1. “Wireless signal lost”: Managing information risks in a world without wires
Daniel Beaumont
Information Assurance Lead
eHealth Programme, Scottish Government
NOT PROTECTIVELY MARKED

2. Is there a ‘mobile’* explosion? *not really..

3. ...more like a 20 yr marathon First text message 1992
Internet early 1990s
Pay-as-you-go (which created mass consumer market) mid-1990s
Wireless LAN late 1990s
GPRS/3G early 2000s (i-mode long before i-phone)
‘Smart phone’ (PC, colour screen) early 2000s
Board IT teams know all about this...and generally good at managing it (e.g. WLANs)

4. ....bumps in road
Vendors have tried to get a wireless ‘big bang’ (e.g. WAP phones, MMS and often fell flat):
Lack of bandwidth
Lack of battery power in devices
Screen technology not advanced
Mobile applications still in infancy
Short-range wireless initially slow catch on consumer market
High production costs for some components

5. What is different now..? Key components for ‘tipping point’ have come together

6. eHealth leads face a lot of background noise........

7. I am senior and I want one!

8. Patient accessing service via wireless

9. R.O.I from existing tools
All of this demand just at time when we are supposed to be squeezing value out of existing IT investment (mainly fixed cable)
Far less money for .. buying more kit, putting in ever more complex support models for wireless

10. Getting to the nub of the problem
Boards now need to deal with implications of this wireless application ‘tipping point’ and derive benefits while managing risk
Take into account consumer pressure/convenience (‘pester power’) of staff but all decisions must be in interests of business even if it is not always popular
Need to cut through all this ‘background noise’ and work out what really are the information risks, and how to work out how to deal with them

11. Forget much of what you have heard and start on a clean sheet........
There is no such thing as 100% security
‘several pinches of salt’ for whatever vendors claim about devices/service (“It meets xyz International standard”)
Do not consider ITSOs, IG Leads or Caldicott Guardians as people as people who say ‘yes’ or ‘no’
Do not think you must buy in security expertise every time
Do not consider wireless as necessarily any more or less ‘secure’
Do not think confidentiality requirement drives all decisions
Do not think good security = encryption products

12. Instead....

13. Go for Information risk management approach
NHS staff, clinical and managerial are already really good at ‘risk management’ every day
Identifying risk (“this could happen to patient x given what I know about y”)
Explaining risk to others (“you cannot move this patient because..”)
Treating, avoiding, retaining risk (“we can treat x condition, but z condition can only be contained.”

14. Looking at information risks in the round
How often have you heard about privacy risks?
“Hey, you cant do that, we have personal data to protect at all costs...”
“not possible, because the product doesn’t do encryption”
“someone might eavesdrop on that data”

15. Remember: Information Assurance is C.I.A
Confidentiality AND Integrity AND Availability
NHS does have important confidentiality requirements (legal and moral)
But often this can dominate all discussion to the point where availability and integrity risks hardly get a look in......

16. Information risks in round: Availability
But how seldom you hear:
“the need for availability of data to clinicians outweighs the very small risk of information loss”
“I am worried that the chosen wireless solution could mean there are more service outages”

17. Information risks in round: Availability (2)
All wireless technologies are by their very nature intermittent (radio, infrared, microwave etc)
So a upper most in our minds must always be the ‘availability risk’ (*hence title of this presentation)

18. Broken cables rare event: have understanding single points of failure

19. Wireless outages: still learning about impacts

20. Information risks in the round: Integrity
How seldom do you hear:
“I am worried that mobile devices will lead to duplication of data, or data out of synch”
“We seem to be procuring a separate device for each application...the data will be different from desk-tops
“we have a pile of devices”

21. When should you do an information risk assessment?
Organisational level: e.g. whole board, team, process
Particular service to be launched (e.g. prior to delivery) especially if critical and/or if there is a high element of ‘unknowns’ relating to security
As result of a security incident (e.g. privacy breach)

22. Who should do information risk assessment?
Ideally, someone who is not in the project team and can provide an independent view
BUT, before you think to pick up phone to a consultancy etc there are lots of NHSScotland options
Your ISO
ISO from another board
Need to pool our skills much more internally

23. Information risks: whole process
Understanding business context (why is the service, which has wireless devices so important)
Who might be the ‘owners’ of that service
What are the impacts (worst case scenarios) relating to something going wrong with that service/process

24. Information risk assessment
Devices
How they are expected to be used
How they might be used in unexpected ways
Relevant regulatory requirements (e.g. Data Protection)
Types of attacker/motivation
Risks and vulnerabilities relating to any aspect of the whole process

25. Information risk assessment

26. Information risk assessment: reporting back to...?

27. Who are the information ‘risk owners’?
“A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
NOT the same as a SIRO (Senior Information Risk Owner) or information asset owner

28. Who may need to be in the room?
Role
Why?
‘Owner’ proposed service
There is no such thing as a an IT project; the technology is there to enable a process/service that must be owned/run by someone else
Project Manager
To explain exactly how requirements are met and broad risks
Independent Risk Assessor
Explain results of risk assessment; and options
Caldicott Guardian/IG
Compliance with DP etc and best practice
eHealth lead
Is the service suitable for current architecture, how will it be released into live environment?

29. ‘Creative tension’ between advisors/enforcers/owners 

30. Key questions to be posed?
Which risks can and should be treated?
What residual risk is still left even with treatment?
Are the residual risks still too much to bear?
Which risks can be avoided (e.g. not doing something)?
Which risks can be retained?

31. Example: ‘risk retained’
“smart phone, whole disk encryption not possible ...but there is encryption on the application”

32. Residual risk....
User error could mean sensitive personal data ends up on the un-encrypted part of the device (e.g. My Documents, Camera)
*Revised NHSScotland mobile data says this is permissible up to ‘amber’ level.
User training awareness only ‘control’ to reduce this residual risk further......

33. What about B.Y.O.D? “Bring your own device”

34. B.Y.O.D: Fact or fiction? Commonly held assertion Reality?
Staff are clamouring for it now...?
Staff would prefer not to use different device for each purpose (not necessarily ‘own’ device)
Vendors have ‘cracked’ security’ ?
OK for services up to ‘amber’ and for . But many other problems relating to personally owned devices….not covered by encryption
Cheaper to support BYOD than official devices?
Not always; sheer range of variables can add to support cost
We could connect our own devices to NHS services via the web?
We do not currently have the web-architecture to do this. Few ‘online’ services. Our current remote access work on VPN/tokens/official devices etc

35. Current situation
NHSmail does allow use own mobile device (via Internet)
Some staff use own devices for capturing information (e.g. notes from minutes). Do they ever save it in the right place??
Not much else ?

36. Emerging situation: move with caution.....
What about ‘choose your own device’ C.Y.O.R??
takes employee preferences into account but devices still owned and controlled by org
Employees often complain about having multiple devices We could make a start by reducing the number of ‘official’ devices in workplace.
Supporting all the variables relating to people’s own phones can be more expensive than just issuing official ones.

37. B.Y.O.D
Need to sort out the ‘identity & access management’ and authentication aspects for remote users in general
Lots of products to secure applications; but having an agent installed on a personally-owned device does not = security
Need to think far more about how we classify information

38. So what is role of Scottish Government in all this…?

39. Balancing Act
Removing barriers to information sharing and innovation while upholding ministerial priorities and right degree of compliance…………..

40. Barriers are often around perceptions…

41. Priorities Information Assurance Strategy (working through it)
Good practice guidance (based on risk assessments)
Standards (where appropriate)
Building communications ISO/IG communities
Building capability (e.g. training, forums)
Links with clinical and professional groups
Leading and influencing within NHSScotland governance structures
Significant incident lessons learned….

42. Final thoughts….
Tackling some of the emerging security risks around mobile technology space can be scary…. BUT many of the current processes involving paper files and removable digital media are far scarier

43. Almost daily headlines

44. Mobile can help to improve security
Secure to any device (not the dreaded fax machine)
Patient portal accessed by smart-phone (not paper mail)
Remote access to the app (not the CD or memory stick)
Addresses/combination codes to homes of the elderly on secure tablet (not held on a paper print out)

45. Thanks for listening