Transcript Slide 1

Daniel Beaumont
Information Assurance Lead
eHealth Programme, Scottish Government
NOT PROTECTIVELY MARKED
Is there a ‘mobile’* explosion?
*Not really... more like a 20-year marathon
 First text message: 1992
 Internet: early 1990s
 Pay-as-you-go (which created the mass consumer market): mid-1990s
 Wireless LAN: late 1990s
 GPRS/3G: early 2000s (i-mode long before the iPhone)
 ‘Smart phone’ (PC, colour screen): early 2000s
Board IT teams know all about this, and are generally good at managing it (e.g. WLANs)
...bumps in the road
Vendors have tried to get a wireless ‘big bang’ (e.g. WAP phones, MMS) and often fell flat:
 Lack of bandwidth
 Lack of battery power in devices
 Screen technology not advanced
 Mobile applications still in infancy
 Short-range wireless initially slow to catch on in the consumer market
 High production costs for some components
What is different now?
Key components for the ‘tipping point’ have come together
eHealth leads face a lot of background noise...
 “I am senior and I want one!”
 “Patient accessing service via wireless”
 “R.O.I. from existing tools”
 All of this demand comes just at the time when we are supposed to be squeezing value out of existing IT investment (mainly fixed cable)
 Far less money for buying more kit, or putting in ever more complex support models for wireless
Getting to the nub of the problem
 Boards now need to deal with the implications of this wireless application ‘tipping point’ and derive benefits while managing risk
 Take into account the consumer pressure/convenience (‘pester power’) of staff, but all decisions must be in the interests of the business even if they are not always popular
 Need to cut through all this ‘background noise’ and work out what really are the information risks, and how to deal with them
Forget much of what you have heard and start on a clean sheet...
 There is no such thing as 100% security
 Take ‘several pinches of salt’ with whatever vendors claim about devices/services (“It meets xyz International standard”)
 Do not consider ITSOs, IG Leads or Caldicott Guardians as people who simply say ‘yes’ or ‘no’
 Do not think you must buy in security expertise every time
 Do not consider wireless as necessarily any more or less ‘secure’
 Do not think the confidentiality requirement drives all decisions
 Do not think good security = encryption products
Instead...
Go for an information risk management approach
NHS staff, clinical and managerial, are already really good at ‘risk management’ every day:
 Identifying risk (“this could happen to patient x given what I know about y”)
 Explaining risk to others (“you cannot move this patient because...”)
 Treating, avoiding, retaining risk (“we can treat x condition, but z condition can only be contained”)
Looking at information risks in the round
How often have you heard about privacy risks?
 “Hey, you can’t do that, we have personal data to protect at all costs...”
 “Not possible, because the product doesn’t do encryption”
 “Someone might eavesdrop on that data”
Remember: Information Assurance is C.I.A.:
Confidentiality AND Integrity AND Availability
The NHS does have important confidentiality requirements (legal and moral),
but often these can dominate all discussion to the point where availability and integrity risks hardly get a look in...
Information risks in the round: Availability
 But how seldom you hear:
 “The need for availability of data to clinicians outweighs the very small risk of information loss”
 “I am worried that the chosen wireless solution could mean there are more service outages”
Information risks in the round: Availability (2)
All wireless technologies are by their very nature intermittent (radio, infrared, microwave etc.)
So uppermost in our minds must always be the ‘availability risk’ (*hence the title of this presentation)
Broken cables are a rare event: we understand the single points of failure
Wireless outages: still learning about the impacts
Information risks in the round: Integrity
 How seldom do you hear:
 “I am worried that mobile devices will lead to duplication of data, or data out of synch”
 “We seem to be procuring a separate device for each application... the data will be different from the desktops”
 “We have a pile of devices”
When should you do an information risk assessment?
 At organisational level: e.g. whole board, team, process
 For a particular service to be launched (e.g. prior to delivery), especially if critical and/or if there is a high element of ‘unknowns’ relating to security
 As a result of a security incident (e.g. privacy breach)
Who should do the information risk assessment?
 Ideally, someone who is not in the project team and can provide an independent view
 BUT, before you think to pick up the phone to a consultancy etc., there are lots of NHSScotland options:
 Your ISO
 An ISO from another board
We need to pool our skills much more internally
Information risks: the whole process
 Understanding the business context (why is the service, which has wireless devices, so important?)
 Who might be the ‘owners’ of that service
 What are the impacts (worst-case scenarios) relating to something going wrong with that service/process
Information risk assessment
 Devices
 How they are expected to be used
 How they might be used in unexpected ways
 Relevant regulatory requirements (e.g. Data Protection)
 Types of attacker/motivation
 Risks and vulnerabilities relating to any aspect of the whole process
Information risk assessment: reporting back to...?
Who are the information ‘risk owners’?
 “A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.”
 NOT the same as a SIRO (Senior Information Risk Owner) or an information asset owner
Who may need to be in the room?
Role: Why?
‘Owner’ of proposed service: There is no such thing as an IT project; the technology is there to enable a process/service that must be owned/run by someone else
Project Manager: To explain exactly how the requirements are met, and the broad risks
Independent Risk Assessor: To explain the results of the risk assessment, and the options
Caldicott Guardian/IG: Compliance with DP etc. and best practice
eHealth lead: Is the service suitable for the current architecture? How will it be released into the live environment?
‘Creative tension’ between advisors/enforcers/owners
Key questions to be posed
 Which risks can and should be treated?
 What residual risk is still left even with treatment?
 Are the residual risks still too much to bear?
 Which risks can be avoided (e.g. by not doing something)?
 Which risks can be retained?
Example: ‘risk retained’
“Smart phone, whole-disk encryption not possible... but there is encryption on the application”
Residual risk...
User error could mean sensitive personal data ends up on the unencrypted part of the device (e.g. My Documents, Camera)
*Revised NHSScotland mobile data [guidance] says this is permissible up to ‘amber’ level.
User training/awareness is the only ‘control’ to reduce this residual risk further...
What about B.Y.O.D? “Bring your own device”
B.Y.O.D: Fact or fiction?
Commonly held assertion vs. reality
Assertion: Staff are clamouring for it now...?
Reality: Staff would prefer not to use a different device for each purpose (not necessarily their ‘own’ device)
Assertion: Vendors have ‘cracked’ security?
Reality: OK for services up to ‘amber’ and for email. But many other problems relating to personally owned devices... not covered by encryption
Assertion: Cheaper to support BYOD than official devices?
Reality: Not always; the sheer range of variables can add to support cost
Assertion: We could connect our own devices to NHS services via the web?
Reality: We do not currently have the web architecture to do this. Few ‘online’ services. Our current remote access works on VPN/tokens/official devices etc.
Current situation
 NHSmail does allow use of your own mobile device (via the Internet)
 Some staff use their own devices for capturing information (e.g. notes, minutes). Do they ever save it in the right place??
 Not much else...?
Emerging situation: move with caution...
 What about ‘choose your own device’ (C.Y.O.D)? Takes employee preferences into account, but devices are still owned and controlled by the org
 Employees often complain about having multiple devices... We could make a start by reducing the number of ‘official’ devices in the workplace.
 Supporting all the variables relating to people’s own phones can be more expensive than just issuing official ones.
B.Y.O.D
 Need to sort out the ‘identity & access management’ and authentication aspects for remote users in general
 Lots of products to secure applications; but having an agent installed on a personally-owned device does not = security
 Need to think far more about how we classify information
So what is the role of Scottish Government in all this...?
Balancing Act
Removing barriers to information sharing and innovation while upholding ministerial priorities and the right degree of compliance...
Barriers are often around perceptions...
Priorities
 Information Assurance Strategy (working through it)
 Good practice guidance (based on risk assessments)
 Standards (where appropriate)
 Building communications and ISO/IG communities
 Building capability (e.g. training, forums)
 Links with clinical and professional groups
 Leading and influencing within NHSScotland governance structures
 Significant incident lessons learned...
Final thoughts...
Tackling some of the emerging security risks around the mobile technology space can be scary...
BUT many of the current processes involving paper files and removable digital media are far scarier (almost daily headlines)
Mobile can help to improve security:
 Secure email to any device (not the dreaded fax machine)
 Patient portal accessed by smart-phone (not paper mail)
 Remote access to the app (not the CD or memory stick)
 Addresses/combination codes to homes of the elderly on a secure tablet (not held on a paper printout)
Thanks for listening