Aspects of Data Security Raj Samani Vice President – Communications, ISSA UK Rita Arafa IG Deployment Officer, NHS CFH.

Agenda
Reported issues
Impact
C.I.A.
What can we do?
Wrap-up, including questions

Reported Issues
The current situation in the media: reports in the health press and general media.
There may be a risk of breach of patient data: "2008 'A year of data breaches'" – E-Health Insider, 28 Oct 2008
Reports of viruses in hospital systems impacting on patient care: "NHS hit by a different sort of virus" – More4 News, 9th Jul 2009
Fears that patient data could be lost: "Health data on lost memory stick" – More4 News, 9th Jan 2009; "Data protection warning as more trusts lose patient records" – Health Service Journal, 16th July 09

Impact
When electronic clinical systems are compromised, the following are at risk: clinical care, confidentiality, reputation.
Data breaches endanger: confidentiality, confidence, reputation.

Clinical Care
Reports of viruses in hospital systems impacting on patient care:
November 08: the Mytob computer virus caused havoc in three major London hospitals when it spread so quickly that it overloaded computer networks. 70 patients had to go to other hospitals, and ambulances were diverted to neighbouring hospitals to ensure that seriously ill patients did not suffer as a result of the slower manual systems being used.
Sheffield: 800 PCs were infected after just one computer in an operating theatre had its anti-virus software switched off.
March 09: Greater Glasgow and Clyde NHS trust was struck by a computer virus called Conficker, which froze staff out of their computers for two days.
Building security into key initiatives: LAS Despatch Service, where one ambulance arrived to find the patient dead and already taken away by undertakers.

Confidentiality
A breach of patient data can be a breach of patient confidentiality.
Unauthorised access (internal)
Unauthorised access (external)
What is the impact?

Reputation
Confidence can be quickly lost by both the staff using the systems and patients. Electronic records can end up being incomplete, which further reduces confidence.

Reputation
Perceived breaches of data security can seriously damage the reputation of both clinical IT systems and the organisations that use them.
"Everyone must recognise that data breaches can cause harm, distress and hassle for the individuals affected, lead to serious financial losses and seriously affect the reputation of organisations." – eHealth Insider, 29 Oct 2008

C.I.A. and F.U.D.
It is imperative that the following are protected: Confidentiality, Integrity, Availability
Without introducing: Fear, Uncertainty, Doubt

So what should be done?
ISMS – Information Security Management System
Establish roles and responsibilities
Management planning – identify where the gaps are by reviewing, checking and implementing
Plan-Do-Check-Act

Why does it need to be done?
To comply with the Data Protection Act (principle 7)
For public assurance
Contractual, legal and regulatory obligations
Care Record Guarantee

Roles and Responsibilities
Information Asset Owner (IAO): IAOs are responsible for ensuring that information risk is managed appropriately and for providing assurances to a Board-level lead termed the Senior Information Risk Owner (SIRO).
Information Asset Administrator (IAA): IAAs are operational staff with day-to-day responsibility for managing risks to their information assets.
SIRO (Senior Information Risk Owner): is accountable; fosters a culture for protecting and using data; provides a focal point for managing information risks and incidents; is concerned with the management of all information assets.
Caldicott Guardian: is advisory; is the conscience of the organisation; provides a focal point for patient confidentiality and information sharing issues; is concerned with the management of patient information.
Privacy Officers

Process Overview
Suppliers: plan ISMS review and improvement activities, e.g. annual audit schedules; plan risk corrective action planning and reviewing.
Organisation IG: inform programmes of impending supplier reviews.
Suppliers: implement risk corrective action plans.
Organisation IG: cascade risk corrective action plans to relevant programmes; monitor risk corrective action plans.
Suppliers: implement ISMS review and improvement activities; submit results to the organisation, e.g. audit reports, risk corrective action plans, areas of concern, evidence of BAU activities.
Suppliers: review ISMS review and improvement activities.
Organisation IG: review results; provide guidance and influence supplier improvement activities, e.g. audit schedule; ensure there is evidence of BAU ISMS activities.

Information Assurance Regulatory Bodies
ICO (Information Commissioner's Office): independent authority set up to promote access to official information and protect personal information.
CESG: the Information Assurance (IA) arm of GCHQ and the Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing, which helps its customers achieve their aims.
CPNI: the Government authority which provides protective security advice to businesses and organisations across the national infrastructure.
CSIA (Central Sponsor for Information Assurance): a unit within the UK Government's Cabinet Office providing a central focus for Information Assurance (IA) activity across the UK.

Some positive quotes:
The Royal College of GPs has put its support behind the national rollout of the Summary Care Record. They said concerns over security of records and patient confidentiality had now been resolved, and declared "the need for a shared record is compelling".
A team of RAF security experts recently spent three days attempting to penetrate the wireless networking component of a managed service covering healthcare for British Forces in Germany, and failed. The secure networking is part of a managed service, PAS 2.0, for Guy's and St Thomas' NHS Foundation Trust. – eHealth Insider, Jan 09
The Royal Marsden Hospital director of ICT Jon Reed said: "We've been able to create a remote environment that enables clinicians to have access to the applications they require but at the same time enforce the highest level of security for confidential patient records." – Public Sector Case Study, silicon.com, Aug 08

Any Questions?