16th October 2013
By Jason Parker-Smith
NHS Trusts have placed too much confidence in private sector companies entrusted with sensitive information assets, according to Jason Parker-Smith of Aston Information Security consultancy.
Here he explains the still-looming dangers exposed by the record fine imposed on Brighton and Sussex University Hospitals Trust, with the EU now talking about fines of up to 2% of an organisation’s turnover for personal data breaches. Jason argues that a change of approach is needed to ensure that such cases become isolated examples of poor practice.
If a company were asked to declare its level of security on a publicly available website, which business supplier in its right mind would state so openly that it has poor levels of information security?
Yet many NHS trusts are showing high levels of faith in their Commercial Third Parties (CTPs) that handle highly confidential and sensitive information, on the basis of little more than an NHS information governance self-assessment declaration.
This ludicrous state of affairs was illuminated by the case of Brighton and Sussex University Hospitals Trust’s record fine.
The Trust was fined £260,000 by the Information Commissioner’s Office (ICO) for a data protection breach, reduced from £340,000, after a third party caused the incident.
The ICO has powers to issue fines of up to £500,000. The Health (27%) and Local Government (17%) sectors make up the lion’s share of fines, which are said to now top £4 million for public sector authorities. *
The ICO is coming down hardest on those organisations that cannot demonstrate that they have addressed security properly.
It is possible to outsource responsibilities but not accountability. It is naive to think that corporations would not be economical with the truth to win business, especially if they are not going to be audited.
Government’s own figures make bad reading
In the NHS Information Governance Toolkit declared earlier this year, trusts were reminded that they “are responsible for obtaining appropriate contractual assurance in respect of compliance with Information Governance (IG) requirements from all bodies that have access to the organisation’s information or conduct any form of information processing on its behalf”.
Just over 20% of acute trusts, up from 14% the previous year, declared, “Reviews and / or audits are conducted to obtain assurance that all third parties that have access to the organisation’s information assets are complying with contractual IG requirements.”
Shocking findings, I think you will agree.
These trusts are expected to gain assurance that the contractors have met their information governance requirements and monitor the contracts.
But auditing suppliers has to be practical
At the end of the day, a trust wants to be assured that the data it is accountable for is handled securely by its commercial third parties.
It can do this by auditing the third party’s security. However, a third party with, say, 30 NHS clients would not appreciate being audited 30 times. Nor would it be cost-efficient for the NHS to budget for 30 audits.
As previously mentioned, relying on a contractor’s information governance declaration in the public domain could be naïve, and costly, to say the least.
So what are the options?
All trusts should have a good idea of their data flows.
By looking at these data flows, it should be possible to understand where the most sensitive information is being shared outside the trust with commercial third parties. It is these companies that a trust should focus on first to reduce its risk.
The trust should be auditing these companies to gain an understanding of the risks their data faces.
A simple solution?
An alternative option is for the commercial third parties to achieve ISO 27001 certification.
The Information Governance Toolkit is heavily based around the information security management standard ISO 27001, so for companies that made an accurate information governance declaration, it should not be difficult to achieve an acceptable level of information security and achieve this standard.
The only thing the trust then has to do is ensure that it receives a copy of the certificate and that the scope of the audit covers the NHS data that is processed by the company. The scope is very important.
This solution means an independent audit has been conducted that gives the trust the necessary assurances that its data is safe, and therefore reduces its risk. It also saves the NHS from allocating time and money to conduct its own audits.
Following its breach, Brighton and Sussex University Hospitals Trust said it would be obtaining the services of an ISO 27001 accredited company for future IT disposals.
While the Information Governance Toolkit is not all about security, it is the security aspect that generally causes the financial harm, i.e. fines and reputational damage, if breached.
100% security is a fallacy; it is about trusts managing and reducing risk, and that responsibility falls firmly with them, regardless of contract clauses apportioning responsibility to suppliers.
We can take a positive from Brighton and Sussex’s fine: it is a warning, but one that can be noted, with appropriate measures taken for the information security of trusts and their patients.
Jason works with Aston Information Security and counts over 50 NHS trusts and Commercial Third Parties (CTPs) that provide service to the NHS as clients on issues such as compliance, business continuity and data protection. He can be contacted on 01273 25 28 27 and firstname.lastname@example.org