Data Security Is More Important Than Ever: Our Response To The Third Caldicott Report

Authors: David Houlding, Chris Horner

Those following the healthcare news, especially in the U.K., will have heard about the release of the much-anticipated Caldicott Report on 6th July. This Review of Data Security, Consent and Opt-Outs is the third report from Dame Fiona Caldicott in her role as the National Data Guardian, and like its predecessors it makes recommendations “aimed at strengthening the safeguards for keeping health and care information secure and ensuring the public can make informed choices about how their data is used.”

At Intel we welcome the findings of the report. We have long worked with the NHS to improve data security in all areas, but we’re also aware that there is still much work to be done, as the report makes clear. According to the Information Commissioner's Office, the healthcare sector had the nation’s worst record for data breaches, with 184 reported in the final quarter of 2015 alone. Already this year, Chelsea and Westminster Hospital NHS Foundation Trust has been fined £180,000 for accidentally leaking the email addresses of HIV patients, and Walsall Healthcare NHS Trust has come under fire for a similar mistake. We see ransomware as a growing threat, too. In a survey we conducted in April this year, 50 percent of U.S. hospitals had been targeted in the past year. For further reading, this blog from our own Johan Linden has more about how hospitals in the Nordic countries are taking action against ransomware.

The Caldicott report makes it clear that it is “about trust.” Indeed, it found that: “There is a high degree of public trust in the NHS to safeguard people’s data. People want reassurance about security when data is being moved outside the NHS, and some want harsher sanctions for or malicious breaches.” The report itself recommends stronger sanctions to protect anonymised data, to include “criminal penalties for deliberate and negligent re-identification of individuals.” With the EU’s introduction of the General Data Protection Regulation in April, the maximum penalty for serious infringements will rise to €20 million, or 4 percent of an organization’s turnover—whichever is higher. Experts predict the NHS will have to fall in line with this, regardless of Britain’s future relationship with the EU.

The report therefore establishes three “Obligations” for NHS leaders, one each for people, processes and technology, along with a set of Data Security Standards to ensure that improvements can be made. The third obligation is particularly relevant to readers of this blog.

Leadership Obligation 3: Technology: Ensure technology is secure and up-to-date.

Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate.

Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.

We’re pleased to say that we’re already working with several NHS trusts across the country to improve their security, with very positive results so far. The first step for any trust is to take part in one of our free, confidential Healthcare Breach Security Assessments. Our security experts will meet with you for a one-hour workshop to assess your organization’s breach security and benchmark it against the healthcare industry. A comprehensive report from this assessment shows your maturity, priorities and capabilities and how they compare with other NHS trusts and the rest of the industry. This report highlights where you may be over- or under-prioritizing various breach types, and opportunities for improvement. It also includes an action plan to help you improve your security posture, reduce the risk of breaches, and implement the procedures and technologies needed to do that. For example, there are still thousands of PCs across the NHS running unsupported operating systems and browsers, such as Windows XP. It’s important to remember that Microsoft no longer provides patches for this operating system. It was also simply not built with today’s constantly evolving and ever-increasing threat landscape in mind. Numerous security holes have been discovered in Windows XP since Microsoft stopped supporting it.
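One practical way to audit an estate against Data Security Standard 8 is to compare a device inventory with vendor end-of-support dates and flag anything past its date, or anything the audit does not recognise. The script below is an added example, not Intel’s or any NHS trust’s own tooling: the inventory rows, hostnames and product names are constructed, and the end-of-support dates are taken from the vendors’ lifecycle announcements and should be checked against those pages before the table is relied on.

```python
"""Audit a device inventory against Data Security Standard 8
(no unsupported operating systems, software or browsers in the IT estate)."""
import csv
import io
from datetime import date

# Vendor end-of-support dates (end of extended support). None means the
# product was still in support on every date this example checks. Verify
# against the vendor's lifecycle pages before using this in a real audit.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows vista": date(2017, 4, 11),
    "windows 7": date(2020, 1, 14),
    "windows 10": None,
    "internet explorer 8": date(2016, 1, 12),
    "internet explorer 11": None,
}

# Constructed sample inventory: hostnames and the embedded OS are invented.
SAMPLE_INVENTORY = """hostname,os,browser
WARD-PC-01,Windows XP,Internet Explorer 8
PACS-SRV-02,Windows Server 2003,
RECEPTION-03,Windows 7,Internet Explorer 11
LAB-04,Windows 10,Internet Explorer 11
ULTRASOUND-05,Vendor Embedded OS,
"""


def classify(product, as_of):
    """Return 'unsupported', 'supported' or 'unknown' for one product name."""
    key = product.strip().lower()
    if key not in END_OF_SUPPORT:
        return "unknown"  # never silently pass software the audit cannot place
    eol = END_OF_SUPPORT[key]
    return "unsupported" if eol is not None and eol <= as_of else "supported"


def audit(inventory_csv, as_of_iso):
    """Group every (host, product) pair that needs attention as of a date."""
    as_of = date.fromisoformat(as_of_iso)
    findings = {"unsupported": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for column in ("os", "browser"):
            product = row.get(column, "").strip()
            if not product:
                continue  # blank cell: no browser recorded for this host
            status = classify(product, as_of)
            if status != "supported":
                findings[status].append((row["hostname"], product))
    return findings


if __name__ == "__main__":
    for status, items in audit(SAMPLE_INVENTORY, "2016-07-06").items():
        for host, product in items:
            print(f"{status:12} {host:14} {product}")
```

Hosts in the “unknown” group need a human decision (a vendor-supported embedded system, or an asset that was never catalogued) rather than an automatic pass.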

We’re also making our hardware more secure. The 6th generation Intel® Core™ processors have hardware-level security features like Intel® Software Guard Extensions (SGX)—a set of new CPU instructions that can be used by applications to set aside private regions of code and data. This forms part of our end-to-end approach to hardware-enhanced security. We aim to:

  • Improve usability by accelerating encryption and putting more authentication into hardware, such as fingerprint sensors. These are now part of a laptop rather than a peripheral, making laptops more mobile.
  • Make hardware and software more resilient to the sophisticated cyber-attacks of today and tomorrow.
  • Reduce the cost of security by embedding more security features and capabilities in the hardware and consolidating, integrating, and automating processes.
  • Cover the entire compute continuum. Security is about making sure there are no weak links. If your data is secure on a laptop, an attacker will target your server. Intel spans the whole environment from the Internet of Things (IoT) to the cloud to secure all links of the compute continuum.

If the latest Caldicott report has prompted you to reconsider how you look at data security, please get in touch. To learn more about your breach security maturity, priorities, and capabilities and how they compare with other NHS trusts and the broader healthcare industry, see Intel.com/BreachSecurity or contact us at BreachSecurity@Intel.com for your free, confidential, one-hour workshop.