Not Much Deep Thinking Evident Behind NHS Trust’s Data Share with Google DeepMind

Not for the first time, the NHS has come under fire from patients and patient groups, and under the scrutiny of the UK’s National Data Guardian (NDG), Dame Fiona Caldicott, and the ICO’s chief, Elizabeth Denham.

The Royal Free Hospital in London commissioned Google’s DeepMind division in 2015 to help develop Streams, an app intended to detect acute kidney injury from blood test results and flag patient deterioration. In the process it provided DeepMind with 1.6 million patient records to enable ‘real time’ testing.

• Patients at the Royal Free Hospital in London were largely unaware that their details were being used by a third party, or how they were being used.
• No details of the financial terms of the deal have been disclosed publicly.

Dame Fiona Caldicott, whose letter to the Royal Free was recently leaked, laid out her concern that the data had been transferred on a ‘legally inappropriate’ (read ‘unlawful’) basis: the app being developed was not ‘central’ to patient clinical care. Caldicott shared her concerns with the ICO.

Caldicott does not dispute the app’s ability to help clinicians save lives today, but added in her letter: “Given that Streams was going through testing and therefore could not be relied upon for patient care, any role the application may have played in supporting the provision of direct care would have been limited and secondary to the purpose of the data transfer.  My considered opinion therefore remains that it would not have been within this reasonable expectation of patients that their records would have been shared for this purpose.”

Google DeepMind’s clinical lead, Dominic King, was swift to deny any cross-use of the patient data with other Google products or services, or any use for commercial purposes.

The ICO’s Elizabeth Denham has yet to give her judgement on misuse under the Data Protection Act, but the issue underlines the importance of individual consent, which will be examined ever more intensely when the GDPR applies from 2018. As it stands, the ICO already has powers to fine a company up to £500,000 for the misuse of personal data, as well as to seek criminal prosecution of individuals.

Irrespective of the worthiness and potential benefit to patients in the longer term from the app, Dominic King agrees: “I think one thing that we do recognise that we could have done better is make sure that the public are really informed about how their data is used.”

It may prove a costly oversight for the Royal Free at a time of increasing NHS budget constraints, as well as an ignominious slap in the face for the Trust from its patient body through reputational damage.

Amicus ITS is continuing its series of thought leadership events through 2017, this time on GDPR, for its customers and invited guests. Further information on the programme can be found by contacting Marketing (email) or calling Lindsay Burden on 02380 429475.

UK healthcare: cyber attack focus

More than 113 million patient records were stolen from hospitals and healthcare facilities around the globe as a result of security failures and cyber-attacks in 2015.

With IBM’s Cyber Security Intelligence Index naming healthcare as the most attacked industry in 2015, it is no surprise that 41% of all security breaches reported to the UK’s Information Commissioner’s Office (ICO) that year came from the health sector.

These attacks have damaged not only the reputation of healthcare organisations but also their bank balances. The ICO issued 11 fines amounting to £1.4 million between April 2010 and November 2015, including one NHS trust fined £325,000 over unencrypted devices.

Notable cyber-attacks and security breaches in the healthcare industry
October 2016: North Lincolnshire and Goole NHS Foundation Trust (NLAG) had its systems infected with malware, resulting in the cancellation of at least 35 patient operations; other patients had to be relocated while the threat was dealt with.

2015:
56 Dean Street, an NHS sexual health and HIV clinic, disclosed the email addresses of 781 patients while sending out its monthly newsletter, with recipients placed in the visible To field rather than Bcc. 730 of these addresses contained the full names of the recipients. The breach was an internal error, for which the ICO imposed a £180,000 fine.

NHS-approved online pharmacy company, Pharmacy2U, sold details of more than 20,000 of its customers to marketing companies without their knowledge or consent. This breach resulted in the ICO fining the pharmacy £130,000.

Why is the healthcare industry under attack?

Better technology and the move to paper-free healthcare allows health professionals to look up and share life-saving information wherever and whenever it is needed. This is vital in improving patient care but it has brought the industry into the sights of cyber criminals.

Personal confidential data is valuable to those with malicious intent, meaning that health and social care systems will increasingly be at risk from external threats and potential breaches as technology becomes more prevalent. This has been emphasised by Lynne Dunbrack, research vice president for the International Data Corporation (IDC): “Frankly, health care data is really valuable from a cyber-criminal standpoint. It could be 5, 10 or even 50 times more valuable than other forms of data.”

Reviews of data security in the health and care sector have found that internal breaches are often caused by people finding workarounds to burdensome processes and outdated technology, and that those people may be unaware of their responsibilities.

How to stop these attacks

Step 1: Cyber Essentials certification

Cyber Essentials is the UK Government-backed security scheme that sets out five security controls (boundary firewalls, secure configuration, access control, malware protection and patch management) which the scheme states could prevent around 80% of basic cyber-attacks, improving cyber security and preserving the reputation of the healthcare industry.

Cyber Essentials certification also demonstrates to patients, suppliers and third parties that data security is being taken seriously. Amicus ITS works with CREST-approved cyber security organisations to ensure that your status has been independently verified by a third-party vulnerability scan.

Step 2: ISO 27001

ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS). It encompasses people, processes and technology, recognising that information security within the healthcare industry is not about technology alone.

Step 3: Protect your perimeter

With threats and threat actors continuously evolving there is a real need for intelligent perimeter protection as well as innovation with password and identity management. At Amicus ITS we are happy to provide advice to help ensure your data is as secure as possible.

Amicus ITS’ specialist information governance and security division provides services to support NHS and public sector organisations. Our client base is substantial and includes corporations of all sizes. We believe our success in winning and retaining clients is due to Amicus ITS’ deep and ongoing understanding of N3 compliance requirements in the UK.

UK will be implementing the EU General Data Protection Regulation in May 2018


Elizabeth Denham, the UK Information Commissioner, confirmed on 31st October 2016 that the UK would be implementing the EU General Data Protection Regulation.

She reported that the Secretary of State, Karen Bradley MP, had announced the decision at the Culture, Media & Sport Committee meeting on 24th October 2016, confirming the following: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Elizabeth Denham confirmed, “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.  The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.
 
Citizens want the benefits of these digital services but they want privacy rights and strong protections too.  Having sound, well-formulated and properly enforced data protection safeguards help mitigate risks and inspire public trust and confidence in how their information is handled by business, third sector organisations, the state and public service.
 
The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing. Today’s consumers understand that they need to share some of their personal data with organisations to get the best service. But they’re right to expect organisations to then keep that information safe, be transparent about its use and for organisations to demonstrate their accountability for their compliance”.

As Amicus ITS reported in our blog on 14th October 2016, the Information Commissioner’s Office is committed to helping UK businesses and public bodies prepare to meet the requirements of GDPR ahead of May 2018 and beyond. Its 12-point plan for business is published and all organisations are urged to review it against their current data protection measures.

Elizabeth Denham added:  “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.  We’ll be working with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate”.

The ICO advises that it will be publishing guidance on different areas over the next six months. Amicus ITS will share these with you as they arise so you can best prepare your organisation for the tighter regulations, responsibilities and accountability.

Are you ready for GDPR?


As we know, the UK voted to leave the EU on 23rd June 2016.

The UK is required to serve notice under Article 50 of the Treaty on European Union (as amended by the Lisbon Treaty), which carries a two-year notice period.

The General Data Protection Regulation is due to apply in less than two years, from 25th May 2018. GDPR applies not just to organisations established within the EU but also to organisations outside the EU that process the personal data of individuals in the EU, where that processing relates to offering them goods or services or to monitoring their behaviour within the EU.

Even standing outside the EU, the long arm of GDPR will therefore apply to any UK organisation handling the data of individuals in the EU. For data to keep flowing freely from the EU, the UK will also need to demonstrate ‘adequacy’ of its own data protection regime.

Countries around the world are preparing now for GDPR.

For full details of the 12 steps your organisation is guided to take to prepare for GDPR, Amicus ITS invites you to read the ICO’s PDF white paper “Preparing for the General Data Protection Regulation (GDPR)”, attached here: ico-preparing-for-the-gdpr-12-steps

I strongly recommend that all organisations actively research what they need to do to comply with GDPR, as once in force it automatically becomes law in all EU Member States.

ICO fine on TalkTalk revealed


The ICO revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum of £500,000) for its poor web security, following the theft of nearly 157,000 customer account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also deeply hit as a direct result of the attack, and the firm lost 101,000 subscribers in the first quarter after it.

The ICO’s report was scathing, with Information Commissioner Elizabeth Denham commenting: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

In nearly 16,000 cases the attacker was able to steal bank account details. The ICO found that legacy web pages dating from TalkTalk’s takeover of rival Tiscali were running out-of-date software, leaving them open to SQL injection: user-supplied input was passed into database queries without being safely separated from the query itself. TalkTalk had been unaware of the problem, which could have been readily fixed had its security measures been kept up to date.
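The class of flaw the ICO describes is easy to see side by side. The following is an added example written for this page, not code from TalkTalk or from the ICO report; the table, column names, sample rows and the `lookup_*` function names are invented for illustration. The vulnerable function builds the query by string concatenation, so the classic `' OR '1'='1` payload rewrites the WHERE clause and returns every customer’s bank details; the parameterised version binds the same input as a value and returns nothing.

```python
import sqlite3

# Constructed sample data standing in for a customer-account table behind a
# legacy web page. Names, emails and account strings are invented.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "10-20-30 12345678"),
    ("bob", "bob@example.com", "40-50-60 87654321"),
]

# Payload an attacker might submit in the "username" field of a web form.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, bank_account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Build the query by concatenation: the input becomes part of the SQL.

    With INJECTION as the username the statement becomes
      SELECT ... WHERE username = '' OR '1'='1'
    which is true for every row.
    """
    sql = (
        "SELECT email, bank_account FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Bind the input as a parameter: it is only ever treated as a value."""
    sql = "SELECT email, bank_account FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the injection payload and a normal username.

    Returns the number of rows each call leaks so the difference is explicit.
    """
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, INJECTION)),
        "parameterised": len(lookup_parameterised(conn, INJECTION)),
        "normal": len(lookup_parameterised(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the vulnerable path returns both rows for the injected input while the parameterised path returns none; the legitimate lookup still returns the one matching row. The fix is the same regardless of database engine: never splice untrusted input into query text, use the driver’s placeholder binding, and scan legacy pages for concatenated queries as part of patching inherited systems.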

The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Ms Denham added: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.” These comments echo the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought leadership cyber security roadshows.

The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.

Blog – Safe Harbour 2.0 Gets The Greenlight


The next major piece of data legislation came into effect on 12th July 2016, with the European Commission’s official adoption of the EU-US Privacy Shield framework. These measures are intended to protect EU citizens’ data when it is transferred to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Informally known as Safe Harbour 2.0, this agreement will help firms move personal data across the Atlantic without breaking strict EU data transfer rules. After many redrafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be the body responsible for checking that companies that have signed up to the framework are following its rules. Those that do not will face sanctions and be struck off the list. The same level of protection must also apply to any personal data that a participating company forwards to third parties.

Safeguards and transparency around US government access
The EU has been given assurances that access by public authorities for law enforcement and national security purposes remains subject to clear limitations, safeguards and oversight mechanisms. The US has committed not to conduct indiscriminate mass surveillance of EU citizens’ personal data, and every EU citizen will have access to redress mechanisms.

Individual rights redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to use a number of accessible and affordable dispute resolution schemes. Ideally the complaint will be resolved by the company directly in the first instance; failing that, free Alternative Dispute Resolution (ADR) will be offered.

EU-US annual joint review
The Privacy Shield scheme will be reviewed annually by the European Commission and the US Department of Commerce. National intelligence experts from the US and the European Data Protection Authorities will collaborate to assess all available sources of information and issue a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until the UK actually leaves the EU, UK citizens are still EU citizens and therefore we all benefit from these changes. In point of fact the General Data Protection Regulation (GDPR), which applies from May 2018, will become law in the UK as we will still be part of the EU at that point. Additionally, the Information Commissioner’s Office (ICO) has already stated that any redraft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far, and the adoption of a single European data protection law, lead me to consider whether a global data protection or global data transfer regulation, much like the international standards, would help safeguard every citizen.

Lots to TalkTalk About With Latest Major UK Cyber Attack

In the wake of the third “significant and sustained” cyber attack on the FTSE 250-listed company, on Wednesday 21st October, TalkTalk is advising all of its 4 million subscribers that their personal data (including names, addresses, dates of birth, phone numbers and email addresses, plus account information, credit card and banking details) may have been breached. The company is offering one year’s free credit monitoring for this latest breach, but it has not been a good period to carry this now toxic trading name. TalkTalk suffered a sophisticated email scam in February 2015, which it attributed to a third-party contractor with legitimate access to its customers’ data. In December 2014 the Guardian reported a possible data breach emanating from one of its Indian call centres, which left some customers out of pocket by several thousand pounds, with their banks disclaiming responsibility on the grounds that the victims had caused their own losses by giving the fraudsters access.

The Information Commissioner’s Office (ICO) began investigating the hacking of Carphone Warehouse (owned by Dixons Carphone plc) in August, which affected 2.4 million users. Earlier this month, credit rating agency Experian PLC’s North American unit suffered a breach of data belonging to clients of US mobile carrier T-Mobile USA Inc, affecting 15 million US customers. Reports of cyber offences exceeded 625,000 every month this summer.

The Metropolitan Police Cyber Crime Unit has launched an investigation into the attack on TalkTalk’s website. While TalkTalk’s CEO Dido Harding has confirmed that the website is now secure again and that TV, broadband, mobile and phone services were not affected by the attack, its sales website and “My Account” bill-checking site have yet to be restored. TalkTalk’s assurances about the apparent normality of service provision offer little comfort to its concerned customer base, few of whom will be surprised to hear that the company lost 10% of its share price within 24 hours of the bad news. Claims emerged today on BBC Radio 4’s Today programme that a Russian Islamist group had posted online that it was responsible for the attack. This is being investigated by the authorities, though TalkTalk is currently refusing to comment.

So where does this leave TalkTalk customers?
• Anyone who is the victim of a cyber attack should monitor their bank and credit card statements diligently over several months to spot suspicious transactions. Losses are not necessarily sudden and dramatic; there is an emerging trend for small-scale withdrawals following hacks, far less eye-catching to the unwary consumer but corrosive over the long term as part of a sustained siphoning of funds.

• Customers may be contacted by opportunistic third-party fraudsters cashing in on the TalkTalk attack, targeting an already vulnerable customer base and purporting to be TalkTalk staff trying to fix things in order to gain access to accounts. Genuine TalkTalk staff would never demand account details over the phone, and any such request should set alarm bells ringing.

Cyber Precautions for Enterprise
For any company it is imperative to have good process and policy safeguards, with up-to-date anti-malware software installed, wrapped around the company’s data, users and applications. In addition, companies that use the web to transact with the public and collect personal and financial details would be well advised to host their public website on infrastructure separate from the main business systems, and even to use two different suppliers for these services, so that a compromise of the website does not give an attacker a direct path into internal systems. This increases resilience, but it is only step one for the data controller; step two is ensuring that data handling is compliant ahead of the EU’s General Data Protection Regulation (GDPR), which applies from May 2018.
