Commenting on yesterday's story, in which BlockMaster CSO Anders Pettersson claimed that the security industry should come together to educate NHS trusts and other organisations on simple measures to protect data, ESET director of malware intelligence David Harley claimed that the problems within the NHS are more deep-rooted than a lack of education, given that the organisation has over a million employees and thousands of sites.
Harley claimed that the need for education is ‘fair enough, given the constant emphasis in the media on leakage incidents from the NHS and other public sector organisations’, but he believed that it stems from a very simplistic perception of both the NHS and its security problems.
“There's a very English perception of the NHS either as a monolithic organisation or as a collection of loosely coupled hospitals and doctors' surgeries. Actually, it's both and neither. For a start, there are a great many people working for the NHS who don't work in hospitals and surgeries: there's an immense support system that most people are not really aware of,” said Harley.
He claimed that figures such as 1.25 to 1.4 million employees, around three million network nodes and 9,000 to 10,000 sites are sometimes quoted. Educating all those people at all those end sites is not a matter of simply writing a pamphlet and holding a couple of seminars.
Although he said that he believes that the security industry does have a responsibility to make good information available and raise the general level of education, the NHS is ‘not fully staffed with IT illiterates’.
Harley claimed that over the past decade it appeared to be taken as read in the corridors of power that the NHS should not be involved in hands-on security, at any rate as a central function. Instead, a model came in whereby end-site security was essentially the responsibility of the end sites, responsibility for outsourced services lay with the service provider, and the Information Governance team at NHS Connecting for Health would essentially concentrate on the security of central applications.
Harley said: “One of the by-products of this approach is that NHS organisations of any size are supposed to have specialised staff such as data protection officers, who would deal with the requirements of the Data Protection Act and related issues, and information governance managers who tend to be tasked with the whole range of security management.
“If some of them fail to convey messages about security and data protection to everyone they work with, is that because they're naive incompetents, or is it because they're struggling to keep up with the inconsistent demands imposed from above?”
He concluded by claiming that while most people do have a sense of morality and conscience and can come together in the public interest, people are not always impartial. He recommended looking through the AMTSO guide as a good starting point for educating its users.
“Indeed, it will work for organisations outside the UK and Europe (many European countries have similar legislation to the Data Protection Act, based on EC directive 95/46/EC) because it focuses on general principles, not on a single technical solution. That's where responsibility starts, and that's the first step towards effective security,” said Harley.