SlideShare ist ein Scribd-Unternehmen logo

Risk Assesment medical firm

Als DOCX, PDF herunterladen
M
Michael Exton BA (Hons), MSc
1 von 11
Risk Assessment - Cyber Security Capabilities – Community Paramedics 22nd November 2016 Author: Michael Exton, MSc Version: 2.0
2 Notice: This risk assessment was conducted and compiled by Michael Exton MSc on behalf of CommunityParamedics on a Pro Bono basis. Michael Exton completed his undergraduatedegreein History in 2014 from Plymouth University beforereading InternationalSecurityMSc at the University of Bristol 2015-2016. From 2014-2015Michaelworked for Lloyd’s Banking Group undertaking financial transactionsfor clients as well as conducting “KnowYour Customer” (KYC) checks, counter-fraud, and anti-moneylaundering operations. SinceSeptember 2016 Michael has worked with the Minister for the Constitution and Democratic EngagementChris SkidmoreMP.
3 CONTEXT – THEDATA PROTECTIONACT 1998 The Data ProtectionActexiststosafeguardthe informationandpersonal detailsof aBritishsubjectand controlsthe use of saidinformationbyorganisations,businesses,andthe government(Gov.uk,2016). Everyorganisation,business,orpersonwho hasaccessto sensitivepersonalinformation/datamust followthe regulations setoutinthe act (ibid). SENSITIVE PERSONAL DATA The Data ProtectionActdefinesSensitive Personal Dataasany of the following(TSO,2005: 3): A. The racial or ethnicoriginof the data subject B. The subject’spolitical opinions C. The subject’sreligiousbeliefsorotherbeliefsof asimilarnature D. Whetherthe subjectisa memberof a trade union(withinthe meaningof the Trade Unionand Labour Relations(Consolidation)Act1992) E. The subject’sphysical,mentalhealthorcondition F. The subject’ssexual life G. The commissionorallegedcommissionbythe subjectof anyoffence H. Anyproceedingsforanyoffence committedorallegedtohave beencommittedbythe subject, the disposal of such proceedingsorthe sentence of anycourtin such proceedings. While there are nopreciselydefinedpenaltiesforindividualsororganisationswhohave failedtoprotect the subject’s informationunderthe DPA 1998, failure tohave adequate protectioninplace canleadto lossof reputationaswell assevere financial penaltiesbeinglevelledagainst afirmfoundtobe inbreach of the act (DKLM, 2016) (Glenday,2013). DATA PROTECTION ACT REGULATIONS The DPA regulations mustbe strictlyadheredto.Failuretocomplywiththese regulationsmayresultina civil orcriminal lawsuitbeingfiled. The regulations are as follows: 1. All informationisusedfairlyandlawfully 2. All informationistobe usedforlimitedorspecificallystatedpurposes 3. All informationmustbe usedinawaythat is adequate,relevant,andnotexcessive 4. All informationmustbe accurate tothe bestof the subject’sandorganisationsability 5. All informationmustnotbe keptforlongerthanisabsolutelynecessary 6. All information mustbe handledaccordingtopeople’sdataprotectionrights 7. All informationmustbe keptsafe andsecure 8. All informationmust notbe transferredoutside the EuropeanEconomicAreawithoutadequate protection
4 These regulationsare applicable toall devicesusedbyanorganisationforprofessionalmeans,including hand-heldmobile devices. While the DPA doesnotrequire organisationstouse SecurityService level technologytoprotectthe information,itisstronglyrecommendedthat all devices,serversetc…are protectedbythe besttechnological servicesandencryptionthatthe companycan afford(ICO,2016). THEFIRSTPROTECTION PRINCIPLE In orderto be compliantwiththe DPA,the organisationhastoensure thatthe informationitholdsis used“fairlyandlawfully”. The ICO have confirmedthe following: “The Data ProtectionActdoesnotprohibitthe sharingof personal data [,] howeveran organisationwouldneedtocomplywithprinciple 1and satisfyaconditionforprocessingfrom Schedule 2.If the informationissensitive personal dataone conditionforprocessingwouldalso needtobe satisfiedfromSchedule3”(ICOLive chat, 2016) In layman’sterms,thismeansthat the organisation mustcomplywiththe followingregulationsif the organisationwishestodisclose clientinformation,eventothe clientthemselves (ICO,2016). The organisationmust: 1. Have legitimate groundsforcollectingandusingthe collectedpersonal data 2. Data will notbe usedinways that have unjustifiedadverseeffectsonthe individual(s) concerned 3. The organisationwill be transparentabouthow itintendstouse the dataand give individuals appropriate privacynoticeswhen collectingtheirpersonal data 4. The organisationwill handlepeople’spersonal dataonlyinwaystheywouldreasonablyexpect 5. The organisationis notdo anythingunlawful withthe data THESEVENTHPROTECTIONPRINCIPLE “The typical computernetworkisn'tlike a housewith windows,doors,and locks. It'smorelike a gauzetentencircled by a band of drunkteenagerswith lit matches”- RobertSteele,Chief Executive Officer,OpenSource Systems,FormerCIA analystandDeputyDirectorof the U.S. MarinesIntelligence Center As shownabove,the seventhmandatoryregulationlaidoutbythe DPA requiresthatall client informationmustbe keptina “safe”and “secure”environment. Thisisataskbecomingmore difficultby the hour,withmost IT and cyber-securityexpertsnow advisingthatitisimpossibletostophacking attemptsandthat effortsshouldbe divertedtocreatingasystemthat will notpreventanattackbut survive it. The formerDirectorof the FBI RobertMueller agreeswiththisprinciple and statedthatitwas an inevitabilitythatthe websitesandserversof private companieswouldbe hacked,sometimes repeatedly andthatriskmitigationwasthe onlysolution(Probasco,2015). Atthe same time,physical securitymustbe ensured.Itwouldbe a waste of valuable time,resources,andenergytodevelopa
5 state-of-the-artserversystemwithencryptionprotectionif someone inthe organisation’swork environmentcouldaccessanunlockedcomputerwhilethe employee wasabsentfromtheircomputer. In orderto mitigate risktowardsboththe organisationandclients,asdescribedbythe DPA: “Appropriate technical andorganisational measuresshall be takenagainstunauthorisedor unlawful processingof personal dataandagainstaccidental lossordestructionof,ordamage to, personal data”(DPA,2005) In layman’sterms,thismeansthatthe organisationmustdesignitssecuritymeasuresthatfitthe nature of the personal datathat isheld; ensure thatthe individual(s) responsible formaintainingsecurityknow whattheirresponsibilitiesentail;ensure thatthe correctphysical andtechnological securityisinplace back up byrobust policiesandprocedure;ensure staff are welltrainedand reliable;be readytoswiftly respondtoany securitybreach. PHYSICAL SECURITY Physical securityisanotherimportantfactorthatiscoveredbythe DPA and isjustas importantin maintainingthe securityof the organisationanditsclients. It ishighlyadvisable thatonlyauthorisedpersonscanalter,disclose,ordestroyclientand employee data; those authorisedstay withintheirremitanddonotact beyondthe scope of theirauthorityinthis regard;personal dataMUST be recoverable inthe case of loss,damage,ordestruction. The ICO stipulatesthat certainfactorsmustbe consideredandthe appropriate steps takenregardingthe physical securityof the organisation.It is,therefore, importanttoassessthe following(ICO,2016): 1. The nature and extentof the organisation’spremisesandcomputersystems 2. The numberof staff inthe organisationof workplace environment 3. The extentof accessto personal data In orderto preventphysical intrusionintothe organisation’ssystems,if passwordprotection isnot alreadyinplace,itis stronglyrecommendedthatthisisimplementedassoonaspossible.Password protectionshouldbe appliedatmultiplelevelstopreventeasyaccesstothe organisation’ssystem. If furtherprotectioncanbe appliedthisshouldbe taken(see listof recommendations). It isalso a goodideafor employeestobe aware of theirsurroundings.If anemployee noticesaperson displayingsuspiciousbehavioursoractivitieswhilepatientoremployeeinformationispresent,save the information,close the program,andpolitelyenquire whetheryoucanhelp. TECHNOLOGICAL SECURITY As well asemployeesbeingaware of theirsurroundings,technological securitymustalsobe ensured. The ICO recommendsthe following(ICO,2016): 1. Personal dataheldorusedby a thirdparty on the organisation’sbehalf (underthe Data ProtectionActyouare responsible forensuringthatanydata processoryouemployalso has appropriate security).
6 2. The organisation’scomputersecurityneedstobe appropriate tothe size anduse of the organisation’ssystems. 3. Technological developmentsshouldbe notedandconsideredhoweverthe organisation isalso entitledtoconsidercostswhendecidingwhatsecuritymeasurestotake. 4. The organisation’ssecuritymeasuresmust be appropriate toyourbusinesspractices. For example,if the organisationhave staff whoworkfromhome,measuresshouldbe in place to ensure thatthisdoesnot compromise security. 5. The measurestakenmustbe appropriate tothe nature of the personal datathe organisationholdsandtothe harm that couldresultfroma securitybreach. Note:Please be advisedthatthe greaterthe clientbase andstorage space,the more likelythat informationmaybe lost,misusedorcorrupted. THIRD PARTY DATA PROCESSORS AND SERVERS Organisationsunderthe DPA are entitledtouse thirdpartyserverstostore information.However,it shouldbe notedthatin the case of a cyber-attackor an accidentwhichresultsinthe lossor damage of personal datait isthe organisationandnotthe thirdparty thatwill be heldliable.Topreventthisfrom happeningandtodemonstrate compliancewiththe DPA The Act containsspecial provisionsthatapplyinthese circumstances.Itsays thatwhere youuse a data processor: 1. The organisationmustchoose a data processorthatprovidessufficientguaranteesaboutits securitymeasurestoprotectthe processingitwill doforthe organisation 2. Reasonable stepsmustbe takentocheckthat those securitymeasuresare beingputinto practice 3. There mustbe a writtencontractsettingoutwhat the data processorisallowedtodowiththe personal data.The contract must alsorequire the dataprocessorto take the same security measuresyouwouldhave totake if youwere processingthe datayourself. Althoughthismaybe time-consumingandfrustrating,itisvital thatacontract isdrawnup to protectthe organisationandthe serverproviderfromlegal actioninthe case of data loss. Please see belowforthe ICOapprovedmodel of thirdpartycontract. SECURITY ISSUES – DRUPAL PLATFORM Drupal has a strong and reliable reputationwithinthe ITcommunityandisgenerallyconsideredtobe a safe website platform,if notthe safest(Hubbard,2016).The platformisusedbyseveral major companiessuchas CNN,PayPal,andTwitteraswell asbeingusedbygovernmentofficesinmore than 150 countries(ibid) (Villorente,2013). As Drupal isan open-source software,unlike profit-drivencompanieswhoare compelledtohide securitybreaches,Drupal consistently workswithitsclientbase tolocate,isolate,andeliminate any vulnerabilitiesinthe site code thatmayarise.Drupal’stransparencyindealingwithsecurityissues,as
7 well asDrupal’sown in-house securityteamworkingwithDrupal users,typicallyresultsinissuesbeing fixedinamatter of hours.Drupal will thenrelease anupdate thatwill looktoprotectsitesfromthe mostrecentattack (Drupal,2016). It ishighlyadvisable thatyouupdate yoursystemwith evernew update to preventsecuritybreaches. NOTABLE BREACHES In October2014 Drupal reporteda securityissue thatwasranked“25/25” in seriousness.Thisinvolveda syndicate of hackers(currentlybelievedtobe freelance EasternEuropeancyber-criminals) beingable to exploitasingle lineof code togainentryto the platform (Burge,2014). Potentially,criminalscould completely take overanywebsite theyhadaccessto and exploitit. Thisattack was unusual asit tookthe hackersonly7 hoursto finda vulnerabilityandexploitit. Itisalso possible thatthe attackon Drupal was connectedtothe attemptedhack-attackonthe White House that occurredat the same period,withcertaindepartmentsof the USgovernmentalsousingDrupal (BBC, 2014). Owingto the technical skill of the hackers,the possibilityof Russiangovernmentinvolvement, and the rarity of such attacks happeningunderusual circumstances,itisunlikelythatattacksthisserious innature will occur ona regularbasis. More recently, inJuly2016 Drupal reportedthata breach that wasconsidered“20/25” severity was foundandwas similartothe previousattacke.g.attemptedtotake overcertainwebsites.However,the attack was swiftlyblockedandanewversion of Drupal releasedsoon afterwards. PROTOCOLSFOR A SECURITY BREACH As perthe DPA,the organisationisrequiredtohave a planinplace inorder to deal withmassdata loss. It isstronglyadvisedthatinternal issuesare dealtwithfirst, however,itisalsoexpectedthatthe appropriate people andorganisationsare informedof anybreaches,lossesetc…thatmay affectother organisations(ICO,2016). 1. Containmentandrecovery –the response tothe incidentshouldinclude arecoveryplanand, where necessary,proceduresfordamage limitation. 2. Assessingthe risks –the organisationshouldassessanyrisksassociatedwiththe breach,as these are likelytoaffecthowthe organisationproceedsonce the breachhasbeencontained.In particular, the organisation shouldassessthe potential adverse consequencesforindividuals; howseriousorsubstantial these are;andhow likelytheyare tohappen. 3. Notificationof breaches –the organisation shouldbe clearaboutwhoneedstobe notifiedand why in the eventof a breach.You should, forexample,considernotifyingthe individuals concernedsuchas the ICO; otherregulatorybodies;otherthirdpartiessuchasthe police,and the banks. 4. Evaluationandresponse –it isimportantthatthe organisation investigate the causesof the breachand alsoevaluate the effectivenessof the organisation’s responsetoit.If necessary, policiesandprocedures shouldbe updated accordingly.
8 Please see belowthe official documentationonreportingBreachManagement tothe ICOas well asa guide onhowto deal withbreachmanagement. RECOMMENDATIONS FOR FURTHER SECURITY MEASURES SmallercompaniesusingDrupal oftenfindthemselvesinaparadoxical situationwhenfacedwith securityissues.While the majorityof detectedhackerstargetlargercompaniesviaDrupal,itissmaller companiesthatare unable to buyand maintainalarge and dedicatedcyber-securityteamsthatare oftenaffected. It istherefore highlyrecommendedthatcertainsafetyprecautionsexisttopreventabreachof the companyserversor the DPA. Before readingthese recommendations,Istronglysuggestreadingthrough the official guide onthe DataProtectionActlaidout bythe ICO. 1. Reserve (Back Up) Servers:In orderto complywiththe SeventhProtectionPrincipleanydata that islost,altered,ordestroyedmustbe recoverable.Notonlywill the reserveserverensure the companyis fullycompliantwiththe DPA butwill alsopotentiallysave hundredsto thousandsof hoursre-recordingpatient/clientdetailsinthe case of massfile corruptionor deletion. 2. Consistentlyupdate systems:Hacks againstDrupal occur ona sporadicbasiswitheachnew attack resultinginanupdate beingreleasedsoonafter.Itishighlyadvisable thatyoucontinue to update yoursystemsasnewereditionsof Drupal will eliminate linesof vulnerable code that may be presentinolderversionsof the software. 3. Update passwords: It is advisable thatbothemployee andserverpasswordsare changedona regularbasis.Dependingonhowmuchthe organisationwill be affectedbyapassword transition,itwouldbe advisable tochange passwordseverymonth.If thisisnotpossible, attemptto change at the earliestopportunities 4. Improve Physical security:Owingto the nature of the storedinformationandthe “hotseat” environmentthatthe organisationisbasedin,all employeesshouldremembertolocktheir computerseverytime theyare absentfromtheircomputer,nomatterhow longthe employee will be absent 5. PhysicallySecure Passwords: A furthermethodof physical securitywouldbe investingina “Yubikey”passwordprotectiondevice.ThisdeviceisdesignedtofitintoUSBslotswitha single key programmedtomatch a single computer.Anemployee will keepthiskeyontheirperson (the device canbe attachedto a keyring) andaftertypingintheirusername andpasswordwill insertthe keyintotheircomputerandpressthe buttoninthe middle of the key.Thiswill create an encryptedandunique one time use passwordthatwill allow the employee toaccessthe system. Note: This isan advisorymeasure, subject to the organisational budget.Linkto website availablehere: https://www.yubico.com/ 6. Security MailingList: Anyone usingDrupal shouldsubscribe tothe securitymailinglist (by editingyouraccountprofile) inordertoautomaticallykeepuptodate withthe latest security advisories of all types. To subscribe tothe security mailinglist:login,goto your userprofile page andsubscribe tothe securitynewsletteronthe Edit» My newsletterstab.
9 7. Use of free EPCR (ElectronicPatient Care Record) apps and software: It is highlyrecommended againstusingfree EPCRprograms as the informationenteredwill be automaticallystoredand backedup ontothirdparty systems.These systemsmayormay not be encrypted whose administrators are undernoobligationtokeepthisinformationconfidential,whichcouldleadto patientfilesbeingsoldtoBigData companies.Thiswouldresultinthe organisationfailingto complywiththe DPA. It wouldalsobe extremelyilladvisedtoinstall theseprogramsonto personal devicesas these programsare notphysicallysecure andcouldleadtoincreasedriskof bothphysical andon-line datatheft. 8. Use of Personal Devices:Personal devicescanonlybe usedinincidenceswherepatient informationisnotsavedasa “cookie”or cached.Patient data therefore cannotbe recoverable once it issubmittedelectronically. There isaphysical riskforthe clientwhose informationis beinginput,howeverprovidednoinformationisretainedonthe phone aftersubmission,this riskis minimal. REFERENCES AND LINKS BBC, (2014) “White House ComputerNetwork‘Hacked’”,BBCNewsOnline,accessed21/11/2016, available at:http://www.bbc.co.uk/news/technology-29817644 Burge,S (2014) “8 Thingsto KnowAboutthe Drupal SecurityIssue”,accessed21/11/2016, available at: https://www.ostraining.com/blog/drupal/8-things-drupal-security/ The StationaryOffice (2005) “The Data ProtectionAct1998 – Amended2005”, accessed21/11/2016, available at:http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf Drupal SecurityTeam,(2016) “SecurityAdvisories”,Drupal,accessed21/11/2016, available at: https://www.drupal.org/documentation/is-drupal-secure DKLM Solicitors(2016) “Data ProtectionBreaches –RecentCases”,accessed21/11/2016, available at: http://www.dklm.co.uk/site/library/commercialgeneral/data_protection_breaches_recent_cases.html Glenday,J(2013) “Sonyfined£250k overData ProtectionActBreach” accessed21/11/2016, available at: http://www.thedrum.com/news/2013/01/24/sony-fined-250k-over-serious-data-protection-act- breach Gov.uk(2016) “The Data ProtectionAct”,accessed21/11/2016, available: https://www.gov.uk/data- protection/the-data-protection-act InformationCommissioner’s Office,(2016) “Guide to Data Protection –InformationSecurity(Principle 7)”, accessed21/11/2016, available at: https://ico.org.uk/for-organisations/guide-to-data- protection/principle-7-security/ Probasco,L (2015) “How Secure isYour Data inDrupal?And5 Essential SecurityTips”,accessed 21/11/2016, available at:https://pantheon.io/blog/secure-your-data-drupal Villorente,G(2013) “Why isDrupal Secure?”X-Team, accessed21/11/2016, available at: http://x- team.com/2014/02/why-is-drupal-secure/
10 dpa third party contract model.pdf ICO breach reporting.pdf APPENDICES Live Chat with an ICO advisor [1:38 PM] Michael Exton has joined the room [1:38 PM] ico_victoriap has joined the room [1:38 PM] ico_victoriap has joined the room [1:39 PM] ico_victoriap: Good Afternoon [1:40 PM] Michael Exton: Sorry about that, I was disconnected. Would it be possible to confirm that there is no differentiation between phones and computers regarding data input for the DPA 1998? [1:42 PM] ico_victoriap: Regardless of the way in which the personal data is stored it would still need to be kept secure, in line with principle 7 of the Act. It may be that different measures are taken with regards to this depending on where the data is stored. [1:43 PM] Michael Exton: Thank you for confirming that. [1:45 PM] Michael Exton: Further to that point, is there a software standard that the company must operate in order to be considered compliant? [1:45 PM] Michael Exton: We are currently using Drupal and would like to confirm this is acceptable. [1:48 PM] Michael Exton: I've been advised that in regards to your first point that none of the data that is taken on the mobile device is stored on that device; the information is sent to an encrypted server owned by the company. Is this still compliant? [1:48 PM] ico_victoriap: The Data Protection Act 1998 isn't specific with regards to this it just states Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data [1:53 PM] Michael Exton: Again, thanks for confirming. We can therefore, use any software, provided it is encrypted with a backup to prevent mass data loss without having to reach a certain technical limit. [1:56 PM] ico_victoriap: Our guidance with regards to encryption can be found on our website at the following link https://ico.org.uk/for-organisations/guide-to-data- protection/encryption/ As we are an independent regulator we do not endorse or recommend any products or services. [1:56 PM] ico_victoriap has joined the room [1:59 PM] Michael Exton: Thank you. Final query, will the company be able to give back confidential info of our client to the client (with their consent and limiting the information that we send to them e.g. if our company has provided medical services to that client, the info they will receive will only indicate that the client has received care but will not detail specifics?) [2:04 PM] ico_victoriap: The Data Protection Act does not prohibit the sharing of personal data however an organisation would need to comply with principle 1 and satisfy a condition for guidance on data security breach management.pdf Protecting Personal Data.pdf
11 processing from Schedule 2. If the information is sensitive personal data one condition for processing would also need to be satisfied from Schedule 3. Further guidance can be found on our website at the following link https://ico.org.uk/for- organisations/guide-to-data-protection/principle-1-fair-and-lawful/ [2:05 PM] Michael Exton: Thank you for confirming that. You have been most helpful. We will have a look at the links you have provided and will get back in contact if we have any more queries. [2:07 PM] ico_victoriap: Is there anything else I can help you with? [2:07 PM] Michael Exton: I think our questions have been answered for now. Thank you. [2:07 PM] Michael Exton has left the room

Empfohlen

Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...
ijtsrd
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
Lifeline Data Centers
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
RSIS International
 
Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009
Davis Wright Tremaine LLP
 
Fundamentals of Information Systems Security Chapter 4
Fundamentals of Information Systems Security Chapter 4Fundamentals of Information Systems Security Chapter 4
Fundamentals of Information Systems Security Chapter 4
Dr. Ahmed Al Zaidy
 
Sms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsSms compliance white paper for mobile communications
Sms compliance white paper for mobile communications
TextGuard
 
Varonis - DSS @VILNIUS 2010
Varonis - DSS @VILNIUS 2010Varonis - DSS @VILNIUS 2010
Varonis - DSS @VILNIUS 2010
Andris Soroka
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2
Dr. Ahmed Al Zaidy
 

Empfohlen

Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...
ijtsrd
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
Lifeline Data Centers
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
RSIS International
 
Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009Advisory April Showers 02.19.2009
Advisory April Showers 02.19.2009
Davis Wright Tremaine LLP
 
Fundamentals of Information Systems Security Chapter 4
Fundamentals of Information Systems Security Chapter 4Fundamentals of Information Systems Security Chapter 4
Fundamentals of Information Systems Security Chapter 4
Dr. Ahmed Al Zaidy
 
Sms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsSms compliance white paper for mobile communications
Sms compliance white paper for mobile communications
TextGuard
 
Varonis - DSS @VILNIUS 2010
Varonis - DSS @VILNIUS 2010Varonis - DSS @VILNIUS 2010
Varonis - DSS @VILNIUS 2010
Andris Soroka
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2
Dr. Ahmed Al Zaidy
 
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXWIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
IJNSA Journal
 
Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13
Dr. Ahmed Al Zaidy
 
18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You
Secure Islands - Data Security Policy
 
Corporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb? Corporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb?
Varonis
 
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...
at MicroFocus Italy ❖✔
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in India
Dinesh O Bareja
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
IJERA Editor
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11
Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 7
Fundamentals of Information Systems Security Chapter 7Fundamentals of Information Systems Security Chapter 7
Fundamentals of Information Systems Security Chapter 7
Dr. Ahmed Al Zaidy
 
DSS ITSEC Conference 2012 - Varonis Eliminating Data Security Threats
DSS ITSEC Conference 2012 - Varonis Eliminating Data Security ThreatsDSS ITSEC Conference 2012 - Varonis Eliminating Data Security Threats
DSS ITSEC Conference 2012 - Varonis Eliminating Data Security Threats
Andris Soroka
 
Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8
Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6
Dr. Ahmed Al Zaidy
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Joann Davis
 
Information Rights Management (IRM)
Information Rights Management (IRM)Information Rights Management (IRM)
Information Rights Management (IRM)
Network Intelligence India
 
Iso 27001 whitepaper
Iso 27001 whitepaperIso 27001 whitepaper
Iso 27001 whitepaper
Syzygal
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
IJNSA Journal
 
Fundamentals of Information Systems Security Chapter 5
Fundamentals of Information Systems Security Chapter 5Fundamentals of Information Systems Security Chapter 5
Fundamentals of Information Systems Security Chapter 5
Dr. Ahmed Al Zaidy
 
Policy on ia 1st assignment
Policy on ia 1st assignmentPolicy on ia 1st assignment
Policy on ia 1st assignment
Timir Shah
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance Guide
Rapid7
 
Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)
Manpreet Singh Sidhu
 
Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docx
bartholomeocoombs
 
Need for Data Protection Training - How E-learning Can Help?
Need for Data Protection Training - How E-learning Can Help?Need for Data Protection Training - How E-learning Can Help?
Need for Data Protection Training - How E-learning Can Help?
CommLab India – Rapid eLearning Solutions
 

Weitere ähnliche Inhalte

Was ist angesagt?

WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXWIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
IJNSA Journal
 
Corporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb? Corporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb?
Varonis
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
IJNSA Journal
 

Was ist angesagt? (20)

WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEXWIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX
 
Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13
 
18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You
 
Corporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb? Corporate Data: A Protected Asset or a Ticking Time Bomb?
Corporate Data: A Protected Asset or a Ticking Time Bomb?
 
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO...
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in India
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11
 
Fundamentals of Information Systems Security Chapter 7
Fundamentals of Information Systems Security Chapter 7Fundamentals of Information Systems Security Chapter 7
Fundamentals of Information Systems Security Chapter 7
 
DSS ITSEC Conference 2012 - Varonis Eliminating Data Security Threats
DSS ITSEC Conference 2012 - Varonis Eliminating Data Security ThreatsDSS ITSEC Conference 2012 - Varonis Eliminating Data Security Threats
DSS ITSEC Conference 2012 - Varonis Eliminating Data Security Threats
 
Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8
 
Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Information Rights Management (IRM)
Information Rights Management (IRM)Information Rights Management (IRM)
Information Rights Management (IRM)
 
Iso 27001 whitepaper
Iso 27001 whitepaperIso 27001 whitepaper
Iso 27001 whitepaper
 
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...
 
Fundamentals of Information Systems Security Chapter 5
Fundamentals of Information Systems Security Chapter 5Fundamentals of Information Systems Security Chapter 5
Fundamentals of Information Systems Security Chapter 5
 
Policy on ia 1st assignment
Policy on ia 1st assignmentPolicy on ia 1st assignment
Policy on ia 1st assignment
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance Guide
 
Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)Computer Emergency Response Team for Health Care Sector (CERT-H)
Computer Emergency Response Team for Health Care Sector (CERT-H)
 

Ähnlich wie Risk Assesment medical firm

Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docx
bartholomeocoombs
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
LizbethQuinonez813
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security small
Henry Worth
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_Intindolo
John Intindolo
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Security
ijtsrd
 
Iot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrptIot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrpt
Market Engel SAS
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)
Dr Dev Kambhampati
 

Ähnlich wie Risk Assesment medical firm (20)

Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docx
 
Need for Data Protection Training - How E-learning Can Help?
Need for Data Protection Training - How E-learning Can Help?Need for Data Protection Training - How E-learning Can Help?
Need for Data Protection Training - How E-learning Can Help?
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
 
Bring your own device guidance
Bring your own device guidanceBring your own device guidance
Bring your own device guidance
 
Cyber Security small
Cyber Security smallCyber Security small
Cyber Security small
 
Information security
Information securityInformation security
Information security
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
 
Data Privacy Introduction
Data Privacy IntroductionData Privacy Introduction
Data Privacy Introduction
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_Intindolo
 
Internet
InternetInternet
Internet
 
Ten Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things SecurityTen Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things Security
 
expert tips
expert tipsexpert tips
expert tips
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Security
 
150127iotrpt
150127iotrpt150127iotrpt
150127iotrpt
 
150127iotrpt
150127iotrpt150127iotrpt
150127iotrpt
 
Iot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrptIot report federal trade commission_150127iotrpt
Iot report federal trade commission_150127iotrpt
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)
 
Data Protection: Process Information
Data Protection: Process InformationData Protection: Process Information
Data Protection: Process Information
 

Risk Assesment medical firm

  • 1. Risk Assessment - Cyber Security Capabilities – Community Paramedics 22nd November 2016 Author: Michael Exton, MSc Version: 2.0
  • 2. 2 Notice: This risk assessment was conducted and compiled by Michael Exton MSc on behalf of CommunityParamedics on a Pro Bono basis. Michael Exton completed his undergraduatedegreein History in 2014 from Plymouth University beforereading InternationalSecurityMSc at the University of Bristol 2015-2016. From 2014-2015Michaelworked for Lloyd’s Banking Group undertaking financial transactionsfor clients as well as conducting “KnowYour Customer” (KYC) checks, counter-fraud, and anti-moneylaundering operations. SinceSeptember 2016 Michael has worked with the Minister for the Constitution and Democratic EngagementChris SkidmoreMP.
  • 3. 3 CONTEXT – THEDATA PROTECTIONACT 1998 The Data ProtectionActexiststosafeguardthe informationandpersonal detailsof aBritishsubjectand controlsthe use of saidinformationbyorganisations,businesses,andthe government(Gov.uk,2016). Everyorganisation,business,orpersonwho hasaccessto sensitivepersonalinformation/datamust followthe regulations setoutinthe act (ibid). SENSITIVE PERSONAL DATA The Data ProtectionActdefinesSensitive Personal Dataasany of the following(TSO,2005: 3): A. The racial or ethnicoriginof the data subject B. The subject’spolitical opinions C. The subject’sreligiousbeliefsorotherbeliefsof asimilarnature D. Whetherthe subjectisa memberof a trade union(withinthe meaningof the Trade Unionand Labour Relations(Consolidation)Act1992) E. The subject’sphysical,mentalhealthorcondition F. The subject’ssexual life G. The commissionorallegedcommissionbythe subjectof anyoffence H. Anyproceedingsforanyoffence committedorallegedtohave beencommittedbythe subject, the disposal of such proceedingsorthe sentence of anycourtin such proceedings. While there are nopreciselydefinedpenaltiesforindividualsororganisationswhohave failedtoprotect the subject’s informationunderthe DPA 1998, failure tohave adequate protectioninplace canleadto lossof reputationaswell assevere financial penaltiesbeinglevelledagainst afirmfoundtobe inbreach of the act (DKLM, 2016) (Glenday,2013). DATA PROTECTION ACT REGULATIONS The DPA regulations mustbe strictlyadheredto.Failuretocomplywiththese regulationsmayresultina civil orcriminal lawsuitbeingfiled. The regulations are as follows: 1. All informationisusedfairlyandlawfully 2. All informationistobe usedforlimitedorspecificallystatedpurposes 3. All informationmustbe usedinawaythat is adequate,relevant,andnotexcessive 4. All informationmustbe accurate tothe bestof the subject’sandorganisationsability 5. All informationmustnotbe keptforlongerthanisabsolutelynecessary 6. All information mustbe handledaccordingtopeople’sdataprotectionrights 7. All informationmustbe keptsafe andsecure 8. All informationmust notbe transferredoutside the EuropeanEconomicAreawithoutadequate protection
  • 4. 4 These regulationsare applicable toall devicesusedbyanorganisationforprofessionalmeans,including hand-heldmobile devices. While the DPA doesnotrequire organisationstouse SecurityService level technologytoprotectthe information,itisstronglyrecommendedthat all devices,serversetc…are protectedbythe besttechnological servicesandencryptionthatthe companycan afford(ICO,2016). THEFIRSTPROTECTION PRINCIPLE In orderto be compliantwiththe DPA,the organisationhastoensure thatthe informationitholdsis used“fairlyandlawfully”. The ICO have confirmedthe following: “The Data ProtectionActdoesnotprohibitthe sharingof personal data [,] howeveran organisationwouldneedtocomplywithprinciple 1and satisfyaconditionforprocessingfrom Schedule 2.If the informationissensitive personal dataone conditionforprocessingwouldalso needtobe satisfiedfromSchedule3”(ICOLive chat, 2016) In layman’sterms,thismeansthat the organisation mustcomplywiththe followingregulationsif the organisationwishestodisclose clientinformation,eventothe clientthemselves (ICO,2016). The organisationmust: 1. Have legitimate groundsforcollectingandusingthe collectedpersonal data 2. Data will notbe usedinways that have unjustifiedadverseeffectsonthe individual(s) concerned 3. The organisationwill be transparentabouthow itintendstouse the dataand give individuals appropriate privacynoticeswhen collectingtheirpersonal data 4. The organisationwill handlepeople’spersonal dataonlyinwaystheywouldreasonablyexpect 5. The organisationis notdo anythingunlawful withthe data THESEVENTHPROTECTIONPRINCIPLE “The typical computernetworkisn'tlike a housewith windows,doors,and locks. It'smorelike a gauzetentencircled by a band of drunkteenagerswith lit matches”- RobertSteele,Chief Executive Officer,OpenSource Systems,FormerCIA analystandDeputyDirectorof the U.S. MarinesIntelligence Center As shownabove,the seventhmandatoryregulationlaidoutbythe DPA requiresthatall client informationmustbe keptina “safe”and “secure”environment. Thisisataskbecomingmore difficultby the hour,withmost IT and cyber-securityexpertsnow advisingthatitisimpossibletostophacking attemptsandthat effortsshouldbe divertedtocreatingasystemthat will notpreventanattackbut survive it. The formerDirectorof the FBI RobertMueller agreeswiththisprinciple and statedthatitwas an inevitabilitythatthe websitesandserversof private companieswouldbe hacked,sometimes repeatedly andthatriskmitigationwasthe onlysolution(Probasco,2015). Atthe same time,physical securitymustbe ensured.Itwouldbe a waste of valuable time,resources,andenergytodevelopa
  • 5. 5 state-of-the-artserversystemwithencryptionprotectionif someone inthe organisation’swork environmentcouldaccessanunlockedcomputerwhilethe employee wasabsentfromtheircomputer. In orderto mitigate risktowardsboththe organisationandclients,asdescribedbythe DPA: “Appropriate technical andorganisational measuresshall be takenagainstunauthorisedor unlawful processingof personal dataandagainstaccidental lossordestructionof,ordamage to, personal data”(DPA,2005) In layman’sterms,thismeansthatthe organisationmustdesignitssecuritymeasuresthatfitthe nature of the personal datathat isheld; ensure thatthe individual(s) responsible formaintainingsecurityknow whattheirresponsibilitiesentail;ensure thatthe correctphysical andtechnological securityisinplace back up byrobust policiesandprocedure;ensure staff are welltrainedand reliable;be readytoswiftly respondtoany securitybreach. PHYSICAL SECURITY Physical securityisanotherimportantfactorthatiscoveredbythe DPA and isjustas importantin maintainingthe securityof the organisationanditsclients. It ishighlyadvisable thatonlyauthorisedpersonscanalter,disclose,ordestroyclientand employee data; those authorisedstay withintheirremitanddonotact beyondthe scope of theirauthorityinthis regard;personal dataMUST be recoverable inthe case of loss,damage,ordestruction. The ICO stipulatesthat certainfactorsmustbe consideredandthe appropriate steps takenregardingthe physical securityof the organisation.It is,therefore, importanttoassessthe following(ICO,2016): 1. The nature and extentof the organisation’spremisesandcomputersystems 2. The numberof staff inthe organisationof workplace environment 3. The extentof accessto personal data In orderto preventphysical intrusionintothe organisation’ssystems,if passwordprotection isnot alreadyinplace,itis stronglyrecommendedthatthisisimplementedassoonaspossible.Password protectionshouldbe appliedatmultiplelevelstopreventeasyaccesstothe organisation’ssystem. If furtherprotectioncanbe appliedthisshouldbe taken(see listof recommendations). It isalso a goodideafor employeestobe aware of theirsurroundings.If anemployee noticesaperson displayingsuspiciousbehavioursoractivitieswhilepatientoremployeeinformationispresent,save the information,close the program,andpolitelyenquire whetheryoucanhelp. TECHNOLOGICAL SECURITY As well asemployeesbeingaware of theirsurroundings,technological securitymustalsobe ensured. The ICO recommendsthe following(ICO,2016): 1. Personal dataheldorusedby a thirdparty on the organisation’sbehalf (underthe Data ProtectionActyouare responsible forensuringthatanydata processoryouemployalso has appropriate security).
  • 6. 6 2. The organisation’scomputersecurityneedstobe appropriate tothe size anduse of the organisation’ssystems. 3. Technological developmentsshouldbe notedandconsideredhoweverthe organisation isalso entitledtoconsidercostswhendecidingwhatsecuritymeasurestotake. 4. The organisation’ssecuritymeasuresmust be appropriate toyourbusinesspractices. For example,if the organisationhave staff whoworkfromhome,measuresshouldbe in place to ensure thatthisdoesnot compromise security. 5. The measurestakenmustbe appropriate tothe nature of the personal datathe organisationholdsandtothe harm that couldresultfroma securitybreach. Note:Please be advisedthatthe greaterthe clientbase andstorage space,the more likelythat informationmaybe lost,misusedorcorrupted. THIRD PARTY DATA PROCESSORS AND SERVERS Organisationsunderthe DPA are entitledtouse thirdpartyserverstostore information.However,it shouldbe notedthatin the case of a cyber-attackor an accidentwhichresultsinthe lossor damage of personal datait isthe organisationandnotthe thirdparty thatwill be heldliable.Topreventthisfrom happeningandtodemonstrate compliancewiththe DPA The Act containsspecial provisionsthatapplyinthese circumstances.Itsays thatwhere youuse a data processor: 1. The organisationmustchoose a data processorthatprovidessufficientguaranteesaboutits securitymeasurestoprotectthe processingitwill doforthe organisation 2. Reasonable stepsmustbe takentocheckthat those securitymeasuresare beingputinto practice 3. There mustbe a writtencontractsettingoutwhat the data processorisallowedtodowiththe personal data.The contract must alsorequire the dataprocessorto take the same security measuresyouwouldhave totake if youwere processingthe datayourself. Althoughthismaybe time-consumingandfrustrating,itisvital thatacontract isdrawnup to protectthe organisationandthe serverproviderfromlegal actioninthe case of data loss. Please see belowforthe ICOapprovedmodel of thirdpartycontract. SECURITY ISSUES – DRUPAL PLATFORM Drupal has a strong and reliable reputationwithinthe ITcommunityandisgenerallyconsideredtobe a safe website platform,if notthe safest(Hubbard,2016).The platformisusedbyseveral major companiessuchas CNN,PayPal,andTwitteraswell asbeingusedbygovernmentofficesinmore than 150 countries(ibid) (Villorente,2013). As Drupal isan open-source software,unlike profit-drivencompanieswhoare compelledtohide securitybreaches,Drupal consistently workswithitsclientbase tolocate,isolate,andeliminate any vulnerabilitiesinthe site code thatmayarise.Drupal’stransparencyindealingwithsecurityissues,as
  • 7. 7 well asDrupal’sown in-house securityteamworkingwithDrupal users,typicallyresultsinissuesbeing fixedinamatter of hours.Drupal will thenrelease anupdate thatwill looktoprotectsitesfromthe mostrecentattack (Drupal,2016). It ishighlyadvisable thatyouupdate yoursystemwith evernew update to preventsecuritybreaches. NOTABLE BREACHES In October2014 Drupal reporteda securityissue thatwasranked“25/25” in seriousness.Thisinvolveda syndicate of hackers(currentlybelievedtobe freelance EasternEuropeancyber-criminals) beingable to exploitasingle lineof code togainentryto the platform (Burge,2014). Potentially,criminalscould completely take overanywebsite theyhadaccessto and exploitit. Thisattack was unusual asit tookthe hackersonly7 hoursto finda vulnerabilityandexploitit. Itisalso possible thatthe attackon Drupal was connectedtothe attemptedhack-attackonthe White House that occurredat the same period,withcertaindepartmentsof the USgovernmentalsousingDrupal (BBC, 2014). Owingto the technical skill of the hackers,the possibilityof Russiangovernmentinvolvement, and the rarity of such attacks happeningunderusual circumstances,itisunlikelythatattacksthisserious innature will occur ona regularbasis. More recently, inJuly2016 Drupal reportedthata breach that wasconsidered“20/25” severity was foundandwas similartothe previousattacke.g.attemptedtotake overcertainwebsites.However,the attack was swiftlyblockedandanewversion of Drupal releasedsoon afterwards. PROTOCOLSFOR A SECURITY BREACH As perthe DPA,the organisationisrequiredtohave a planinplace inorder to deal withmassdata loss. It isstronglyadvisedthatinternal issuesare dealtwithfirst, however,itisalsoexpectedthatthe appropriate people andorganisationsare informedof anybreaches,lossesetc…thatmay affectother organisations(ICO,2016). 1. Containmentandrecovery –the response tothe incidentshouldinclude arecoveryplanand, where necessary,proceduresfordamage limitation. 2. Assessingthe risks –the organisationshouldassessanyrisksassociatedwiththe breach,as these are likelytoaffecthowthe organisationproceedsonce the breachhasbeencontained.In particular, the organisation shouldassessthe potential adverse consequencesforindividuals; howseriousorsubstantial these are;andhow likelytheyare tohappen. 3. Notificationof breaches –the organisation shouldbe clearaboutwhoneedstobe notifiedand why in the eventof a breach.You should, forexample,considernotifyingthe individuals concernedsuchas the ICO; otherregulatorybodies;otherthirdpartiessuchasthe police,and the banks. 4. Evaluationandresponse –it isimportantthatthe organisation investigate the causesof the breachand alsoevaluate the effectivenessof the organisation’s responsetoit.If necessary, policiesandprocedures shouldbe updated accordingly.
  • 8. 8 Please see belowthe official documentationonreportingBreachManagement tothe ICOas well asa guide onhowto deal withbreachmanagement. RECOMMENDATIONS FOR FURTHER SECURITY MEASURES SmallercompaniesusingDrupal oftenfindthemselvesinaparadoxical situationwhenfacedwith securityissues.While the majorityof detectedhackerstargetlargercompaniesviaDrupal,itissmaller companiesthatare unable to buyand maintainalarge and dedicatedcyber-securityteamsthatare oftenaffected. It istherefore highlyrecommendedthatcertainsafetyprecautionsexisttopreventabreachof the companyserversor the DPA. Before readingthese recommendations,Istronglysuggestreadingthrough the official guide onthe DataProtectionActlaidout bythe ICO. 1. Reserve (Back Up) Servers:In orderto complywiththe SeventhProtectionPrincipleanydata that islost,altered,ordestroyedmustbe recoverable.Notonlywill the reserveserverensure the companyis fullycompliantwiththe DPA butwill alsopotentiallysave hundredsto thousandsof hoursre-recordingpatient/clientdetailsinthe case of massfile corruptionor deletion. 2. Consistentlyupdate systems:Hacks againstDrupal occur ona sporadicbasiswitheachnew attack resultinginanupdate beingreleasedsoonafter.Itishighlyadvisable thatyoucontinue to update yoursystemsasnewereditionsof Drupal will eliminate linesof vulnerable code that may be presentinolderversionsof the software. 3. Update passwords: It is advisable thatbothemployee andserverpasswordsare changedona regularbasis.Dependingonhowmuchthe organisationwill be affectedbyapassword transition,itwouldbe advisable tochange passwordseverymonth.If thisisnotpossible, attemptto change at the earliestopportunities 4. Improve Physical security:Owingto the nature of the storedinformationandthe “hotseat” environmentthatthe organisationisbasedin,all employeesshouldremembertolocktheir computerseverytime theyare absentfromtheircomputer,nomatterhow longthe employee will be absent 5. PhysicallySecure Passwords: A furthermethodof physical securitywouldbe investingina “Yubikey”passwordprotectiondevice.ThisdeviceisdesignedtofitintoUSBslotswitha single key programmedtomatch a single computer.Anemployee will keepthiskeyontheirperson (the device canbe attachedto a keyring) andaftertypingintheirusername andpasswordwill insertthe keyintotheircomputerandpressthe buttoninthe middle of the key.Thiswill create an encryptedandunique one time use passwordthatwill allow the employee toaccessthe system. Note: This isan advisorymeasure, subject to the organisational budget.Linkto website availablehere: https://www.yubico.com/ 6. Security MailingList: Anyone usingDrupal shouldsubscribe tothe securitymailinglist (by editingyouraccountprofile) inordertoautomaticallykeepuptodate withthe latest security advisories of all types. To subscribe tothe security mailinglist:login,goto your userprofile page andsubscribe tothe securitynewsletteronthe Edit» My newsletterstab.
  • 9. 9 7. Use of free EPCR (ElectronicPatient Care Record) apps and software: It is highlyrecommended againstusingfree EPCRprograms as the informationenteredwill be automaticallystoredand backedup ontothirdparty systems.These systemsmayormay not be encrypted whose administrators are undernoobligationtokeepthisinformationconfidential,whichcouldleadto patientfilesbeingsoldtoBigData companies.Thiswouldresultinthe organisationfailingto complywiththe DPA. It wouldalsobe extremelyilladvisedtoinstall theseprogramsonto personal devicesas these programsare notphysicallysecure andcouldleadtoincreasedriskof bothphysical andon-line datatheft. 8. Use of Personal Devices:Personal devicescanonlybe usedinincidenceswherepatient informationisnotsavedasa “cookie”or cached.Patient data therefore cannotbe recoverable once it issubmittedelectronically. There isaphysical riskforthe clientwhose informationis beinginput,howeverprovidednoinformationisretainedonthe phone aftersubmission,this riskis minimal. REFERENCES AND LINKS BBC, (2014) “White House ComputerNetwork‘Hacked’”,BBCNewsOnline,accessed21/11/2016, available at:http://www.bbc.co.uk/news/technology-29817644 Burge,S (2014) “8 Thingsto KnowAboutthe Drupal SecurityIssue”,accessed21/11/2016, available at: https://www.ostraining.com/blog/drupal/8-things-drupal-security/ The StationaryOffice (2005) “The Data ProtectionAct1998 – Amended2005”, accessed21/11/2016, available at:http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf Drupal SecurityTeam,(2016) “SecurityAdvisories”,Drupal,accessed21/11/2016, available at: https://www.drupal.org/documentation/is-drupal-secure DKLM Solicitors(2016) “Data ProtectionBreaches –RecentCases”,accessed21/11/2016, available at: http://www.dklm.co.uk/site/library/commercialgeneral/data_protection_breaches_recent_cases.html Glenday,J(2013) “Sonyfined£250k overData ProtectionActBreach” accessed21/11/2016, available at: http://www.thedrum.com/news/2013/01/24/sony-fined-250k-over-serious-data-protection-act- breach Gov.uk(2016) “The Data ProtectionAct”,accessed21/11/2016, available: https://www.gov.uk/data- protection/the-data-protection-act InformationCommissioner’s Office,(2016) “Guide to Data Protection –InformationSecurity(Principle 7)”, accessed21/11/2016, available at: https://ico.org.uk/for-organisations/guide-to-data- protection/principle-7-security/ Probasco,L (2015) “How Secure isYour Data inDrupal?And5 Essential SecurityTips”,accessed 21/11/2016, available at:https://pantheon.io/blog/secure-your-data-drupal Villorente,G(2013) “Why isDrupal Secure?”X-Team, accessed21/11/2016, available at: http://x- team.com/2014/02/why-is-drupal-secure/
  • 10. 10 dpa third party contract model.pdf ICO breach reporting.pdf APPENDICES Live Chat with an ICO advisor [1:38 PM] Michael Exton has joined the room [1:38 PM] ico_victoriap has joined the room [1:38 PM] ico_victoriap has joined the room [1:39 PM] ico_victoriap: Good Afternoon [1:40 PM] Michael Exton: Sorry about that, I was disconnected. Would it be possible to confirm that there is no differentiation between phones and computers regarding data input for the DPA 1998? [1:42 PM] ico_victoriap: Regardless of the way in which the personal data is stored it would still need to be kept secure, in line with principle 7 of the Act. It may be that different measures are taken with regards to this depending on where the data is stored. [1:43 PM] Michael Exton: Thank you for confirming that. [1:45 PM] Michael Exton: Further to that point, is there a software standard that the company must operate in order to be considered compliant? [1:45 PM] Michael Exton: We are currently using Drupal and would like to confirm this is acceptable. [1:48 PM] Michael Exton: I've been advised that in regards to your first point that none of the data that is taken on the mobile device is stored on that device; the information is sent to an encrypted server owned by the company. Is this still compliant? [1:48 PM] ico_victoriap: The Data Protection Act 1998 isn't specific with regards to this it just states Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data [1:53 PM] Michael Exton: Again, thanks for confirming. We can therefore, use any software, provided it is encrypted with a backup to prevent mass data loss without having to reach a certain technical limit. [1:56 PM] ico_victoriap: Our guidance with regards to encryption can be found on our website at the following link https://ico.org.uk/for-organisations/guide-to-data- protection/encryption/ As we are an independent regulator we do not endorse or recommend any products or services. [1:56 PM] ico_victoriap has joined the room [1:59 PM] Michael Exton: Thank you. Final query, will the company be able to give back confidential info of our client to the client (with their consent and limiting the information that we send to them e.g. if our company has provided medical services to that client, the info they will receive will only indicate that the client has received care but will not detail specifics?) [2:04 PM] ico_victoriap: The Data Protection Act does not prohibit the sharing of personal data however an organisation would need to comply with principle 1 and satisfy a condition for guidance on data security breach management.pdf Protecting Personal Data.pdf
  • 11. 11 processing from Schedule 2. If the information is sensitive personal data one condition for processing would also need to be satisfied from Schedule 3. Further guidance can be found on our website at the following link https://ico.org.uk/for- organisations/guide-to-data-protection/principle-1-fair-and-lawful/ [2:05 PM] Michael Exton: Thank you for confirming that. You have been most helpful. We will have a look at the links you have provided and will get back in contact if we have any more queries. [2:07 PM] ico_victoriap: Is there anything else I can help you with? [2:07 PM] Michael Exton: I think our questions have been answered for now. Thank you. [2:07 PM] Michael Exton has left the room