Risk Assessment - Cyber Security Capabilities – Community Paramedics
22nd November 2016
Author: Michael Exton, MSc
Version: 2.0
Notice: This risk assessment was conducted and compiled by Michael Exton MSc on behalf of Community Paramedics on a Pro Bono basis.
Michael Exton completed his undergraduate degree in History in 2014 from Plymouth University before reading International Security MSc at the University of Bristol 2015-2016.
From 2014-2015 Michael worked for Lloyd’s Banking Group undertaking financial transactions for clients as well as conducting “Know Your Customer” (KYC) checks, counter-fraud, and anti-money laundering operations. Since September 2016 Michael has worked with the Minister for the Constitution and Democratic Engagement Chris Skidmore MP.
CONTEXT – THE DATA PROTECTION ACT 1998
The Data Protection Act exists to safeguard the information and personal details of a British subject and controls the use of said information by organisations, businesses, and the government (Gov.uk, 2016). Every organisation, business, or person who has access to sensitive personal information/data must follow the regulations set out in the act (ibid).
SENSITIVE PERSONAL DATA
The Data Protection Act defines Sensitive Personal Data as any of the following (TSO, 2005: 3):
A. The racial or ethnic origin of the data subject
B. The subject’s political opinions
C. The subject’s religious beliefs or other beliefs of a similar nature
D. Whether the subject is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992)
E. The subject’s physical or mental health or condition
F. The subject’s sexual life
G. The commission or alleged commission by the subject of any offence
H. Any proceedings for any offence committed or alleged to have been committed by the subject, the disposal of such proceedings or the sentence of any court in such proceedings.
While there are no precisely defined penalties for individuals or organisations who have failed to protect the subject’s information under the DPA 1998, failure to have adequate protection in place can lead to loss of reputation as well as severe financial penalties being levelled against a firm found to be in breach of the act (DKLM, 2016) (Glenday, 2013).
DATA PROTECTION ACT REGULATIONS
The DPA regulations must be strictly adhered to. Failure to comply with these regulations may result in a civil or criminal lawsuit being filed.
The regulations are as follows:
1. All information is used fairly and lawfully
2. All information is to be used for limited or specifically stated purposes
3. All information must be used in a way that is adequate, relevant, and not excessive
4. All information must be accurate to the best of the subject’s and organisation’s ability
5. All information must not be kept for longer than is absolutely necessary
6. All information must be handled according to people’s data protection rights
7. All information must be kept safe and secure
8. All information must not be transferred outside the European Economic Area without adequate protection
These regulations are applicable to all devices used by an organisation for professional means, including hand-held mobile devices. While the DPA does not require organisations to use Security Service level technology to protect the information, it is strongly recommended that all devices, servers etc. are protected by the best technological services and encryption that the company can afford (ICO, 2016).
THE FIRST PROTECTION PRINCIPLE
In order to be compliant with the DPA, the organisation has to ensure that the information it holds is used “fairly and lawfully”.
The ICO have confirmed the following:
“The Data Protection Act does not prohibit the sharing of personal data [,] however an organisation would need to comply with principle 1 and satisfy a condition for processing from Schedule 2. If the information is sensitive personal data one condition for processing would also need to be satisfied from Schedule 3” (ICO Live chat, 2016)
In layman’s terms, this means that the organisation must comply with the following regulations if the organisation wishes to disclose client information, even to the client themselves (ICO, 2016).
The organisation must:
1. Have legitimate grounds for collecting and using the collected personal data
2. Not use the data in ways that have unjustified adverse effects on the individual(s) concerned
3. Be transparent about how it intends to use the data and give individuals appropriate privacy notices when collecting their personal data
4. Handle people’s personal data only in ways they would reasonably expect
5. Not do anything unlawful with the data
THE SEVENTH PROTECTION PRINCIPLE
“The typical computer network isn't like a house with windows, doors, and locks. It's more like a gauze tent encircled by a band of drunk teenagers with lit matches” - Robert Steele, Chief Executive Officer, Open Source Systems, Former CIA analyst and Deputy Director of the U.S. Marines Intelligence Center
As shown above, the seventh mandatory regulation laid out by the DPA requires that all client information must be kept in a “safe” and “secure” environment. This is a task becoming more difficult by the hour, with most IT and cyber-security experts now advising that it is impossible to stop hacking attempts and that efforts should be diverted to creating a system that will not prevent an attack but survive it. The former Director of the FBI Robert Mueller agrees with this principle and stated that it was an inevitability that the websites and servers of private companies would be hacked, sometimes repeatedly, and that risk mitigation was the only solution (Probasco, 2015). At the same time, physical security must be ensured. It would be a waste of valuable time, resources, and energy to develop a state-of-the-art server system with encryption protection if someone in the organisation’s work environment could access an unlocked computer while the employee was absent from their computer.
In order to mitigate risk towards both the organisation and clients, as described by the DPA:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (DPA, 2005)
In layman’s terms, this means that the organisation must design security measures that fit the nature of the personal data that is held; ensure that the individual(s) responsible for maintaining security know what their responsibilities entail; ensure that the correct physical and technological security is in place, backed up by robust policies and procedures; ensure staff are well trained and reliable; and be ready to swiftly respond to any security breach.
PHYSICAL SECURITY
Physical security is another important factor that is covered by the DPA and is just as important in maintaining the security of the organisation and its clients.
It is highly advisable that only authorised persons can alter, disclose, or destroy client and employee data; that those authorised stay within their remit and do not act beyond the scope of their authority in this regard; and that personal data MUST be recoverable in the case of loss, damage, or destruction.
The ICO stipulates that certain factors must be considered and the appropriate steps taken regarding the physical security of the organisation. It is, therefore, important to assess the following (ICO, 2016):
1. The nature and extent of the organisation’s premises and computer systems
2. The number of staff in the organisation or workplace environment
3. The extent of access to personal data
In order to prevent physical intrusion into the organisation’s systems, if password protection is not already in place, it is strongly recommended that this is implemented as soon as possible. Password protection should be applied at multiple levels to prevent easy access to the organisation’s system. If further protection can be applied this should be taken (see list of recommendations).
It is also a good idea for employees to be aware of their surroundings. If an employee notices a person displaying suspicious behaviours or activities while patient or employee information is present, save the information, close the program, and politely enquire whether you can help.
TECHNOLOGICAL SECURITY
As well as employees being aware of their surroundings, technological security must also be ensured. The ICO recommends the following (ICO, 2016):
1. Personal data held or used by a third party on the organisation’s behalf must be protected (under the Data Protection Act you are responsible for ensuring that any data processor you employ also has appropriate security).
2. The organisation’s computer security needs to be appropriate to the size and use of the organisation’s systems.
3. Technological developments should be noted and considered; however, the organisation is also entitled to consider costs when deciding what security measures to take.
4. The organisation’s security measures must be appropriate to your business practices. For example, if the organisation has staff who work from home, measures should be in place to ensure that this does not compromise security.
5. The measures taken must be appropriate to the nature of the personal data the organisation holds and to the harm that could result from a security breach.
Note: Please be advised that the greater the client base and storage space, the more likely that information may be lost, misused or corrupted.
THIRD PARTY DATA PROCESSORS AND SERVERS
Organisations under the DPA are entitled to use third party servers to store information. However, it should be noted that in the case of a cyber-attack or an accident which results in the loss or damage of personal data it is the organisation and not the third party that will be held liable. To prevent this from happening and to demonstrate compliance with the DPA, the organisation should follow the special provisions that the Act contains for these circumstances. The Act says that where you use a data processor:
1. The organisation must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do for the organisation
2. Reasonable steps must be taken to check that those security measures are being put into practice
3. There must be a written contract setting out what the data processor is allowed to do with the personal data. The contract must also require the data processor to take the same security measures you would have to take if you were processing the data yourself.
Although this may be time-consuming and frustrating, it is vital that a contract is drawn up to protect the organisation and the server provider from legal action in the case of data loss.
Please see below for the ICO approved model of third party contract.
SECURITY ISSUES – DRUPAL PLATFORM
Drupal has a strong and reliable reputation within the IT community and is generally considered to be a safe website platform, if not the safest (Hubbard, 2016). The platform is used by several major companies such as CNN, PayPal, and Twitter as well as being used by government offices in more than 150 countries (ibid) (Villorente, 2013).
As Drupal is open-source software, unlike profit-driven companies who are compelled to hide security breaches, Drupal consistently works with its client base to locate, isolate, and eliminate any vulnerabilities in the site code that may arise. Drupal’s transparency in dealing with security issues, as well as Drupal’s own in-house security team working with Drupal users, typically results in issues being fixed in a matter of hours. Drupal will then release an update that will look to protect sites from the most recent attack (Drupal, 2016). It is highly advisable that you update your system with every new update to prevent security breaches.
NOTABLE BREACHES
In October 2014 Drupal reported a security issue that was ranked “25/25” in seriousness. This involved a syndicate of hackers (currently believed to be freelance Eastern European cyber-criminals) being able to exploit a single line of code to gain entry to the platform (Burge, 2014). Potentially, criminals could completely take over any website they had access to and exploit it.
This attack was unusual as it took the hackers only 7 hours to find a vulnerability and exploit it. It is also possible that the attack on Drupal was connected to the attempted hack-attack on the White House that occurred in the same period, with certain departments of the US government also using Drupal (BBC, 2014). Owing to the technical skill of the hackers, the possibility of Russian government involvement, and the rarity of such attacks happening under usual circumstances, it is unlikely that attacks this serious in nature will occur on a regular basis.
More recently, in July 2016 Drupal reported that a breach that was considered “20/25” severity was found and was similar to the previous attack, e.g. attempting to take over certain websites. However, the attack was swiftly blocked and a new version of Drupal released soon afterwards.
PROTOCOLS FOR A SECURITY BREACH
As per the DPA, the organisation is required to have a plan in place in order to deal with mass data loss. It is strongly advised that internal issues are dealt with first; however, it is also expected that the appropriate people and organisations are informed of any breaches, losses etc. that may affect other organisations (ICO, 2016).
1. Containment and recovery – the response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.
2. Assessing the risks – the organisation should assess any risks associated with the breach, as these are likely to affect how the organisation proceeds once the breach has been contained. In particular, the organisation should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
3. Notification of breaches – the organisation should be clear about who needs to be notified and why in the event of a breach. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; and other third parties such as the police and the banks.
4. Evaluation and response – it is important that the organisation investigate the causes of the breach and also evaluate the effectiveness of the organisation’s response to it. If necessary, policies and procedures should be updated accordingly.
Please see below the official documentation on reporting Breach Management to the ICO as well as a guide on how to deal with breach management.
RECOMMENDATIONS FOR FURTHER SECURITY MEASURES
Smaller companies using Drupal often find themselves in a paradoxical situation when faced with security issues. While the majority of detected hackers target larger companies via Drupal, it is smaller companies, which are unable to buy and maintain a large and dedicated cyber-security team, that are often affected.
It is therefore highly recommended that certain safety precautions exist to prevent a breach of the company servers or the DPA. Before reading these recommendations, I strongly suggest reading through the official guide on the Data Protection Act laid out by the ICO.
1. Reserve (Back Up) Servers: In order to comply with the Seventh Protection Principle any data that is lost, altered, or destroyed must be recoverable. Not only will the reserve server ensure the company is fully compliant with the DPA but it will also potentially save hundreds to thousands of hours re-recording patient/client details in the case of mass file corruption or deletion.
2. Consistently update systems: Hacks against Drupal occur on a sporadic basis with each new attack resulting in an update being released soon after. It is highly advisable that you continue to update your systems as newer editions of Drupal will eliminate lines of vulnerable code that may be present in older versions of the software.
3. Update passwords: It is advisable that both employee and server passwords are changed on a regular basis. Depending on how much the organisation will be affected by a password transition, it would be advisable to change passwords every month. If this is not possible, attempt to change them at the earliest opportunity.
4. Improve Physical security: Owing to the nature of the stored information and the “hot seat” environment that the organisation is based in, all employees should remember to lock their computers every time they are absent from their computer, no matter how long the employee will be absent.
5. Physically Secure Passwords: A further method of physical security would be investing in a “Yubikey” password protection device. This device is designed to fit into USB slots with a single key programmed to match a single computer. An employee will keep this key on their person (the device can be attached to a keyring) and, after typing in their username and password, will insert the key into their computer and press the button in the middle of the key. This will create an encrypted and unique one-time-use password that will allow the employee to access the system.
Note: This is an advisory measure, subject to the organisational budget. Link to website available here: https://www.yubico.com/
6. Security Mailing List: Anyone using Drupal should subscribe to the security mailing list (by editing your account profile) in order to automatically keep up to date with the latest security advisories of all types.
To subscribe to the security mailing list: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
7. Use of free EPCR (Electronic Patient Care Record) apps and software: It is highly recommended against using free EPCR programs as the information entered will be automatically stored and backed up onto third party systems. These systems may or may not be encrypted, and their administrators are under no obligation to keep this information confidential, which could lead to patient files being sold to Big Data companies. This would result in the organisation failing to comply with the DPA. It would also be extremely ill advised to install these programs onto personal devices as these programs are not physically secure and could lead to increased risk of both physical and on-line data theft.
8. Use of Personal Devices: Personal devices can only be used in instances where patient information is not saved as a “cookie” or cached. Patient data therefore cannot be recoverable once it is submitted electronically. There is a physical risk for the client whose information is being input; however, provided no information is retained on the phone after submission, this risk is minimal.
REFERENCES AND LINKS
BBC (2014) “White House Computer Network ‘Hacked’”, BBC News Online, accessed 21/11/2016, available at: http://www.bbc.co.uk/news/technology-29817644
Burge, S. (2014) “8 Things to Know About the Drupal Security Issue”, accessed 21/11/2016, available at: https://www.ostraining.com/blog/drupal/8-things-drupal-security/
The Stationery Office (2005) “The Data Protection Act 1998 – Amended 2005”, accessed 21/11/2016, available at: http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf
Drupal Security Team (2016) “Security Advisories”, Drupal, accessed 21/11/2016, available at: https://www.drupal.org/documentation/is-drupal-secure
DKLM Solicitors (2016) “Data Protection Breaches – Recent Cases”, accessed 21/11/2016, available at: http://www.dklm.co.uk/site/library/commercialgeneral/data_protection_breaches_recent_cases.html
Glenday, J. (2013) “Sony fined £250k over Data Protection Act Breach”, accessed 21/11/2016, available at: http://www.thedrum.com/news/2013/01/24/sony-fined-250k-over-serious-data-protection-act-breach
Gov.uk (2016) “The Data Protection Act”, accessed 21/11/2016, available at: https://www.gov.uk/data-protection/the-data-protection-act
Information Commissioner’s Office (2016) “Guide to Data Protection – Information Security (Principle 7)”, accessed 21/11/2016, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
Probasco, L. (2015) “How Secure is Your Data in Drupal? And 5 Essential Security Tips”, accessed 21/11/2016, available at: https://pantheon.io/blog/secure-your-data-drupal
Villorente, G. (2013) “Why is Drupal Secure?”, X-Team, accessed 21/11/2016, available at: http://x-team.com/2014/02/why-is-drupal-secure/
APPENDICES
Live Chat with an ICO advisor
[1:38 PM] Michael Exton has joined the room
[1:38 PM] ico_victoriap has joined the room
[1:39 PM] ico_victoriap: Good Afternoon
[1:40 PM] Michael Exton: Sorry about that, I was disconnected. Would it be possible to confirm that there is no
differentiation between phones and computers regarding data input for the DPA
1998?
[1:42 PM] ico_victoriap: Regardless of the way in which the personal data is stored it would still need to be
kept secure, in line with principle 7 of the Act. It may be that different measures are
taken with regards to this depending on where the data is stored.
[1:43 PM] Michael Exton: Thank you for confirming that.
[1:45 PM] Michael Exton: Further to that point, is there a software standard that the company must operate in
order to be considered compliant?
[1:45 PM] Michael Exton: We are currently using Drupal and would like to confirm this is acceptable.
[1:48 PM] Michael Exton: I've been advised that in regards to your first point that none of the data that is taken
on the mobile device is stored on that device; the information is sent to an encrypted
server owned by the company. Is this still compliant?
[1:48 PM] ico_victoriap: The Data Protection Act 1998 isn't specific with regards to this it just states
Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data
[1:53 PM] Michael Exton: Again, thanks for confirming. We can therefore, use any software, provided it is
encrypted with a backup to prevent mass data loss without having to reach a certain
technical limit.
[1:56 PM] ico_victoriap: Our guidance with regards to encryption can be found on our website at the following link https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/ As we are an independent regulator we do not endorse or recommend any products or services.
[1:56 PM] ico_victoriap has joined the room
[1:59 PM] Michael Exton: Thank you. Final query, will the company be able to give back confidential info of
our client to the client (with their consent and limiting the information that we send to
them e.g. if our company has provided medical services to that client, the info they
will receive will only indicate that the client has received care but will not detail
specifics?)
[2:04 PM] ico_victoriap: The Data Protection Act does not prohibit the sharing of personal data however an organisation would need to comply with principle 1 and satisfy a condition for processing from Schedule 2. If the information is sensitive personal data one condition for processing would also need to be satisfied from Schedule 3. Further guidance can be found on our website at the following link https://ico.org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/
[2:05 PM] Michael Exton: Thank you for confirming that. You have been most helpful. We will have a look at
the links you have provided and will get back in contact if we have any more
queries.
[2:07 PM] ico_victoriap: Is there anything else I can help you with?
[2:07 PM] Michael Exton: I think our questions have been answered for now. Thank you.
[2:07 PM] Michael Exton has left the room