NHS faces up to security challenge

The Government's NHS Plan sets out a number of bold objectives for the NHS, to which the Information for Health (IFH) strategy...

The Government's NHS Plan sets out a number of bold objectives for the NHS, to which the Information for Health (IFH) strategy responds with proposals for further overhaul and extension of the information management and technology (IMT) infrastructure to support those objectives.

Steve Daniels

Health service

Information, security and confidentiality feature strongly, and rely heavily on the introduction of an encryption policy and compliance with BS7799, the code of practice for information security management.

There is a general misconception, fuelled by high-profile security breaches and significant media focus, that the NHS has not been addressing the issues. The statement from the Data Protection Commission that it will be monitoring the NHS closely also emphasises that there is ground to be made up.

However, the NHS Information Authority (NHSIA) has a long-established programme that addresses the issues. This has been instrumental in establishing trained "Caldicott guardians" and "information security officers" within all NHS constituents. It has initiated information security risk assessments of such key programmes as NHSNet and the Strategic Tracing Service, and has supported NHS constituents in establishing the beginnings of a security culture.

The intention to adopt BS7799 will make this activity more transparent, by including security requirements for GP systems within the accreditation process, for example. It will also step up the rate of change by simplifying the task of compliance with the NHSNet Code of Connection for the NHS' "care partners".

Achieving compliance with BS7799 is not, however, a simple task. The standard requires proof of an information security management system (ISMS), to establish a continuous improvement cycle. It is not just a matter of implementing a range of technical measures.

The standard contains a series of control objectives, for which appropriate measures need to be derived via a structured and suitably detailed risk assessment. This is a task most NHS constituents have so far avoided.

The NHSIA has undertaken some assessments that are being shared with trusts but many NHS constituents have yet to be addressed. There is a strong case for central funding and facilitation of this process, which would be significantly cheaper than if each trust goes its own way.

Achieving compliance with the standard is, in practice, rarely achievable at the organisation level in a single pass. The standard's focus is on information points towards processes and thus progressive application.

The IFH update states that a comparison against the standard (a "gap analysis") is required by the middle of this year, with security improvement and a compliance audit being undertaken by the year's end. This timetable, similar to that of government in 2000, is very ambitious.

To address these issues, significant resources and central support systems within the NHSIA will be required. Such resources are scarce and typically trade at a price that the NHS is rarely prepared to pay. Internal resources are already stretched and most constituents will be concerned about the opportunity cost if those resources are transferred to a support task.

At present, the NHSIA's security infrastructure team is quite small and is unlikely to be able to deliver the level of support that NHStrusts will seek.

Even with all that addressed, NHS constituents have a final hurdle to overcome. No amount of good practice and advice can deliver security if the personnel who make up the organisation do not adopt it.

There is little doubt that clinical and nursing staff feel more vulnerable and under attack than ever before. Perceived constraints on their working practices will need to be sold well, and more actively enforced than has been the case to date.

The adoption of BS7799 by the NHS is to be welcomed, but the challenge it entails is significant. Let us hope that the real commitment and resources needed, will be found.

Steve Daniels is principal consultant at Insight Consulting

Read more on Antivirus, firewall and IDS products