Monday, 7 February 2011

The tragic state of NHS information security.

Recently, I have taken some time to examine the state of information security within the NHS. What I have found is a culture which would shock most information security professionals and should dismay those responsible for ensuring the safety of what is deemed to be sensitive personal information, according to the Data Protection Act.

My sources of information vary from direct observation to anecdotal evidence albeit evidence from trustworthy sources.

My interest in NHS information security stems from a chat I had with the chap who was (at the time, 4ish years ago) responsible for the security of the links between NHS trusts. My question to him was innocent enough - 'Who is responsible for the security of the endpoints?' I was surprised to discover the response 'They are.' Meaning, the local trusts, hospitals or even surgeries.

Following on from that chat, I have taken particular interest in the security of information whenever I am in an NHS environment. I have visited several hospitals, primarily when visiting friends or family. I have visited many surgeries and other NHS trust buildings when employed as a contractor for the NHS, and I have family working within the NHS who often ask my advice concerning the security of their systems.

In every - not most - every hospital I have visited, the mail is delivered around the hospital by trolley, the trolley is left outside wards unattended while the post for each ward is delivered within. It would be trivially simple for an individual to take post from the trolley.

In one particular NHS trust, all laptops were fitted with whole disk encryption. The whole disk encryption installed onto the laptops had the SAME password across the entire estate and the password was written on at least two of the laptops. I have no experience of other trusts' laptops so I cannot state how widespread this problem is.

I have witnessed account sharing on many sites. This is particularly endemic within small user groups, medical centres and doctors' surgeries, although it is not limited to them. It should be noted that central medical records are protected via a secure session using two-factor authentication; however, many other sensitive client details and reports are recorded on the hosting computer, with little or no protection afforded to them.

Physical security within the NHS is abysmal. In every - not most - every hospital I have visited, I have noticed network equipment cabinets that members of the public could easily access, either to install an additional device or to cause major disruption by disconnecting cables.
The physical protection afforded to computer systems within treatment and consulting areas in medical centres, surgeries and hospitals is sadly lacking. Many areas are protected by five-button simplex locks, which take up to five minutes to brute-force, usually considerably less. Other areas are protected by 13-button locks, the codes for which can be trivially captured with a dry marker pen.

The NHS trust I was contracted to, when asked who was responsible for information security, replied 'I don't know - I think it's the IT director'. This was said to me by an IT manager.

I have received by post the medical details of an elderly woman who lives ten miles away from me, when appointment details were sent through for my son.

In addition, I have discovered unpatched systems, unsupported operating systems and out-of-date anti-virus software.

These are only a few examples of the incredibly poor information security I have noticed when within NHS environments. I have many more examples that I could cite but it would achieve little else. I suspect the results of audits (if any are carried out) would make for some pretty grim reading.

The overall information security measures within the NHS, in my experience, are catastrophically poor. Why this is not more widely reported is a mystery to me. Almost everyone in the country has medical information stored and processed by the NHS so this should be a concern to pretty much everyone. I doubt my observations are restricted to the absolute worst NHS trusts - they are not limited to one trust but several trusts. I am sure information security breaches within the NHS are not being reported and if they are, they must be being covered up. The Department of Health has guidelines for Information Security within the NHS but there are no hard and fast rules concerning the protection of OUR information.
I believe it would be in our interests for the NHS to be required to comply with a data security standard. I appreciate there will be a huge cost involved in this, at a time when the NHS cannot afford to spend additional resources; however, it is only a matter of time before a huge data loss is reported within the NHS, which will cause a knee-jerk reaction to providing adequate protection for NHS-held information, along with the associated 'quick-fix' costs such as those that have been endured by the MoD following the loss of the Navystar laptop and the Revenue and Benefits CDs.
It would be prudent for the NHS to commence investing in Information Security now, rather than being forced into action at a later date.
