over a million people work for the National Health Service) goes through a mail service currently called NHSmail. NHSmail (which is at least the third incarnation of this particular service) was intended to replace the relay services that carried the bulk of NHS email at the beginning of this decade. The current service is defended by "cutting edge" anti-virus and anti-spam, and that protection was supposed to have been extended to the relay services several years ago. So, there is certainly a question to be asked about the state of the Trust’s own email defences. I have to wonder, though, how email-borne malware can apparently still get through to an NHS site as easily as it could earlier in the decade, when email services were far more fragmented and decentralized.

David Harley CISSP FBCS CITP
Director of Malware Intelligence