G-Cloud 9 – official Crown Commercial Supplier status awarded to Amicus ITS

Amicus ITS is delighted to confirm that it has been granted ‘Official Supplier’ status on the Government’s Digital Marketplace cloud services framework. This offers buyers a host of transparent, commoditised managed cloud services on G-Cloud 9, the latest Government procurement platform for technology services for the public sector, healthcare bodies, agencies and arm’s length organisations.

To check out what services you can get through Amicus ITS on G-Cloud 9, follow these simple steps to get our full service details:

1. Go to https://www.digitalmarketplace.service.gov.uk
2. Look under the heading ‘Find cloud hosting, software and support’.
3. Click on Cloud support or Cloud hosting
4. Enter one of the service descriptions below in the Keywords box (e.g. NOC).
5. Amicus ITS’ services will be found on the first page of your search for each.

• Cloud hosting – Enterprise Compute Cloud
• Cloud support – Service Desk
• Cloud support – Network Operations Centre (NOC)
• Cloud support – SQL for Public Sector
• Cloud support – Security Operations Centre (SOC)
• Cloud support – Backup and Disaster Recovery

Alternatively, to speed up navigation to Amicus ITS, type ‘Amicus ITS’ in Cloud support and this will pull through all five services listed in that Lot.

Sales Director Les Keen commented: “I am delighted to announce that we have been awarded official ‘Crown Commercial Supplier’ status by the CCS. We have a thirty-year heritage as a leading MSP and a fine pedigree of security accreditations which puts us in a compelling position as data guardians to offer specialist cloud and managed services to wider public sector organisations, healthcare and government departments.

Being on G-Cloud 9 will offer the rightful assurance and transparency that public service buyers demand and we have a highly experienced team here to guide everyone through the process.

Indeed, early indications are already proving positive, with my team having fielded a number of enquiries from public bodies in the first 72 hours since our services went live. We are here to help, so do contact us.”

The Government’s handy Buyer’s Guide can be found at: https://www.gov.uk/guidance/g-cloud-buyers-guide.
Anyone wanting further information can contact any member of our G-Cloud 9 bid team on +44 02380 429429 or email us at: bidteam@amicusits.co.uk

Not Much Deep Thinking Evident Behind NHS Trust’s Data Share with Google DeepMind

Not for the first time, the NHS has come under fire from patients and patient groups, and has drawn the scrutiny of the UK’s National Data Guardian (NDG), Dame Fiona Caldicott, and of the ICO’s chief, Elizabeth Denham.

The Royal Free Hospital in London commissioned Google’s DeepMind division in 2015 to help develop the Streams app, which uses blood test results to detect acute kidney injury and identify patient deterioration. In the process, the hospital provided DeepMind with 1.6 million patient records to enable ‘real time’ testing.

• Patients at the Royal Free Hospital in London were largely unaware that their details were being used by a third party, or how they were being used.
• No details on the financial terms of the deal have been disclosed publicly.

Dame Fiona Caldicott, whose letter to the Royal Free was recently leaked, laid out her concern that the data had been transferred on a ‘legally inappropriate’ (read ‘unlawful’) basis, since the app being developed was not ‘central’ to patient clinical care. Caldicott shared her concerns with the ICO.

Caldicott does not dispute the app’s ability to help clinicians save lives today, but added in her letter: “Given that Streams was going through testing and therefore could not be relied upon for patient care, any role the application may have played in supporting the provision of direct care would have been limited and secondary to the purpose of the data transfer.  My considered opinion therefore remains that it would not have been within this reasonable expectation of patients that their records would have been shared for this purpose.”

Google DeepMind’s clinical lead, Dominic King, was swift to rule out any cross-use of the patient data with other Google products or services, or any use for commercial purposes.

The ICO’s Elizabeth Denham has yet to give her judgement on misuse under the Data Protection Act, but the issue underlines the importance of individual consent. This will be examined ever more intensely under the forthcoming GDPR regulations in 2018. As it stands, though, the ICO already has powers to fine a company up to £500,000 for the misuse of personal data, as well as to seek individual criminal prosecution.

Irrespective of the worthiness and potential benefit to patients in the longer term from the app, Dominic King agrees: “I think one thing that we do recognise that we could have done better is make sure that the public are really informed about how their data is used.”

It may prove a costly oversight for the Royal Free at a time of increasing NHS budget constraints, as well as an ignominious slap in the face for the Trust from its patient body through reputational damage.

Amicus ITS is continuing its series of thought leadership events, this time on GDPR, through 2017 for its customers and invited guests. Further information on the programme can be found by contacting Marketing (email) or calling Lindsay Burden on 02380 429475.

3D printing gets smarter in healthcare

Since we last reported an amazing 3D printing story in January 2015, the technology continues to demonstrate its extraordinary enabling powers in the operating theatre for the NHS, with another life transformed as reported this week.

Surgeons were able to use 3D printers to replicate body parts for a kidney transplant from father to daughter at Guy’s and St Thomas’ NHS Foundation Trust in London recently. Because of the contrast in size between the two patients’ organs, 3D printers were used to make models of the daughter’s abdomen and the father’s kidney from CT and MRI scans. This enabled the surgeons to accurately plan and rehearse the complex operation.

Hard printouts created the girl’s pelvis, whilst her liver was made softer in a liquid plastic model to enable the doctors to practise pushing it out of the way to make room for the new kidney. Happily, the little girl can now run around, eat normally and enjoy a very different outcome and a normal childhood, whilst her parents have the simple joy of planning for her nursery integration in the autumn.

Medical robotics, despite more than two million operations since 2000, still faces challenges in winning over patient confidence. Here, however, the winning smiles of father and daughter amply reflect the achievement of partnership between the human hand and advanced printing technology, and show there is plenty more in store in the future of 3D printing.


Does your company include “cyber” on the Board agenda every month?

Amicus ITS has long been an exponent of the merit of having an IT expert on a company Board.  Indeed ‘cyber’ has been on Amicus ITS’ own Board’s monthly agenda for the past 18 months.

As we continue to convey this good practice recommendation to our customers, the message is now being endorsed by HM Treasury in a direct appeal to the major UK banks.

As reported in The Sunday Times (240116), Andrew Tyrie, Treasury committee chairman and Tory MP for Chichester, wrote to the major financial institutions over the weekend demanding that they take urgent steps to thwart hacking and data theft. “Bank IT systems don’t appear to be up to the job”, he said. “Every few months we have yet another IT failure at a major bank. These IT weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress. Businesses suffer too. We can’t carry on like this.”

The remedy is no magic potion. The Treasury MP is advocating hard investment in computer systems, and that banks answer to a new group within the financial regulator, the Prudential Regulation Authority.

No banks are immune. Barclays, HSBC, Lloyds and the UK taxpayer’s own bank, Royal Bank of Scotland (RBS), have all suffered outages. Most recently, HSBC suffered a two-day failure of its online banking services in January 2016. This follows last August’s dropout, when a glitch prevented salaries being paid ahead of the August Bank Holiday. Other banking failures have included mortgage and pension payments. RBS, which has experienced many problems, was fined £56 million in 2015 for an IT glitch in 2012 that left millions of customers unable to access their accounts.

The Deputy Governor of the Bank of England, Andrew Bailey, is expected to head up a new specialist IT unit within the Bank of England’s Prudential Regulation Authority to ‘ensure lenders are investing enough in their systems’. We wait to see whether this specialist financial regulator post has the teeth and influence to create the necessary change and improvements required, and soon. If our banking blog of 31st January 2014 is anything to go by, it could be a very long wait. Could this MP’s plea be one of hope more than expectation?

Irrespective of business sector, it is a timely reminder for companies not to put off updating infrastructure or reinforcing vital firewalls by holding on to unspent, shored-up post-recession profits. In our technically challenging world, businesses cannot afford NOT to maintain and future-protect their IT systems, let alone ignore recommendations to invest in protecting against the increasingly sophisticated and cynical cyber threats facing every organisation.

• 80% of cyber attacks in 2014 were preventable (source: Ponemon Institute)
• Only 21% of companies say their Board gets comprehensive information about cyber threats*.
• Only 17% of Board members believe they have a full understanding of the risks*.

Action – do a cyber health check review of your company after today:

• Re-evaluate the crown jewels of YOUR organisation (key information and data assets)
• Review risk from 3rd party suppliers (get into active compliance).
• Be pro-active and transparent about risk – your customers will thank you.
• Arrange for a cyber threat ‘pen test’ and get in shape for 2016.

In the constantly evolving world of cyber security, the wise understand that there is no panacea against cyber attack; it is a matter of when, not if. However, those best armed against the enemy will be the ones best prepared for an attack, in understanding it and in responding promptly.

Why SMEs really should care about hacking

There may have been a mistaken belief amongst SMEs that they are NOT a principal target for cyber attack. This has been firmly refuted by security firm Symantec following their research into the trends which evolved during 2015, just published in their latest report.

UK, US and Indian SMEs in particular are being targeted, specifically with the goal of stealing money from businesses.

Hackers are using two types of Trojan (a common cyber threat method through which the victim is conned into launching malware, believing it to be harmless) together with social engineering (a confidence trick, essentially, to get people to perform an action or divulge confidential information).

The newer, more sophisticated threats target “employees responsible for accounts and fund transfers”.

Scammers send emails, often finance-related, from stolen or compromised accounts and lure the employee into opening them. The email contains a .zip attachment which, once clicked on, opens a Pandora’s Box for the cyber attackers: they can log keystrokes, steal files and passwords, and access the camera and microphone. The logging of keystrokes is the more sinister capability, since it records everything typed, including the websites visited and passwords that are never stored on the computer, as part of the data heist.

The email subject line might have a heading such as one of the following:
• Re:Invoice
• PO
• Remittance Advice
• Payment Advise
• Quotation Required
• Transfer Copy
• TT Payment
• PAYMENT REMITTANCE
• INQUIRY
• Qoutation
• QUOTATION
• Request for Quotation

Hackers use two publicly available remote access Trojans (RATs): Backdoor.Breut and Trojan.Nancrat, with Nancrat being the one most commonly used in the UK.

And it doesn’t have to be a swift in/out attack. Hackers, once in, are happy to mooch around the computer to find out how to steal money. “In some cases, attackers have been known to even download manuals to figure out how to use certain financial software,” the Symantec report says.

The recommendation, of course, is not to open suspicious attachments and to exercise caution when using email. All too often, a too-speedy keystroke can lead to an accidental but high-impact outcome for the firm. The solution is to get educated about cyber attacks and what they look like, and to treat email communications with cautious respect. That way, you get smart and your company and customers stay safe.
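As an added illustration of how a mail gateway or SOC could triage the lure pattern described above (finance-themed subject line plus a .zip attachment), here is a small Python script; it is not code from the original post or from Symantec, the subject list is taken from the article, and the sample message is constructed for the demo.

```python
import email
from email import policy

# Lure subject lines listed in the article (attacker misspellings kept on purpose)
LURE_SUBJECTS = {
    "re:invoice", "po", "remittance advice", "payment advise",
    "quotation required", "transfer copy", "tt payment",
    "payment remittance", "inquiry", "qoutation", "quotation",
    "request for quotation",
}
RISKY_EXTENSIONS = (".zip",)  # the article's attack uses .zip attachments


def normalise_subject(subject):
    """Lower-case and collapse whitespace so 'Re: Invoice ' matches 're:invoice'."""
    return " ".join(str(subject).lower().split())


def risky_attachments(msg):
    """Return the filenames of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_message):
    """Classify a raw RFC 5322 message as pass / review / quarantine."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = normalise_subject(msg.get("Subject", ""))
    lure = subject in LURE_SUBJECTS
    zips = risky_attachments(msg)
    # Both signals together match the campaign described; one alone only needs a look.
    verdict = "quarantine" if (lure and zips) else ("review" if (lure or zips) else "pass")
    return {"subject": subject, "lure_subject": lure, "zip_attachments": zips, "verdict": verdict}


# Constructed sample message (hypothetical domains), not a real capture.
SAMPLE_LURE = """\
From: accounts@example.invalid
To: finance@example.invalid
Subject: Re:Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Please see attached invoice for payment.
--BOUND
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--BOUND--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
```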

Hacktivists unmasked over BBC website collapse on New Year’s Eve 2015

“New World Hacking” finally claimed responsibility two days into 2016 for the attack on the BBC website, which was a relatively common Distributed Denial of Service (“DDoS”) cyber attack. The high-profile targeting ensured that the BBC’s news service, iPlayer online TV and radio services were down for several hours on 31st December 2015, with an error message being shown instead of the BBC homepage.

A DDoS attack is one where a website becomes overloaded with a surge of traffic it cannot handle, with the result that the website’s servers stop responding to requests.

The targeting of the BBC was purportedly friendly fire! The hacktivists claim to concentrate on taking down websites supporting ISIS (Daesh) or sites affiliated to the terror group, and this exercise against the BBC was just to test the capabilities of their machines, chosen because of the BBC’s high capacity to respond to traffic. No doubt this made the BBC feel very comforted.

Amicus ITS security specialist Mark Heather added: “This has been described as a DDoS attack but it appears to have been designed as a scoping exercise; not to attack the BBC per se, but to give the hacktivists more insight as to their efficacy. Unfortunately, there is little that companies can generally do to thwart this type of attack. But threat management can be deployed as part of a wider cyber security protection strategy.”

“Organisations can take certain preventative positive measures to thwart, circumvent or manage cyber threats. ‘Threat analysis’ can be undertaken as part of an ongoing reputation exposure exercise. Your cyber security team can look out for any ‘Dark Chat’ underground threads published on web hacktivist forums, for example, and with this intelligence then direct traffic towards a ‘honeypot’ mechanism, for example.” (See below.)

[Diagram: honeypot mechanism]

Honeypots can be used to check content before anything is passed through the firewall, as one of an organisation’s strategic steps to beefing up its data security. As Mark comments: “Much like the weather, you cannot stop rain from happening, but you can wrap yourself up warm and get your umbrella out knowing what the forecast is likely to be.”


EU data privacy rules – Impact across the pond

A new European privacy directive is about to be signed, one which could see US tech firms fined millions of dollars if they don’t comply.

The directive regulates how tech companies obtain and use user data. According to USA Today, companies must get clear consent from the user and have to explain just what their data will be used for. Companies must also explain to the user how the data was obtained, and if the user wants that data changed or completely deleted, the company must do so.

As an example, if a user chooses to delete their Facebook account, Facebook would also have to delete all the information it had collected about them. The directive has been in production for several years and will replace a patchwork of laws from the 1990s.

“A lot of the language in this regulation has been sharpened in response to US companies walking very close to the line as far as complying with EU data protection regulations,” Danny O’Brien, the international director of the Electronic Frontier Foundation, a San Francisco-based cyber rights group, told USA Today.

The age of data consent will also be raised from 13 to 16 years old, meaning that everyone younger than 16 will have to get their parents’ approval before giving their data to companies.

The European Commission and the European Parliament could not agree on the size of the penalty for a company that fails to comply, but it seems that 4% of the company’s global revenue could be the sweet spot. For companies the size of Google or Facebook, that is a lot of money.

As an IT Managed Service Provider, data controller and data processor, Amicus ITS has had to be proactive in looking at the impact of these changes for us and our customer base. These changes, which will become law in the member states, reflect positively on individuals, as we all obtain more rights over our data. However, for any organisation that holds or processes data, these changes will have an impact that cannot be ignored.
