Data Protection and Temporary Workers – the Perfect Data Breach Storm?

This morning brought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.


The story was about a temporary worker at a hospital who had sent letters containing highly sensitive children's data to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that “even temporary staff should have Data Protection Training”.

Bear with me. Last year another breach occurred in a hospital when a temp worker downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data, training is a must-have. Secondly, is it appropriate for a temporary worker to have that access at all? Obviously this will vary by incident or role.

It's not just the NHS; businesses make this mistake too. I have seen temporary workers who have had no vetting logged into networks by well-meaning employees on the employees' own login credentials. There they have been able to access any sensitive data they wished, and the trusting employee has handed over that organisation's data to someone who may well damage, steal or sell it.

Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?

Aspirationally Paperless?

First published in Tomorrow’s FM February 2013 as part of the Water Cooler regular feature with FM experts: Lee Haury, Liz Kentish, Wendy Mason, Martin Pickard, Lucy Jeynes, Iain Murray and John Bowen. The discussion was inspired by Health Secretary Jeremy Hunt’s desire to see the NHS go paperless by 2018….

The Advent IM response to a paperless NHS.

Yay! Paperless was easy!

Paperless, as a concept, has been around for a long time. Look around the average office and you will see varying degrees of success in its implementation. For many it is still largely aspirational. Removing paper records does have some security benefits, presuming they were securely disposed of, of course! By this I mean you are removing one potential source of data loss, but how many of us can commit to never printing off information or emails, for instance? One security eye would always have to be on the possibility of employees doing this and valuable assets being put at risk or marching out of the door. Information is an asset, however it is stored. The NHS (for it is they and Jeremy Hunt who have inspired this discussion) has had a fairly disastrous year with Information Security and received huge monetary penalties. These breaches were not generally the result of hacks or other cyber-criminal activities but the result of poor security awareness and people doing daft things with both paper records and electronic devices.

The bottom line is, if you are going to use mobile devices and remove the need for paper records, then security policies have to be watertight and thoroughly trained into all users, who need to know they are accountable. That means if someone decides to load a laptop with thousands of patient records, they should be challenged or potentially prevented, by policy, from doing so. For instance, if the device were used merely for securely accessing patient records as and when they were required, it would remove the need for either paper or local digital storage. Hopefully the NHS are thinking a little further than merely paperless, and thinking about how the replacement digital information is going to be stored and accessed. Significant and ubiquitous awareness training is required to make a success of any such initiative and prevent patient data risk.

Why Physical Security in NHS Trusts needs a major health check

Traditionally the NHS has focused its security efforts primarily on the problems associated with violence and aggression toward staff. This is because it is still perceived as the major concern and so continues to be the main focus of resource expenditure. Whilst the threat of aggression is clearly an issue that needs to be in scope, there are other areas that need attention not only for the wellbeing of the people involved, but also to help guard against spiralling cost – a pariah to any NHS Trust.

Looking at the Threat Landscape

In many cases, NHS Trust security is managed by former Police Officers who have a wealth of experience in dealing with aggression. However, it has to be acknowledged that the threat landscape is far more varied than this head-on threat. Security threats come from a variety of sources and not all revolve around outright aggression.

The perception of Security Officers' duties in NHS Trusts is that they are there to provide reassurance to the public, hospital staff and visitors in the event of violent behaviour. In fact, there are a myriad of duties that they are called upon to carry out, some of which they are not trained to perform. These duties can include: searching for missing patients; attending patients on suicide watch; supervision of patients awaiting Mental Health professionals; foot patrols; cashier runs; car park patrols; smoking patrols; and issuing parking contravention notices, to name but a few.

Drugs: Expensive and potentially dangerous

The NHS is no different from any other organisation as far as security is concerned: security components are, more often than not, bolted on as funding becomes available and usually without any long-term objective in mind. In a recent NHS Trust project, it was discovered that the absence of a strategic vision meant that funding had in fact been wasted. For example, additional CCTV cameras were installed without an understanding of what they were actually needed to do. The CCTV system was not integrated with other security systems, and this lack of integration represented not only a wasted opportunity to increase efficiency as well as improve security; it also wasted scarce financial resources. A CCTV audit revealed that there were actually too many cameras, but few were positioned where they were needed. Furthermore, many cameras were capturing images that were actually unusable. (This problem only increases when you add in multiple sites using different systems.) A rationalisation of the CCTV estate and a review of its fitness for purpose is, in many cases, the best way to proceed.

Another very important aspect of using CCTV systems that is often overlooked, or perhaps not fully understood, is the Data Protection Act. The images that are recorded, stored and deleted constitute personal data that has to be properly handled and then, when appropriate, properly destroyed. This means everyone who monitors, has access to, stores or manages these images needs to be properly trained, aware of their responsibility and understand how to treat the data properly.

In any organisation, loss creates cost, and this is something each and every Trust is currently facing. A recent Daily Mail article highlighted theft from the NHS as a serious issue. Some equipment and facilities are very expensive. Loss or damage not only drives cost but can endanger lives. The absence of a security-aware culture, or one that is almost entirely focused on an aggression-based threat, allows loss to flourish, as investment can be made ineffectually, as in the CCTV example above. Staff may prop open frequently used doors, or share door entry cards for convenience. These are commonly found issues in security procedures in Trusts. What if that door gave access to drugs, vital equipment or confidential medical data? If the cameras are also ineffectual, a thief could wander around and help themselves to thousands of pounds' worth of equipment, or steal personal data that the NHS Trust would be held accountable for.

During a recent project, a consultant found that no one challenged his presence in a medical record archive and said he could have easily made his way into a RESTRICTED information area by tailgating through the door; such was the lack of awareness.

So how do Trusts shift the security mindset?

  • The threat environment has changed and security needs to be approached as a cyclical, on-going process. It needs to be reviewed and tested regularly.
  • The narrow view of security within the NHS as being aggression-based and the responsibility of the manned guarding component needs to be dispelled. Everyone working within any organisation has a personal responsibility for security; an NHS Trust is no different. A cultural change within Trusts is required to instil awareness. Only this way will everyone feel part of the security fabric, rather than seeing security as something that is done by someone else.
  • Security training and education should be standard in all Trusts; this should include an understanding of the real rather than the perceived threat landscape.
  • Senior management need to understand how to maximise the effectiveness of their security infrastructure for the benefit of the Trust. This encompasses understanding all of the above plus a willingness to forget the mantra of “this is the way we’ve always done it” and move toward excellence. After all, effective security will prevent harm to staff, patients, visitors and contractors, protect costly equipment and dangerous drugs, and prevent damage to other assets and loss of sensitive or personal information.
  • A proper security review can identify areas where cost savings can be made or wasted costs controlled, such as the CCTV estate review – removing cameras that are not fit for purpose will reduce the maintenance bill. The review will also determine whether cameras are fit for their purpose and placed in an appropriate location to mitigate the identified threats, thus ensuring that the Trust meets its Duty of Care for staff, visitor and patient safety.

Advent IM Senior Security Consultant – Paul Smith MSc MSyI

By popular demand…

Our NHS CCTV Awareness training day is back!

For all users and viewers of CCTV images in the NHS, regardless of role, the course is designed to keep NHS Trusts on the right side of the Data Protection Act and ICO guidelines.

November 20th is the date for the training centre, but if you have a larger group and would prefer us to come to you, we can arrange it.

You can get details of the course, prices and a booking form here…

“This was a really informative day. Lots of questions answered. I wish we had had this training when the CCTV was first installed.” – recent delegate from Cornwall Foundation Trust

Watching you, watching me – CCTV in school toilets and why we need to consider more than numbers

Every once in a while, some stats will appear that capture everyone’s imagination and prove to be a sub editor’s dream for headlines. The Big Brother Watch FOI report release this week has brought with it a wealth of headline opportunities, many of them toilet related and all quite breathless in their indignation. But the placing of cameras in private places is just the beginning of the story.

Whilst as security professionals we can totally understand the general public’s shock at the level of CCTV use in secondary schools and academies, we were as disquieted as everyone else about the use of CCTV in areas such as toilets, showers and changing areas. Not everyone realises the complexity of securing a school, college or university. There may be several buildings with varying traffic and visitors. Effective security looks at all threats and risks and treats them appropriately. So it’s not very surprising that the hue and cry has erupted over the acceptability of placing CCTV cameras in such intrusive areas. When performing one-day School Security Health Checks we suggest that a Privacy Impact Assessment be carried out, for what will now be obvious reasons.

For us, though, it shows the beginning of the problem and isn’t an isolated issue. We deal with schools, colleges and universities frequently. One of the main things they like help with is CCTV and the Data Protection Act. A head teacher is a head teacher, not a security expert, but the responsibilities that come with managing the images that come from CCTV are quite expansive and are not limited to where the cameras are placed.

We find, for instance, that external cameras may inadvertently be recording images that they should not be. So if the camera’s field of vision includes perhaps an area of a neighbouring garden, or there is a view of someone’s home, then the use of that camera is contravening the Data Protection Act and the user could be fined. It’s irrelevant that this was not the intention of the user; it simply can’t be done.

Also, there may be issues around storing and deleting the images. Schools need to be fully conversant with how to secure the images they have captured. Security isn’t just about the camera: the images have to be handled carefully, as happens with pupil and staff personal data, and protected from either malicious or accidental breach. Deleting images when they should no longer be stored is also covered by the Data Protection Act, and once again a user could find themselves in hot water if images are not being securely deleted after the allotted period has expired.

Who views the images created by CCTV systems? Again, this falls into the policy and procedure area when we perform health checks. Only appropriate and necessary staff should have access to CCTV images, as would apply with any sensitive data for pupils or staff. The message that comes out most strongly from the Big Brother Watch report is that if we are to use the wonderful security opportunity that CCTV affords us, we must do it securely and appropriately. You can access the full report as a PDF here.

We plan to publish a White Paper on this topic, and if you follow this blog you will receive a notification of when it has been released and where you can obtain a copy. Alternatively you can email us at bestpractice@advent-im.co.uk and ask for one, or keep an eye on the website www.advent-im.co.uk.

We have visualised some of the key elements we thought you may find interesting. These relate to both the number and ratio of CCTV cameras, as well as those found in private areas in schools. Whilst we don’t mind you using them if you wish, please drop us a note to let us know and make sure you credit both ourselves and Big Brother Watch.

Security out- sourcing: anything to learn from the G4S experience?

Advent IM in Outsource magazine 20.07.12

Spreading the risk – a more secure alternative?

Recent events with G4S and LOCOG/the Government’s procurement of security for the Olympics, will clearly not be leaving the headlines anytime soon. Indeed you could be forgiven for thinking this was a security event, not a sporting one. Is there anything to be learnt from the Olympic Security out-sourcing? A good place to start would be to understand how organisations source physical security.

We have always done it this way

Let’s be clear, out-sourcing security can work and work very well for end users. The impetus for out-sourcing any service should have a solid base in the desire for the best possible service from people who are experts in their field. If the motivation is always cost cutting rather than sourcing excellence to improve end user experience, then nine times out of ten you will simply get what you pay for.

Physical Security has a long-standing relationship with out-sourcing. That does not mean, however, that because it has been out-sourced for so long it is done well in all cases. Frequently, we see providers specifying to clients what they can have based on their portfolio of services, rather than the client understanding what they need based on Threat and Risk Assessments and specifying this to the provider. This is a bit like visiting a car showroom and saying, “sell me the car I need.” You may find yourself returning a short time later asking why you can’t fit your six kids into your Aston Martin, but if you didn’t specify your needs from the outset the car sales person will sell you what he wants… One size never fits all; it may fit some, but everyone prefers something that meets their needs when they can get it. So, how can something as important as security not be bespoke?

Facility Management and Security

In business, Physical Security has been moving for many years into the Facility Management arena. It is a natural place in many ways, especially if this is not simply managing the manned guarding aspect but also equipment contracts such as CCTV and door entry systems, PIRs, etc.

In-house FM may manage an out-sourced contract for Physical Security provision. An FM provider may manage a contract for a client, or an in-house FM may manage a contract with an FM provider who manages a Physical Security contract with a provider. There may be a separate contract for management of equipment contracts, which could be managed by the in-house FM, the out-sourced FM provider, the security provider it has been out-sourced to, or possibly even further along the chain (still with me?)… That is a lot of moving parts in a chain that requires clear areas of accountability at all stages, not to mention governance (who is guardian of CCTV image management, for instance, and is everyone clear on that along with Data Protection Act requirements?). Governance also includes relationship management and compliance checks. Remember it is only the function that is being out-sourced, not the responsibility… or the accountability.

Proactive or Reactive Procurement?

“Understanding the risks involved can save money and reputational damage. Keeping your supplier close and having an open, honest relationship ensures any danger of things going wrong is reduced, or at least spotted early and corrected.”

– CIPS CEO David Noble

The Chartered Institute of Purchasing & Supply (CIPS) states that it is the job of the buyer to ensure that:

  • Materials of the right quality
  • Are delivered in the right quantity
  • To the right place
  • At the right time
  • For the right price
  • And the sixth right: from the right source

Reactive procurement takes only one of these ‘rights’ into account, or is heavily biased toward one of them. Proactive procurement is based on strategic decisions across all six ‘rights’; the supplier will then not have been selected on price alone, for instance.

When we examine how Physical Security is sourced, the issues and potential pitfalls start to emerge. If we go back to our example of G4S and the Olympics, Government Procurement decided not to split security provision, and thereby risk, across several smaller providers, but to go with one large provider. So the focus appears to have been on procurement, i.e. cost. Whilst we want our Government (and in this case LOCOG also) to be cost sensitive with our hard-earned taxes, we also want the job done correctly. This option appears to have introduced a ‘single point of failure’ because only one supplier was procured.

This is the difference between sourcing the service you want, need and are specifying with expert knowledge, and procuring the cheapest or ‘most economically advantageous’ option, as Government procurement tender documents read. Let’s be clear: to a supplier, procurement is there to bargain hard on cost; it is not there to provide any level of expertise, or the associated judgement call, on the service being requested.

For a regular organisation, understanding that all stages of the chain have to be carefully managed is key. KPIs based upon the threat and risk landscape should be in place to ensure performance is being measured against the correct metrics. They also need to make sure that their bespoke needs are the ones being answered, and not what the provider is telling them they can have. The threat and risk landscape will change; will a client be penalised for contract changes made to mitigate these changing risks?

One final thought on proactive vs. reactive: G4S are shouldering 100% of the responsibility for this debacle, not Government procurement. On a realistic business level, for organisations considering their options for out-sourcing security, when things go wrong it is rarely the procurement team who get an unhappy phone call from the end user; it is normally the Facility Manager.

The future

Many Facility Managers and providers welcome the idea of system integration – Security Systems can easily be included in this model and can provide very valuable data back to an organisation across disciplines when part of a wider integrated function. For this to be realistically achieved, and the associated service and cost improvements to be reaped, the whole chain of supply and accountability needs to be resilient and transparent. There are real benefits to be had from out-sourcing Security and even more to be had by bringing everything together to provide a holistic management view.

Some pointers

  • See it as an investment in an organisation’s excellence – for that is what it is. If you view it purely as a cost-saving exercise, you may come unstuck.
  • Take expert advice on your real threats and risks and specify accordingly.
  • Get the bespoke solution you need, not the solution the out-sourcing provider wants you to buy.
  • For larger out-sourcing projects, think about spreading the risk of a single point of failure – more than one provider may be the answer.
  • Ensure clear accountability, resilience and due diligence throughout the chain and, wherever possible, limit multiple ‘moving parts’.

Originally published in Outsource Magazine 23.07.12, reproduced here with the kind permission of the Editor.

Ellie

www.advent-im.co.uk

www.youtube.com/adventimsecurity

0121 559 6699

bestpractice@advent-im.co.uk
ICO Fine of the NHS Trust – Who Owns the Risk?

If you have an NHS card, receive NHS treatment and have ever been to hospital, raise your hand… either a lot of us all want to leave the room at the same time, or this particular kind of breach can affect pretty much everyone in the UK.

From the ICO website:

“NHS Hospital Trust receives a Civil Monetary Penalty (CMP) for serious data breach.

Brighton and Sussex University Hospitals NHS Trust has been served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act (DPA), the Information Commissioner’s Office (ICO) said today.

The fine is the highest issued by the ICO since it was granted the power to issue CMPs in April 2010.

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.”

You can read the full piece here.

Discussion of this penalty in various places online has raised a variety of questions and opinions. Some people, even within the Data Protection community, feel that this was ‘too harsh’ (source: LinkedIn European Data Protection Forum discussion). Others, with a due sense of subject fatigue, feel that not only was it right but that it is a bit more like the kind of penalty the ICO needs to be handing out, and not just to the public sector either.

Looking at this particular breach and reading the arguments that the penalty was too high makes me wonder if people understand the risk scenario. The task of destroying these hard drives was out-sourced. The drives were still owned by the Trust, and the Trust was still guardian of this data.

It looks like a failure of Risk Management that this occurred, and one would question if proper due diligence was performed on the contractor tasked with this. A decent Risk Assessment would have suggested that they either sanitise the data prior to disposal or procure an on-site disposal service – the supplier of which should have been sourced from a reputable list like SEAP. I guess you get what you pay for.

The bottom line is that the buck stops with the Trust: they were guardians of this data. They out-sourced the task, not the risk or the accountability. If the Chief Executive is the SIRO, which they should be, should they be made personally accountable for incidents like this? CESG guidance is very clear on how highly sensitive data should be handled in these circumstances, so there really is no excuse.