While the world focuses on what happened in the NHS cyber attack and seeks answers to questions about the ransomware, the age of the NHS's IT systems, whether the NHS had the correct anti-virus and intrusion detection technology, whether there were adequate back-ups from which to restore the data, and even whether it should pay the ransom demands, the real questions have yet to be asked.
The NHS, like any other enterprise, is subject to UK and European data protection law and has to abide by it. The UK's data protection authority, the ICO (Information Commissioner's Office), provides specific guidance on the law and is the authority that enforces it. In particular, the ICO publishes a guide to the Data Protection Act. Under Information Security (Principle 7) it states:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The NHS has failed to comply with UK data protection law and has clearly failed to meet Principle 7 of the information security guidelines, so what action will the ICO take now?
Global enterprises and the NHS alike are deploying cloud-based architectures. NHS employees are using mobile devices, smartphones, distributed cloud architectures and cloud applications. This modern-day, cloud-based architecture presents significant challenges for protecting PII and sensitive PII under the current UK data protection law.
Data Protection is only getting tougher
The UK is going through a much-needed new focus on the protection of PII and sensitive data, driven by a pre-Brexit European Regulation (not a directive) known as the GDPR (General Data Protection Regulation), which will become law by May 25, 2018. Even post-Brexit, the raised standards of data protection under the GDPR will be fully implemented in the UK for the protection of UK citizens' data; the ICO, as the UK data protection authority, has said so.
Instructions and guidelines for the GDPR were issued over a year ago, and organisations were given two years to implement the new controls by 25 May, 2018. This means that organisations, known as data controllers under the GDPR, have to be in 'full flight' now to be live by the deadline. Was the NHS on this journey to address the GDPR, and was it in 'full flight' with less than 12 months to go? If it was, would this attack have been prevented?
Before we single out the IT teams of the NHS, where were its Risk, Compliance and Legal teams, who are all responsible for compliance with UK data protection law? How will the ICO now respond to the NHS's failure to follow the law?
The problems facing the NHS should serve as a reminder to every organisation of the significance of today's data protection laws and the fast-approaching GDPR. Every CEO and board should be challenging its Compliance, Risk, Legal and IT teams on how secure they are. Is their organisation at risk of tomorrow's cyber security attack headlines, and therefore of failing to protect its customers' PII and sensitive PII?
NCC Group reviewed recent ICO fines for UK-based companies that did not abide by UK data protection law and lost customers' PII and sensitive PII. It then applied the GDPR fining rules and concluded that the well-documented TalkTalk fine would have risen from £880,500 to £59m. We have to ask: what should the NHS fine be now, and what would it be under the GDPR?
The point is that it is no coincidence that these cyber security attacks are more likely to happen to companies that do not invest in the latest approaches to protecting their customers' data and their own confidential and sensitive data. In the modern era of distributed, cloud-based architectures and a distributed workforce that relies on smartphones and IoT devices for productivity, it is never straightforward to fully protect against such attacks and compromises with traditional IT security approaches. It is an ever-moving target. You too have to change the game to stay ahead of the cyber attackers with a new approach. The focus has to move from traditional IT security towards information or data security. In other words, the focus has to be on protecting the data itself, wherever it is. That renders the data useless to a cyber attack that compromises it.
Under the new, much tougher GDPR, this is referred to as pseudonymising and anonymising PII and sensitive data, rendering it useless if it gets into the wrong hands. The GDPR recognises that more complex cloud-based architectures are making life easier for cyber criminals, so it is getting tougher and more demanding about new approaches to protecting confidential and sensitive data.
eperi is a leading cloud data protection (CDP) vendor that directly maps its solutions to GDPR requirements. eperi has solved the biggest challenge that first-generation encryption solutions cannot address: making the protected data usable to the organisation (or data controller) without compromising the strength of the encryption, while keeping the organisation in full control of its own data, a key requirement of the GDPR. This means that even if data were compromised, it would be totally unusable to cyber criminals.
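As an added illustration of the pseudonymisation approach described in the two paragraphs above (example code written for this page, not eperi's product or any code from the original article), the snippet below replaces the direct identifiers in a constructed patient-style dataset with HMAC-SHA256 tokens: records for the same person still link for analytics, while a copy leaked without the key carries no usable identifiers. Keyed tokenisation and postcode generalisation are assumed techniques chosen for illustration; the records and the field names are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (not real patients): two direct identifiers,
# a quasi-identifier (postcode) and the clinical value the organisation needs.
RECORDS = [
    {"nhs_number": "943 476 5919", "name": "Alice Example", "postcode": "SW1A 1AA", "diagnosis": "J45"},
    {"nhs_number": "943 476 5919", "name": "Alice Example", "postcode": "SW1A 1AA", "diagnosis": "E11"},
    {"nhs_number": "123 456 7890", "name": "Bob Sample", "postcode": "M1 1AE", "diagnosis": "J45"},
]
DIRECT_IDENTIFIERS = ("nhs_number", "name")


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token. Equal inputs give equal tokens, so records
    for one person still link; without the key a token cannot be reversed or
    recomputed from a guessed value (an unkeyed hash of a 10-digit number
    could simply be enumerated). Binding the field name into the input keeps
    a name token and an NHS-number token from ever colliding."""
    msg = f"{field}\x00{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_dataset(key: bytes, records: list[dict]) -> list[dict]:
    """Replace direct identifiers with tokens and generalise the postcode to
    its outward code, reducing re-identification through quasi-identifiers."""
    protected = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = pseudonymise_value(key, field, rec[field])
        new["postcode"] = rec["postcode"].split()[0]
        protected.append(new)
    return protected


def distinct_patients(protected: list[dict]) -> int:
    """Analytics still works on the protected copy: linkage is by token."""
    return len({r["nhs_number"] for r in protected})


def leaks_direct_identifier(protected: list[dict], originals: list[dict]) -> bool:
    """True if any original direct identifier survives in the protected copy."""
    raw = {o[f] for o in originals for f in DIRECT_IDENTIFIERS}
    return any(r[f] in raw for r in protected for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the data controller, never stored beside the data
    protected = pseudonymise_dataset(key, RECORDS)
    print(distinct_patients(protected), leaks_direct_identifier(protected, RECORDS))
```

Rotating or destroying the key is what turns the protected copy from pseudonymised into effectively anonymised data, so key custody is the control that a breach of the data store alone cannot defeat.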
This latest cyber attack on the NHS should serve as further proof that no organisation is immune or off-limits to cyber attackers. It is vital that all industries take heed and assess where they are most vulnerable, and in doing so, start with the data.