
Data Security: How can healthcare organisations defend themselves from cyber attacks? Presented by Dan Taylor, Head of Security, NHS Digital’s Data Security Centre.


1 Data Security: How can healthcare organisations defend themselves from cyber attacks? Presented by Dan Taylor, Head of Security, NHS Digital’s Data Security Centre

2 National Data Guardian Review
National Data Guardian recommendations

3 National Data Guardian Review
The NDG Review can be found here. Published 6th July 2016; public consultation through to September 2016.
Key data security themes:
- Leadership and board-level ownership is key to good data security
- Leadership should own and be responsible for data security as they are for clinical and financial standards
- DH & its ALBs need to enable health and care to develop a better culture of data security
- 10 Data Standards have been proposed as a minimum bar for health and care

4 Leadership is Key to Delivering the Standards
- Leadership Obligation 1, People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles. Enabling Standards 1-3.
- Leadership Obligation 2, Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses. Enabling Standards 4-7.
- Leadership Obligation 3, Technology: Ensure technology is secure and up to date. Enabling Standards 8-10.

5 What are we protecting ourselves from?
Known threats and challenges in Health & Care

6 The Cyber Trap
“It’s all about technology…”
“It’s about our ICT department or IG Lead…”
“It won’t happen to us…”
Don’t make the mistake of leaving the data security of the many to the few: the IT people, the secure areas and the IG Leads. It starts with leadership and personal responsibility.
- Own the issue at senior leadership level
- Empower through training and learning; personal responsibility in data security

7 The threat is real and in the public domain
An iNews article on the 10th October 2016 regarding data security in health and care alleged:
- NHS trusts serving millions of patients have been hit by “ransomware” attacks in the past 12 months
- A minimum of nearly 30 NHS trusts in England have been the victim of ransomware attacks in the last year
On 31st October, BBC News reported on North Lincs & Goole: a virus infected systems and services; operations, outpatients & diagnostics were cancelled for three days.
Impact to the organisation if this wasn’t blocked
Timeline of an attack - Papworth

8 NHS Digital – Seeing the Threat & Reacting
CareCERT Broadcast Impact: In early December 2015, N3 Gateview network monitoring identified that 141 sites had been infected by Dridex malware. CareCERT broadcast a specific national threat advisory, resulting in a much lower infection rate than pre-broadcast and statistically insignificant reinfections. Using the tooling, individual infected organisations were identified and contacted directly to remove infections.

9 Known Data Security Challenges
- Unsupported OS and browsers
- Inappropriate staff training
- Poor leavers, movers and changes process for staff
- Too many privileged system accesses
- Significantly reduced investment funding
- Limited situational awareness of cyber preparedness locally
- Social engineering - sophisticated spear phishing

10 Balancing data security & patient care
Diagram: the data security triad (Availability, Integrity, Confidentiality) balanced against the patient care triad (Trust, Safe care, Timely care).

11 Balancing data security & patient care
Diagram: the patient care triad (Timely care, Safe care, Trust).

12 Balancing data security & patient care
Diagram: Availability, Integrity and Confidentiality overlaid on Timely care, Safe care and Trust.

13 The Role of NHS Digital And how they support the Data Security Standards

14 NHS Digital’s Role in Data Security
NHS Digital’s Data Security Centre, the services it implements for health and care, and the support and guidance it offers to the system should be:
- Non-regulatory; NHS Digital is not a regulator but an enabler to the 2 million+ employees in the system to provide better data security
- A leader in data security; the place the wider health and care system comes to for advice, guidance and support
- The gateway to the National Cyber Security Centre; distilling best practice and working with NCSC on improving the UK response to cyber threat
- The trusted centre for threat intelligence for the system and sector-wide incident management
Name change – change of focus to become part of health and care

15 CareCERT Intelligence
Provides cyber security threat intelligence and guidance to appropriate professionals across health & care.
- Consumes threat intelligence from a number of sources, undertaking the appropriate analysis and triage, identifying threats that could impact health & care
- Broadcast to key contacts and published via the CareCERT Information Sharing Portal, including up-to-date mitigation/remediation advice
Includes:
- Incident management for system-wide cyber attack
- Protective monitoring of HSCIC systems and services

16 CareCERT Intelligence – what it does
1. Data is received into CareCERT from various sources (BT, ATI, NCSC, N3 data, ALBs, H&C)
2. Data analysis by the CareCERT team
3. If a threat could affect H&C, it is triaged for severity (likelihood against impact: high, medium or low risk)
4. Broadcast issued (type dependent on severity)

17 Working in Partnership with NCSC
- The National Cyber Security Centre (NCSC) was launched in October 2016
- Health and the Ministry of Defence retain dedicated satellite operations for data security; the remainder has been brought into NCSC
- CareCERT is the front door for services and support from NCSC
- NCSC and CareCERT share information, guidance and intelligence to enrich health and wider government cyber response and preparedness
- Regular engagement and knowledge sharing sessions between staff
- NCSC knowledge and expertise support health and care initiatives such as the IGT Refresh and CareCERT Knowledge
- New CareCERT services are built with NCSC advice and guidance

18 NHS Digital Enabling Better Data Security
And how they support the Data Security Standards

19 Cyber Security Defence in Depth
- People, e.g. correct security clearances, education, training, understanding personal responsibility and building a security culture
- Technology, e.g. access controls/passes, network technology, system access, patching and encryption
- Process, e.g. adherence to robust business processes, defined security policies, incident management process

20 Something to Consider
“If you want to stop a break-in, it’s not the colour of the burglar’s balaclava that matters, it’s whether the front door is locked and the alarm is set…”

21 Enabling Data Security in Health & Care
People
- CareCERT Knowledge – online data security training, security and information assurance guidance, data security use cases and lessons
- Data Security Campaign – raising awareness and engaging, driving the leadership agenda but also personal responsibility
Process
- CareCERT React – advice and guidance for if and when the worst happens
- CareCERT Assure – cyber preparedness assessment at a local level
- Toolkit – an evolved IGT, changing culture and embedding the NDG standards
Technology
- CareCERT Intelligence – proactive advice and remediation on threats
- N3/HSCN Network Monitoring – stopping network threats as they happen
- Cyber Tech Fund – investing in local and national initiatives driving preparedness

22 Defence in Depth
Diagram: layers from proactive to reactive.
- Data Security/IG Toolkit – information management, training portal, changing culture, contractual levers & incentives
- CareCERT Assure, CareCERT Intelligence and the Cyber Capital Fund – removing vulnerabilities
- Network Monitoring – blocking threats
- CareCERT React – reducing impact
- CareCERT Knowledge – continually learning & improving

23 The Current Push Model

24 Creating a Pull Model Toolkit
The aim is to reduce the burden on organisations while increasing the value of the toolkit, enabling organisations to deliver safer solutions and meet the NDG data security standards. This means reducing duplication and simplifying the process of maintaining the toolkit. A refreshed toolkit needs to drive regular improvement; it should sit on the leadership agenda, driving KPIs to show progress. The services offered by the centre should support the ten data standards, which will be embedded in the toolkit.

25 Toolkit – key dates
Subject to the outcome of the Government consultation:
- 2016/17: Business as usual - submit evidence to the current IG toolkit website by 31 March 2017. Continued maintenance of the current BAU Toolkit.
- First release of the new product will be available for input in April 2017
- The transition plan to the new product will be agreed
- Early adopter product available in autumn 2017
- Full roll out of the new product by April 2018

26 CareCERT delivery timescales
Assure
- March 2017: 90 organisations from discovery phase complete
- April 2017: Discovery phase complete and assessment model finalised
- March 2018: Target >90% of Trusts completed*
Intelligence
- Existing live service will continue
React
- November 2016: 110 organisations in proof of concept
- July 2017: All health & care included in full roll out
Knowledge
- March 2017: Review of all material complete
- July 2017: New knowledge portal launched
- November 2017: >95% of health & care employees completed data security training
*dependent on future funding after FY 16/17

27 Learning Lessons of Programmes Past
- Building services driven by user need
- Listening to the market and what it can support us to deliver
- Not afraid to fail fast, learn, evolve and deliver new and different services
- CareCERT React and Assure proof of concepts: constrained scope of delivery and limited investment prior to full roll out; lessons absorbed from our users, offerings potentially changed as evidence is consumed; ensures a right-first-time national roll out
- Don’t over promise and under deliver

28 One More Thing…or Four
Some final advice:
- Invest in people; personal responsibility in data security is key
- Be part of free initiatives such as CareCERT and CareCERT Assure now (contact us to find out more); use and benefit from the advice and guidance of CareCERT React and CareCERT Knowledge later this year
- Don’t fall into the trap of thinking that cyber security doesn’t affect patient care or patient wellbeing; it does, and it is…as we have seen
- Don’t entrust the security of the many to the few. We’re all on the hook to enhance what we do
