This week, the NHS reported a data leak incident to the Information Commissioner’s Office, putting third-party contractor cybersecurity risks in the spotlight.
What happened?
A former employee of PSL Print Management, a consultancy used by the NHS, requested all emails and text messages regarding his employment at the company. PSL obliged, but sent him a USB stick that seemingly contained the company’s entire email server contents, including thousands of patient letters that contained the PII of these patients.
According to sources, the confidential files included hospital appointment letters for women who had suffered miscarriages, test results of cervical screening exams and letters to parents of children needing urgent surgery at Alder Hey Children’s Hospital in Liverpool.
Some of the information dated back to 2015. This is despite data protection laws requiring that medical data be deleted as soon as it is no longer needed.
The ICO announced this week that it has launched an investigation.
The IT Security Guru asked a selection of experts for their opinions on the matter:
Roger A. Grimes, data-driven security evangelist at KnowBe4:
“It appears [the contractors] were sending out too much information in addition to the requested information… it was possibly all emails from an email server. It’s a pretty bad mistake. With that said, it isn’t known if this is a one-time mistake or was it done more times? Mistakes happen. Or was it a procedural error that was accidentally done over and over? Was it ever sent to someone who then took unauthorised advantage of the information? Not all data breaches are equal. You have to look at the intent of the parties involved with the breach. If all involved parties had good faith and didn’t spread the information beyond the initial incident, then the overall harm was very low. This isn’t a classical breach in the sense that a malicious actor broke into a network and stole information to do bad things. This was a well-intentioned person who accidentally sent too much information. And instead of using the information in an unauthorised way, they reported the breach. All things considered, if this is a one-time event, it’s not the worst thing I’ve read about. Even if it happened more than once… as long as the information was not used in an unauthorised manner beyond the unintentional data leak. The vendor should absolutely investigate how it was allowed to happen and put in policy, tools, and education to make sure it doesn’t happen again.”
Robert Byrne, field strategist at One Identity:
“There was a failure of Data Governance and oversight procedures here. Encryption for mail and attachments is common, so the main issue here seems to have been a failure to separate operational level access and data level access. In other words, a privileged operations user was able to export mail and content in clear and export it to a USB stick, all without appropriate oversight. Normal procedure would be to separate those privileges or at least ensure that the relevant data owner approved the data transfer. Clear separation of duties, especially for privileged administrative staff, combined with periodic data access reviews have been shown to significantly reduce the risk of data leaks such as this.”
Martin Jartelius, CSO at Outpost24:
“We have several problems to address that contributed to the massive NHS leak. Firstly, evidently patient data is sent unencrypted via email between employees. This is not an acceptable practice. Secondly, those emails are then retained on the personal accounts for a very long duration even though they contain this sensitive data. Thirdly, the emails are clearly retained beyond the end of employment in an accessible format, otherwise it would not have been possible to accidentally include other individuals’ emails. Fourthly, when extracting those emails on the former employee’s request, the information retained in the emails has not been reviewed for patient confidentiality. There are likely more issues here, but those are the most apparent ones, taking the available information at face value.”
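The two failures Jartelius lists last, retention beyond need and a subject access export that was never reviewed for other people’s data, are the ones a control can catch mechanically before a USB stick leaves the building. The script below is an added illustration written for this article, not code from the NHS, PSL or any of the quoted vendors. It works over a constructed mailbox export with fictitious addresses and synthetic NHS numbers: it keeps only messages the requester was party to, routes anything carrying a valid NHS number to a confidentiality review instead of straight release, and separately flags patient data older than a retention cutoff that should already have been deleted. The modulus-11 check digit is the real NHS number scheme; the cutoff date and the mailbox layout are assumptions for the example.

```python
import re
from datetime import date

# Constructed sample mailbox export: fictitious addresses and bodies, not data from
# the incident. The NHS numbers are synthetic; 943 476 5919 carries a valid check
# digit, 943 476 5918 does not.
REQUESTER = "former.employee@example.invalid"
RETENTION_CUTOFF = date(2018, 1, 1)  # assumed policy date for the example
MAILBOX = [
    {"id": 1, "date": date(2019, 3, 4), "from": REQUESTER, "to": ["hr@example.invalid"],
     "body": "Please confirm my leaving date."},
    {"id": 2, "date": date(2019, 3, 5), "from": "hr@example.invalid", "to": [REQUESTER],
     "body": "Confirmed, your last day is 29 March."},
    {"id": 3, "date": date(2015, 6, 1), "from": "print@example.invalid",
     "to": ["clinic@example.invalid"],
     "body": "Appointment letter batch attached. NHS Number: 943 476 5919"},
    {"id": 4, "date": date(2019, 2, 20), "from": "clinic@example.invalid", "to": [REQUESTER],
     "body": "Reprint needed for patient 943 476 5919, letter attached."},
    {"id": 5, "date": date(2019, 1, 10), "from": "ops@example.invalid", "to": [REQUESTER],
     "body": "Ref 943 476 5918 looks like a typo in the batch file."},
]

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens, as NHS numbers are printed.
NHS_NUMBER_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")


def is_valid_nhs_number(candidate: str) -> bool:
    """NHS number modulus-11 check: weight the first nine digits 10 down to 2,
    take 11 minus (sum mod 11); a result of 11 means 0, a result of 10 is invalid."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == digits[9]


def find_patient_identifiers(text: str) -> list:
    """Candidate NHS numbers in text that pass the check digit; the check cuts
    false positives from phone numbers and reference codes of the same length."""
    return [m.group(0) for m in NHS_NUMBER_RE.finditer(text)
            if is_valid_nhs_number(m.group(0))]


def involves_requester(msg: dict, requester: str) -> bool:
    return msg["from"] == requester or requester in msg["to"]


def triage_dsar_export(mailbox: list, requester: str, retention_cutoff: date) -> dict:
    """Sort a mailbox export into what a subject access request may release directly,
    what needs a confidentiality review first, what is excluded because the requester
    was not party to it, and which messages hold patient data older than the retention
    cutoff and should already have been deleted."""
    result = {"release": [], "review": [], "excluded": [], "stale_patient_data": []}
    for msg in mailbox:
        identifiers = find_patient_identifiers(msg["body"])
        if identifiers and msg["date"] < retention_cutoff:
            result["stale_patient_data"].append(msg["id"])
        if not involves_requester(msg, requester):
            result["excluded"].append(msg["id"])
        elif identifiers:
            result["review"].append(msg["id"])
        else:
            result["release"].append(msg["id"])
    return result


def run_triage() -> dict:
    """Triage the constructed mailbox for the sample requester."""
    return triage_dsar_export(MAILBOX, REQUESTER, RETENTION_CUTOFF)


if __name__ == "__main__":
    print(run_triage())
```

On the sample data the two employment emails and the typo message (whose number fails the check digit) are releasable, message 4 goes to review because it names another person’s NHS number, and message 3 is both outside the requester’s correspondence and flagged as patient data retained past the cutoff. A pattern match alone is a coarse filter; in practice the review queue, not the regex, is the control that stops other patients’ letters leaving with an export.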
Felix Rosbach, product manager at comforte AG:
“The shocking data breach affecting the tens of thousands of NHS patients might make you question whether healthcare providers are serious about data privacy and security. This report should trigger alarm bells within the healthcare sector. After all, it is difficult to grasp a situation in which thousands of subjects have had their most personal and sensitive health information compromised.
“The more these types of data breaches occur, the more the general public understands that protecting borders and perimeters around sensitive data isn’t enough—effective data security needs to be applied directly to sensitive information in the form of data-centric security, including methods such as tokenisation or format-preserving encryption. By tokenising patient information as soon as it enters the data ecosystem, these organisations can continue to work with sensitive data in its protected state due to data format preservation. Better yet, if (or when) threat actors gain access to tokenised data, they cannot comprehend it or leverage it for personal gain or other nefarious purposes. If a healthcare organisation isn’t actively assuming the worst and exploring data-centric security to protect patient data, the long-term prognosis doesn’t look good.”
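Rosbach’s point is that a token keeps the format of the value it replaces, so letter-printing and appointment systems keep working while the mapping back to the real identifier lives only in a vault. The toy vault-backed tokeniser below is an added example for this article, not comforte’s or any vendor’s implementation, and it deliberately uses random same-shape tokens rather than a format-preserving cipher such as FF1 so the idea stays visible. The sample appointment record and its NHS number are constructed; the field names are assumptions.

```python
import secrets
import string


class TokenVault:
    """Toy vault-backed tokeniser (added example, not a product implementation).
    Each sensitive value is swapped for a random token of the same shape (digit
    for digit, letter for letter, separators kept), so downstream systems that
    expect that format keep working. The only way back is the vault mapping;
    an exported or leaked copy carries nothing but tokens."""

    def __init__(self):
        self._token_for = {}   # original value -> token
        self._value_for = {}   # token -> original value

    @staticmethod
    def _same_class_char(c: str) -> str:
        if c.isdigit():
            return secrets.choice(string.digits)
        if c.isupper():
            return secrets.choice(string.ascii_uppercase)
        if c.islower():
            return secrets.choice(string.ascii_lowercase)
        return c  # spaces, hyphens and other separators are preserved

    def tokenize(self, value: str) -> str:
        """Consistent tokenisation: the same value always maps to the same token,
        so records can still be joined and de-duplicated on the token."""
        if not any(c.isalnum() for c in value):
            raise ValueError("nothing to tokenise")
        if value in self._token_for:
            return self._token_for[value]
        while True:
            token = "".join(self._same_class_char(c) for c in value)
            if token != value and token not in self._value_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the original."""
        return self._value_for[token]


def shape(s: str) -> str:
    """Format signature: 9 for a digit, A for upper case, a for lower case,
    any other character as-is."""
    return "".join("9" if c.isdigit() else "A" if c.isupper() else "a" if c.islower() else c
                   for c in s)


def protect_record(vault: TokenVault, record: dict, fields) -> dict:
    """Tokenise the named fields as a record enters the ecosystem; everything
    else stays as it is."""
    out = dict(record)
    for f in fields:
        out[f] = vault.tokenize(record[f])
    return out


# Constructed sample appointment record with a synthetic NHS number (not real data).
SAMPLE_LETTER = {"nhs_number": "943 476 5919", "surname": "Smith",
                 "clinic": "Outpatients", "appointment": "2019-03-04 09:30"}
SENSITIVE_FIELDS = ("nhs_number", "surname")


def demo() -> tuple:
    """Protect the sample twice with one vault, then recover the originals."""
    vault = TokenVault()
    first = protect_record(vault, SAMPLE_LETTER, SENSITIVE_FIELDS)
    second = protect_record(vault, SAMPLE_LETTER, SENSITIVE_FIELDS)
    recovered = {f: vault.detokenize(first[f]) for f in SENSITIVE_FIELDS}
    return first, second, recovered


if __name__ == "__main__":
    first, second, recovered = demo()
    print("protected:", first)
    print("recovered:", recovered)
```

The protected record still has a 3-3-4 digit group where the NHS number was and a capitalised surname, so a print batch or mail merge built for that layout accepts it unchanged; only the vault can turn the tokens back into the patient. Had the emails in this incident carried tokens rather than identifiers, the exported mail server would have exposed far less, which is the argument for applying the protection at the point data enters the system rather than at the perimeter.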