With cyberattacks like WannaCry grabbing the headlines and bringing the NHS under increased scrutiny, it is now essential that healthcare organisations have their affairs in order when it comes to security and data protection
In the wake of WannaCry, the NHS announced it will pledge £150m to bolster its defences amidst warning of possible future cyber-attacks. The Health and Social Care Network (HSCN) is a new data network that will enable health organisations to reliably access and share vital electronic information. NHS Digital, the body behind the HSCN has issued a mandate for all current customers connected to the N3 broadband network to onboard to the HSCN by August 2020.
For current customers, the migration to the HSCN will deliver as much as ten times greater bandwidth than the N3 network. Yet for new private sector health and social care organisations joining, this will be their first experience of a network of this complexity.
The HSCN will provide health and social care organisations with a reliable, flexible, and efficient service. However, it does not negate the fact that joining may be a daunting prospect for new entrants to the network – especially where security is concerned.
Organisations new to the HSCN may mistake reliability of the network for security, something that it does not provide any assurance for. Therefore, it is critical that new organisations accessing the network have a clear understanding of what accessing HSCN entails from a security and data protection perspective.
What do new organisations need to do?
The HSCN should not be considered a secure network. It does offer improved protection via Network Analytics Service (NAS), that monitors the network for suspicious behavior. However, it does not offer assurance. New organisations, predominantly those from the private sector, should treat the network almost as they would the internet and ensure data is appropriately encrypted in transit.
The NHS has made it clear that all connected organisations must risk assess their connection to the HSCN and safeguard any sensitive patient data. Existing N3 customers already comply with these expectations. Implementing an audit trail that assesses what data is being sent, how it is protected and why, will be key to ensuring patient data is secure.
What does the GDPR mean for the HSCN?
The GDPR (now implemented in the UK as the Data Protection Act 2018) is now in effect. Personal data and in particular, sensitive personal data are protected by the GDPR. This means that organisations using HSCN need to ensure that they are fully aware of the requirements for compliance, to avoid the possibility of penalties.
Concerns around the impact of the GDPR play more strongly here, particularly where Wide Area Networks (WANs) like HSCN are concerned. The scale of the network means that there is more data at risk. Therefore, each individual organisation must risk assess its use of HSCN to protect both its own data, with regard to the requirements of GDPR, as well as the possibility of negative repercussions on the wider HSCN community.
This decade has seen information security in the public sector move away from a rigid ‘command and control’ approach, based on central Government-issued policies and standards. This is empowering public sector organisations to make the choices on security that are best for their data and their organisations, rather than a ‘one size fits all’ approach. However, it does mean that responsibility is increasingly shared. But as the old adage goes, this will halve the problems. Not relying on a centralised security bureaucracy means individual organisations have full control, and therefore responsibility, for the protection of data they manage – ultimately aiding in the overall safeguarding of data on the HSCN and strengthening against data breaches.
With 12,000 customers migrating from the N3 network alone, and many new health and social care organisations joining the network for the first time, the pressure is on for a smooth transition phase. Those new entrants to the network can ensure that they put their best, most secure, foot forward through thorough risk assessment, and adequate technical and policy controls.
Principle Security Architect
Editor's Recommended Articles
Must Read >> Reskilling the cyber gap in the UK