
Big Data …. Friend or Foe?

Delighted to have a post from Advent IM Operations Director, Julia McCarron.

Ellie has been asking me for a while now to do a blog piece on ‘big’ data, and I must confess to dragging my heels because I wasn’t really sure what it was. I guess if I had put my mind to it essentially it must have been the aggregation of information that made it ‘big’ and I’m not far off with that. But last night’s edition of Bang Goes the Theory made me think about what it means … and the fact that ‘big’ is probably too small a word to describe its reach.

If we want to be specific about it, big data is defined as a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.[1] But it seems to me that this 2-D definition doesn’t do it justice. From what I can see, it’s about taking these large data sets and analysing them to find patterns – that’s what makes it ‘useful’. What you do with those patterns can be for good or bad and can range from diagnostic to research to marketing to preventative in nature, and affect people, places, processes, objects … you name it basically.

I know this kind of analysis goes on because I have a ‘loyalty’ card that regularly sends me money-off vouchers for the things I buy on a frequent basis. I know internet banner ads show me handbags for a reason, usually because I’ve just purchased another one online. I understand that it’s the accumulation of data about my buying habits that is profiled to appeal to me; but I hadn’t realised just how far this can go. On the programme in question a big data collection company said that as a result of the release of DfT data on bicycle accidents, someone had within days written an app for people which told them where to avoid riding their bicycle and therefore minimise the risk of having said accident. Who would have thought that was possible? Rolls Royce engines contain computers that analyse their activity, whilst in the air, and report in real time on peaks and troughs outside the ‘norm’, which enable airlines to do maintenance work before a problem occurs.

But if you think about it, big data isn’t new. Einstein’s Theory of Relativity came about because he carried out hundreds of experiments and analysed them painstakingly by hand. Intelligence services cracked Hitler’s codes by looking for recurring patterns, first totally reliant on the human brain before that human brain created machines to make the analysis easier and quicker. I only get 100 free ‘bonus’ points with my next purchase of Warburton’s crumpets because a computer looks at my buying habits and has identified that I buy them every week. (Other crumpets are available – actually no they aren’t). All that has changed is the scale, speed, selectiveness and sensitivity of the collection and review of that data.

The issue comes, though, when that big data is also personal data, and this is probably where most of us start to question whether it’s a good thing or bad thing. The BGTT Team demonstrated how easy it is to profile individuals from their online data footprints. It’s not just about what you put on various social media but it could also be an innocent publication of contact details by your local golf club. I’m a security conscious person, for obvious reasons, but I’m sure if someone really wanted to they could find out more about me than I thought was possible, just by running a few scripts and analysing trends. I’m a genealogy enthusiast and within minutes I could potentially find out when you were born within a 3 month window, the names of your siblings, your mother and father …. and those all-important security questions: your mother’s maiden name and town of your birth. So should we attempt to simply lock everything down?

At the same time as all this personal big data is being analysed, it’s also being put to good use. Researchers are creating medical devices that can analyse brain activity and detect when a second brain trauma is occurring … and they’ve done this by analysing patterns and trends from hundreds of thousands of scan outputs to create a simple, non-intrusive device that monitors pressures, electrical current and stimulus. If I opt out of having my NHS patient record shared, I could make it that bit harder to find a cure … or be cured.

Ultimately, we wouldn’t be where we are today without big data but there is no doubt that in a digital age big data will just keep growing exponentially. I don’t think we can avoid big data and I don’t think we should, but from a security perspective I think we all just need to think about what we post, what we agree to make available, what we join up to and what we are prepared to say about ourselves in public forums. If a field isn’t mandatory don’t fill it in, don’t agree for your location to be published and maybe tell a little white lie about your age (girls we are good at that!). We can never be 100% secure – it’s not possible. Even our fridge can go rogue on us now and order food we’ve run out of but don’t actually want to replenish. But having a security conscious mind can protect us, whilst still providing a big data contribution. 

[1] Wikipedia


Data Protection and Temporary Workers – the Perfect Data Breach Storm?

This morning brought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.

The story was about a temporary worker at a hospital who had sent letters which contained highly sensitive children’s data to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that “even temporary staff should have Data Protection Training”.

Bear with me. Last year another breach occurred in a hospital when a temp worker downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data it is a must-have. Secondly, is it appropriate for a temporary worker to have that access? Obviously this will vary by incident or role.

It’s not just the NHS; businesses make this mistake too. I have seen temporary workers who have had no vetting logged into networks by well-meaning employees on their own login credentials. There they have been able to access any sensitive data they wished, and the trusting employee has handed over that organisation’s data to someone who may well damage, steal or sell it.

Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?

Aspirationally Paperless?

First published in Tomorrow’s FM February 2013 as part of the Water Cooler regular feature with FM experts: Lee Haury, Liz Kentish, Wendy Mason, Martin Pickard, Lucy Jeynes, Iain Murray and John Bowen. The discussion was inspired by Health Secretary Jeremy Hunt’s desire to see the NHS go paperless by 2018….

The Advent IM response to a paperless NHS.

Paperless, as a concept, has been around for a long time. Look around the average office and you will see varying degrees of success in its implementation. For many it is still largely aspirational. Removing paper records does have some security benefits, presuming they were securely disposed of, of course! By this I mean you are removing one potential source of data loss, but how many of us can commit to never printing off information or emails, for instance? One security eye would always have to be on the possibility of employees doing this and valuable assets being put at risk or marching out of the door. Information is an asset, however it is stored. The NHS (for it is they and Jeremy Hunt who have inspired this discussion) has had a fairly disastrous year with Information Security and received huge monetary penalties. These breaches were not generally the result of hacks or other cyber-criminal activities but the result of poor security awareness and people doing daft things with both paper records and electronic devices.

Bottom line is, if you are going to use mobile devices and remove the need for paper records, then security policies have to be watertight and thoroughly trained through all users; they need to know they are accountable. That means if someone decides to load a laptop with thousands of patient records, they should be challenged or potentially prevented, by policy, from doing so. For instance, if the device were used merely for securely accessing patient records as and when they were required, it would remove the need for either paper or local digital storage. Hopefully the NHS are thinking a little further than merely paperless and thinking about how the replacement digital information is going to be stored and accessed. Significant and ubiquitous awareness training is required to make a success of any such initiative and prevent patient data risk.

Why Physical Security in NHS Trusts needs a major health check

Traditionally the NHS has primarily focused its security efforts on the problems associated with violence and aggression toward staff. This is because it is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression is clearly an issue that needs to be in scope, there are other areas that not only need attention for the wellbeing of the people involved, but also to help guard against spiralling cost – a pariah to any NHS Trust.

Looking at the Threat Landscape

In many cases, NHS Trust security is managed by former Police Officers who have a wealth of experience in dealing with aggression. However, it has to be acknowledged that the threat landscape is far more varied than this head-on threat. Security threats come from a variety of sources and not all revolve around outright aggression.

The perception of Security Officers’ duties in NHS Trusts is that they are to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour. In fact, there are a myriad of duties that they are called upon to carry out, some of which they are not trained to perform. These duties can include: searching for missing patients; attending patients on suicide watch; supervision of patients awaiting Mental Health professionals; foot patrols; cashier runs; car park patrols; smoking patrols and issuing parking contravention notices, to name but a few.

The NHS is no different from any other organisation as far as security is concerned: security components are more often than not bolted on as funding becomes available and usually without any long-term objective in mind. In a recent NHS Trust project, it was discovered that the absence of a strategic vision meant that funding had in fact been wasted. For example, additional CCTV cameras were installed without an understanding of what they were actually needed to do. The CCTV system was not integrated with other security systems, and this lack of integration represented not only a wasted opportunity to increase efficiency as well as improve security, it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras but few were positioned where they were needed. Furthermore, many cameras were capturing images that were actually unusable. (This problem only increases when you add in multiple sites using different systems.) A rationalisation of the CCTV estate and a review of its fitness for purpose is in many cases the best way to proceed.

Another very important aspect of using CCTV systems that is often overlooked, or perhaps not fully understood, is the Data Protection Act. The images that are recorded, stored and deleted constitute personal data that has to be properly handled and then, when appropriate, properly destroyed. This means everyone who monitors, has access to, stores or manages these images needs to be properly trained, aware of their responsibility and understand how to treat the data properly.

In any organisation, loss creates cost and this is something each and every Trust is currently facing. A recent Daily Mail article highlighted theft from the NHS as a serious issue. Some equipment and facilities are very expensive. Loss or damage not only drives cost but can endanger lives. The absence of a security-aware culture, or one that is almost entirely focused on an aggression-based threat, allows loss to flourish as the investment can be made ineffectually, as in the CCTV example above. Staff may prop open frequently used doors, or share door entry cards for convenience. These are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data? If the cameras are also ineffectual, a thief could wander around and help themselves to thousands of pounds worth of equipment, or steal personal data that the NHS Trust would be held accountable for.

During a recent project, a consultant found that no one challenged his presence in a medical record archive and said he could have easily made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.

So how do Trusts shift the security mindset?

  • The threat environment has changed and security needs to be approached as a cyclical, on-going process. It needs to be reviewed and tested regularly.
  • The narrow view of security within the NHS as being aggression-based and the responsibility of the manned guarding component needs to be dispelled. Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different. A cultural change within Trusts is required to instil awareness. Only this way will everyone feel part of the security fabric and not see it as something that is done by someone else.
  • Security training and education should be standard in all Trusts; this should include an understanding of the real rather than perceived threat landscape.
  • Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of “this is the way we’ve always done it” and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, prevent damage to other assets and loss of sensitive or personal information.
  • A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review – removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine if cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats, thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.

Advent IM Senior Security Consultant – Paul Smith MSc MSyI

By popular demand…

Our NHS CCTV Awareness training day is back!

For all users and viewers of CCTV images in the NHS regardless of role, the course is designed to keep NHS Trusts on the right side of the Data Protection Act and ICO guidelines.

November 20th is the date for the training centre but if you have a larger group and would prefer us to come to you, we can arrange it for you.

You can get details of the course, prices and a booking form here…

“This was a really informative day. Lots of questions answered. I wish we had had this training when the CCTV was first installed.” – recent delegate from Cornwall Foundation Trust