A Glimpse into the Future of Data Compliance

Data protection laws do not stand still. As the volume of personal and sensitive data held by corporations and public sector agencies continues to increase, the risks to that information grow with it. The threats come from external attackers such as online fraudsters, from internal sources such as rogue employees, and from the simple carelessness of people who have legitimate access to the information.

It’s no surprise, then, that new data protection laws keep arriving to guard against new threats. Compliance with these laws can be a major headache for the organisations that are subject to them; however, doing nothing is never an option. Failing to comply leaves organisations open to fines and prosecution, and failing to protect data adequately puts them at risk of losing personal information, with a devastating impact on their reputation and, ultimately, their bottom line.

Electronic Patient Records – Security as a Matter of Life and Death

Perhaps the biggest security and compliance issue facing organisations working in the UK health sector is the introduction of electronic patient medical records. This is the latest part of the National Health Service’s (NHS) National Programme for IT (NPfIT), widely described as the biggest civilian IT project in history.

Last month, the Department of Health gave the project the green light, signalling the beginning of the centralisation of electronic medical records for all NHS patients in England.

The aim is to reduce bureaucracy and the time wasted transferring vital medical information between NHS professionals, and so to improve the quality of patient care. The records will hold core medical information such as current medication, allergies and adverse reactions, which makes them highly sensitive.

Because of the confidential nature of this data, every healthcare organisation that comes into contact with electronic patient records (EPRs) will have a duty to ensure that access to all health-related information is strictly controlled, and that the data itself is protected by robust encryption both at rest and in transit. Failing to do so will have serious consequences, potentially including civil and criminal proceedings, fines and a great deal of bad publicity.

Any organisation dealing with these records – be they hospitals, clinics, private healthcare providers or pharmaceutical firms – will be required to have appropriate safeguards in place. These requirements are likely to correspond to those required under US legislation, such as the Health Insurance Portability and Accountability Act (HIPAA).

The good news is that the experience of HIPAA, enacted in 1996, has driven the development of technologies designed specifically to protect sensitive medical data. Chief among these is full-disk encryption, which encrypts all data on a given device so that a lost or stolen laptop, tablet or smartphone does not expose personally identifiable information (PII). One caveat: disk encryption only protects a device that is powered off or locked, so it must be paired with screen locking, short idle timeouts and strong pre-boot or login authentication to be effective.

Beyond encrypting the hard drive, IT managers in medical organisations will also be required to implement strong authentication for access to devices and networks, so that only legitimately authorised staff can reach the data. A wide range of options exists, from complex passwords (which on their own remain a single factor) to hardware tokens, smart cards and biometrics, and combining two of these gives genuinely strong, multi-factor authentication.

Given that speed and ease-of-use are the prime raisons d’être of the electronic patient records system, IT departments may be wary of relying on complex, easily-forgotten passwords or on tokens that can almost be guaranteed to be misplaced at the most inopportune moment. Biometric authentication, which the user always carries with them, is therefore likely to be one of the most commonly used factors in access security systems, bearing in mind that a fingerprint is an identifier rather than a secret and cannot be changed if compromised, so it works best as one factor among two. Whatever authentication method or methods are chosen, they will also need to be applied consistently to every application and network that holds sensitive data.

One obvious problem with robust authentication is that it relies on the human factor: the right person must be present in order to access the electronic health information. When that member of staff is off-duty, sick or otherwise unavailable, there is a considerable risk of delay in reaching crucial medical data, such as adverse reactions to certain medications. It is no exaggeration to suggest that in the medical world this could literally be the difference between life and death. It’s vital, then, that organisations retain the ability to recover access to managed computers and systems, for example through centrally escrowed encryption keys and audited break-glass accounts, even when those systems are protected by the strongest authentication and encryption.

Electronic patient records have the potential to bring much greater efficiency and lower costs to the NHS, enabling staff to access information at the touch of a button instead of requesting paper copies from remote surgeries. As with every migration to electronic data, however, they will also bring new information security challenges that must be addressed from the very beginning. The good news for organisations in the health sector is that reliable and proven technology already exists; the choice therefore comes down to usability, security and value-for-money over the whole lifecycle.

A Tougher Data Protection Regime for Law Enforcement Agencies

It is a founding principle of modern democratic states that nobody is above the law, least of all the law enforcement agencies or judiciary of the state. Yet in the UK, government bodies have increasingly fallen foul of data protection regulations, whether it is councils abusing the Regulation of Investigatory Powers Act (RIPA) to snoop on residents, government departments losing unencrypted personal records, or police forces re-using private sector data.

This problem is not restricted to the UK, a fact recognised by European data commissioners at their conference this April. The conference, whose membership comprises the heads of each country’s data protection authority, including the UK’s information commissioner, Christopher Graham, called for data protection laws to be applied to law enforcement in the same way that they are currently applied to business and civil matters.

Many will be surprised that these laws are not already applied to, or complied with by, law enforcement. Putting judgement aside for the moment, the main implication of a tougher data protection regime will be a requirement for police and law enforcement agencies to implement new security standards that protect citizens’ information against unauthorised access.

Effectively, this means giving police records the same level of access protection and disk encryption that are implemented by large enterprises. However, there are two key issues that law enforcement agencies must take into account: mobility and cost.

Since the 2010 Comprehensive Spending Review, UK government policy in all areas has been focused on paring back expenditure as much as possible, while also seeking new ways to make the public sector workforce more efficient. In order to make workers more productive, the government is increasingly enabling employees, including the police, to access data remotely.

Law enforcement agencies must therefore ensure that strong authentication is used every time a user accesses sensitive information from a mobile device or from outside the main office, for example over a Virtual Private Network (VPN) connection. Given the extremely sensitive and confidential nature of the data police handle, mobile and remote authentication needs to be at least as robust as enterprise-grade systems. It must also be highly reliable and must not be cumbersome or time-consuming for officers to use in the field, which suggests that biometrics-based authentication may hold an advantage over technologies that require officers to remember complex passwords or constantly carry security tokens.

The second issue, cost, will also govern which security technologies law enforcement agencies adopt to protect data. Even in a climate of government budget cuts, the increasing pressure from the EU’s data commissioners, coupled with the public’s rising concern over the use of their personal data, makes it unlikely that law enforcement agencies will be able to continue without implementing proper protection practices.

Preparing for EU Data Breach Laws

The European Union (EU) already has a broad suite of data protection laws with which member states must comply. Two of the most wide-ranging pieces of legislation in recent years have been the European Data Protection Directive and the subsequent ePrivacy Directive, which dictate how organisations must protect the sensitive data that they hold or transmit.

Data protection in the EU is, as in most jurisdictions, a constantly evolving process, so it’s important that organisations prepare for the next addition to European data law. The most likely addition is a mandatory data breach notification law, championed by no less a figure than Peter Hustinx, the European Data Protection Supervisor (EDPS).

Hustinx argues that strengthening citizens’ rights over their personal data requires a new framework, one that must include incentives for data controllers in all organisations to build data protection into their business processes proactively.

While such a law is not yet on the statute books, it is a likelihood for which organisations would do well to prepare: not only will preparing give them time to implement the best systems to ensure compliance, it will also protect them from the fallout, both legal and financial, of losing sensitive or personal information.

The business case alone should be enough to convince organisations to implement robust protection of their data. In 2011 a study of US companies by the Ponemon Institute found the average organisational cost of a data breach was US$7.2m, costing companies an average of US$214 per compromised record, an increase of 5% over the previous year’s study.

Any organisation holding large volumes of sensitive information is at risk of a serious and costly data breach, whether from external attack, insider theft or simply the carelessness of employees. All that is necessary for a breach is a single person with the wrong access privileges and the intent, or the carelessness, to misuse them. This threat has increased the importance of strong authentication, which supplements or replaces simple passwords with additional factors to prevent unauthorised people from accessing information.

While strong authentication will help to achieve compliance with the proposed EU data breach law, it brings its own problems to the organisations that implement it, not least its impact on employees and everyday operations. Most strong authentication methods, such as complex passwords and tokens, suffer from drawbacks that can add significantly to technology spend and sometimes detract from the overall effectiveness of IT security: tokens can be lost, complex passwords are more likely to be written down, and help desks become burdened with password resets and with token or card inventorying and re-provisioning.

This is in no way intended to paint strong authentication as an evil. The inconvenience of implementing robust authentication is far outweighed by the potential cost of a serious data breach. What is more, biometric technology such as fingerprint readers has matured to the point where it is a reliable and increasingly affordable method of strong authentication that avoids most of the traditional problems of passwords and tokens, although it introduces considerations of its own, such as false acceptance and rejection rates, spoofing resistance and the fact that a biometric cannot be reissued if it is compromised.

Whatever the method chosen, organisations that prepare for Hustinx’s proposed data breach law, and indeed for any future data protection legislation, will find themselves in a strong position if they begin assessing and selecting their authentication technology now, ensuring that they are both compliant and protected.
