Comment: Locking down data access in the NHS

Published: 5-Sep-2017

Following the WannaCry cyber attack, Matt Lock of Varonis looks at how NHS trusts can bolster security and why hospitals must understand how users are interacting with data

Matt Lock, director of sales engineers at cyber security specialist Varonis, explores the security risks of more-interconnected IT systems within the NHS and asks: are we sacrificing security in the interests of convenience?

Since May’s WannaCry ransomware attack, there has been heightened scrutiny on the processes and security protections in place to protect the NHS’s IT systems and critical data.

Given that the NHS holds sensitive data on more than 54 million individuals – which is more than many of the largest corporate organisations – assessing and closing any data security gaps must be a priority.

Sadly, cyber criminals show no signs of giving up. Most recently, NHS Lanarkshire was again hit by a ransomware attack, demonstrating the impact of such breaches on the data and systems of a critical sector.

With the implementation of the EU General Data Protection Regulation (GDPR) now less than a year away, there’s an added impetus for trusts to ensure that sensitive data – from patient records to research – is safeguarded from insider threats and cyber attacks.

It’s never been more important to take control of information assets and one of the first steps to stronger data protection is managing access controls.

NHS trusts need to verify that only the right people have access to data, remove users that no longer need access, and maintain a ‘least privilege’ model to keep data secure.

Oversubscribed data

One of the challenges facing the NHS – as with many other sectors – is the need to make data available and easily accessible.

The ongoing digital transformation across the sector means that more systems have been integrated so that data and information can flow freely. This brings clear benefits in terms of ease of administration and management from centrally controlled repositories. However, we also must ask if this approach is the safest route when it comes to protecting data.

There are security risks inherent in the shift towards greater accessibility. When security protections around this data are balanced against convenience, access to it often ends up over-subscribed.

A recent report found that the NHS is using very weak passwords and one in four user accounts grant access to sensitive patient files.

The report also found that 17% of active staff accounts had been unused in the previous 12 months.

Unfortunately, these sorts of data access control oversights are a problem across different sectors. In the 2017 Varonis Data Risk Report, we found that, similar to the NHS, 47% of organisations have at least 1,000 sensitive files open to every employee.

Of course, while many employees need to access sensitive information to do their jobs, the problem is that, over time, this sensitive information becomes exposed to more employees – and ‘permission creep’ sets in.

Access permissions can be set too broadly, often because IT and admin teams simply can’t keep up with the pace of internal changes.

However, exposing this type of data is a huge security risk. Not only can critical data and research be compromised, but personal data can be leveraged to breach more-secure systems.

The trend towards greater accessibility also means that, when an attack occurs, the attack surface is larger.

Once attackers have breached perimeter defences, if the security measures around data are not adequate, the door is open for them to access these sensitive data assets.

The implications of this are significant. In the case of a ransomware attack, for example, if the individual that is compromised has global access rights, all the data that they can access will be encrypted.

Data protection essentials

Given these heightened security risks, it’s essential for trusts to have a clear picture of where their most-sensitive information lives and who has access to it.

To avoid falling foul of regulations and to protect against cyber attacks, trusts must first define where their data is, then examine user behaviour to understand how it’s used and who needs access to it. Then it’s about putting in place defences.

You will need to define who has access to files and develop strategies to dispose of data that isn’t needed.

Maintain a least privilege model – so that only those that ‘need to know’ have access to data – and monitor file and user behaviour.

Good data protection strategies should also encompass strong processes to manage stale data and to de-activate accounts when users have left the organisation.

There’s always a balance to achieve when it comes to data accessibility and data protection. However, the trend towards data sharing and convenience means that more data is at risk when a hacker strikes.

With cyber attacks on the rise, and penalties for breaches about to get tougher next May, getting a handle on data protection and access controls must be at the top of the cyber security agenda.
