
NHSScotland’s Cloud Computing Strategy

Steve Bromham of Save9 summarises guidance on NHSScotland's cloud computing strategy and explores a comparison with NHS England's approach

It’s not difficult to imagine how - in the first half of the last century - the pioneering manufacturers of motorised ambulances might have been challenged in selling their marvellous technological product to local and regional Health Boards, attempting to convince civil ambulance services and hospitals that, in order to improve patient survival rates in a medical emergency, they should procure faster, purpose-built mechanised transportation to replace their old horse-drawn carts.

It was only in the late 1940s that the National Health Service Acts made it a mandatory requirement for ambulances to be available for anyone who needed them. We take it for granted now – emergency ambulances are commonplace in our society thanks to this legislation and many of our citizens accept the benefits of this ‘technology’ without giving it a second thought.

NHSScotland's cloud computing push for digitally managing patient data & services

NHS Scotland (NHSS) Cloud Computing Strategy

Moving forward to this century - in light of internet-enabled technologies - I’ve often wondered if patients’ lives are ever put at risk when a nurse, physician or surgeon quickly needs patient MRI, CT or Ultrasound scans - or a lab operative is delayed from digitally sharing critical patient test results with another healthcare provider. Perhaps an uncompromising IG or IS policy exists in their institutions - with staff fearing legal repercussions or senior managers worrying about financial penalties should their team ever consider ‘bending the rules’ in order to quickly transfer patient data via an unauthorised cloud software service.

I’m aware of unauthorised public cloud service use in secondary care settings – something that can be very embarrassing for the SIRO, Caldicott Guardian or IT Manager when they find out it happened on their watch, despite a well-planned and executed IG communications strategy in combination with strict network controls or firewall blocking rules.

There is an array of complex legal and professional obligations placed on healthcare workers to help prevent this sort of thing - plus many official NHS/NHSS and internal guidance or policy documents – many of which describe acceptable usage of cloud computing services. Some apply to NHS England and others to NHSScotland. However - it may not come as a surprise to you that the justification for not adopting some public cloud services as a means to improve the management or sharing of patient data can be down to this type of historical abuse (i.e. unauthorised cloud tools), the confusion surrounding official NHSS/NHS policy and the confusing array of professional and legal obligations that exist. Here are a few key documents - from a large list that we’ve identified...

Applicable Legislation or Guidance                                  | NHS England | NHSScotland
--------------------------------------------------------------------|-------------|------------
Scottish Public Sector Cloud Computing Guidance 2015                | No          | Yes
NHSScotland Information Security Policy Framework 2015              | No          | Yes
NHSScotland Code of Practice on Protecting Patient Confidentiality  | No          | Yes
NHS Information Governance Toolkit                                  | Yes         | No
Records Management Code of Practice for Health and Social Care 2016 | Yes         | No
Information Security Management - NHS Code of Practice 2007         | Yes         | No
Confidentiality - NHS Code of Practice 2003                         | Yes         | No
Data Protection Act 1998                                            | Yes         | Yes
Access to Health Records Act 1990                                   | Yes         | Yes
General Data Protection Regulation (GDPR)                           | May 2018    | May 2018


NHSS (NHSScotland) – an evolving acceptance of cloud computing

NHSScotland's acceptance of cloud computing technologies for digitally sharing patient data securely between healthcare organisations has rapidly progressed over recent years – driven by three key policy changes affecting the Scottish public sector as a whole and more specifically within the NHSS.

March 2013
Because of a carefully worded NHSS statement published in 2013 - it seemed things might be about to change. That moment, in my opinion, was when the clock started ticking towards cloud computing acceptance across Scotland's NHS...

"[It] is recommended that the most sensitive personal or corporate data is still not held in public cloud services until further notice".

Source: NHSScotland's Good Practice Guide for online document sharing and storage tools

Around this time there were examples of NHSS institutions enforcing their own strict cloud computing policies - e.g. NHS Forth Valley decided to add a key statement to their 2013 IS Policy and even mentioned specific cloud software vendors...

"Staff Must Not use cloud storage providers (Dropbox, iCloud, Evernote etc)."

I happen to agree that some of the big international consumer-grade cloud computing platforms are not appropriate for storing patient identifiable data - e.g. recent allegations that Dropbox lost 68 million usernames and passwords in a data breach – a worrying thought for the average NHSS Board and their SIRO if their institution had decided to rush off and deploy this type of solution. To be fair – I believe Dropbox, OneDrive and Google Drive have better than average information security management policies and procedures. Many in the IT industry believe that because these global businesses operate very large datacentre complexes and are also high-profile international brands, they represent more of a target and also a challenge to hackers. One small breach in a massive multi-layered infrastructure appears able to wreak havoc - hopefully lessons will be learned and security improved.

March 2015
Two years later - Scotland's Digital Future campaign eventually empowered the NHSS - as one of its targeted public sector institutions - with enthusiastically worded ‘top-down’ directives in the Scottish Government’s public service reform programme. NHSS could finally make a U-turn and officially approve the adoption of cloud computing technologies.

The cloud computing guidance document stated in its first principle (without prescribing or constraining any particular method of deployment, service delivery or business operation – e.g. private, hybrid, community or public deployment types)...

"Cloud based solutions will be the dominant approach for the Scottish public sector"

And the guidance goes further to outline cloud computing as a key strategic policy...

"Our overall policy position is that cloud computing is part of the strategic future of digital public services in Scotland. It has potential to fundamentally change the nature of digital public service delivery and, when appropriately utilised, can provide benefits in cost effectiveness, energy efficiency and speed of deployment."

Source: Scotland’s Digital Future: Scottish Public Sector Cloud Computing Guidance

July 2015
Shortly after this strategic announcement promoting cloud computing adoption across Scotland's public sector, the NHSScotland Information Security Policy Framework was published, replacing the NHSS Information Assurance Strategy 2011-15 and the NHSS Information Security Policy 2006 in one fell swoop.

This IS policy framework is a lot less prescriptive regarding patient data-sharing technology approaches and I suspect this was a deliberate action - reflecting the aims of Scottish Government strategic policy. It shifts operational information security and information governance management onto the individual NHSS institutions and Health Boards – offering guiding principles on information security best practice aligned closely with the international standards ISO/IEC 27001 and ISO/IEC 27002.

"Although there should be information sharing agreements with partners/suppliers and they may share the IT network and other computing resources it would simply not be practical for the Board ISMS to cover this whole landscape."

However - it is not free rein, as the framework requires that plans be made to implement the necessary policy and procedural controls incrementally to safeguard the confidentiality, integrity and availability of patient information - the classic CIA triad for modelling information security.

"Each Board shall establish its own information security policy which includes components of the NHSS Information Security Policy Framework, national controls and standards as well as specific local policies."

So if you want a simple answer - as to what public, private or hybrid cloud computing services can or cannot be deployed across Scotland’s National Health Service - it is now clearly up to the respective NHSS institutions (more specifically their Health Boards) or executive-level decision makers in other Scottish healthcare providers to decide...

"Produce a statement of applicability that contains the necessary controls and justification for inclusions, exclusions and whether actually implemented."

Healthcare professionals – understanding how better information sharing helps them to deliver better patient care

I think it is worth highlighting that the requirement for healthcare workers to rapidly and securely share patient data across disparate healthcare organisations is nothing new – anecdotally, the level of inter-organisational PID communications seems to be on the increase in a world of mixed private and public sector healthcare provision.

The continued dispersal of patient data across information silos managed by multiple healthcare providers appears to be on the increase – in contrast to overambitious centralisation projects like NHS 24 (NHSScotland) and the NHS National Programme for IT (NHS England), two visions of single national data and service resources. The Scottish Government’s stance on allowing NHSS organisations and partners to deploy their own cloud computing solutions therefore seems well aligned to meet the real needs of local clinicians and their administrative colleagues.

The next step?

Appointing UK-based cloud computing service providers such as Save9 (note: please see our Brexit article on potential geographic limitations of NHS data storage) that offer the right levels of Healthcare IT sector experience, IG knowledge and demonstrable ISMS good practice (e.g. ISO27001 data centre provision and Cyber Essentials) seems to be a useful starting point for selection.

Managing Cultural Change

In summary - cloud computing is now officially part of the strategic future of digital public services in Scotland. However, service roll-out may be delayed for a lot longer than the Scottish Government might expect. NHSS Boards, their SIROs, Caldicott Guardians, plus IG/IT teams will need high levels of assurance from UK public cloud computing providers that they will have the necessary information security and information governance safeguards in place.

A cultural attitude and sensitivity towards protecting patient confidentiality is held very dearly by many of the healthcare professionals I’ve worked with over the years. I believe some Cloud MSPs will find it very difficult to sell their 'one-size-fits-all' public cloud services into NHSS or NHS institutions if they can’t align themselves to this information governance mindset.

Because of a potential cultural misalignment between hosted IT service providers and healthcare IT/IG professionals - I’m convinced we will see more community (shared-service) deployments of private and hybrid cloud environments - versus full-on public cloud adoption across NHSScotland - or even NHS England in the coming years.

The cost-savings and operational efficiencies of Hosted IT

Reflecting on the start of this article - i.e. the accelerated adoption of motorised ambulances in the last century as a consequence of legislative change - I believe we are now witnessing a similar phase of cloud computing technology adoption across the UK public sector. This time however – economic necessity has a big part to play too. Recently announced NHSS Health Board budget deficits will focus attention on IT projects that offer significant cost-savings alongside operational efficiencies, and it is encouraging to see that the Scottish Government recognises hosted IT services are less costly to set up, maintain and scale out compared to traditional in-house IT.

The Scottish Government now has a formal strategy in place for deploying disruptive and innovative digital services - in the hope that the entire public sector will play its part. Patient services across the NHSS could also be dramatically improved if cloud-based information management and sharing technologies become widespread. This is something that secure UK-based public cloud platforms built on scalable server and network virtualisation technologies can deliver quite easily and very quickly - arguably with better manageability and security, assuming MSP assurances can be provided, that all the agreed IS policies and procedures are rigorously adhered to and that any cultural IG mismatches are addressed.

If you have a specific Healthcare IT or cloud computing challenge - or perhaps you would like some assistance in specifying a secure data sharing solution that exceeds your information security and information governance compliance needs then please contact Steve Bromham at Save9 via our contact form or phone number below.

PCI cyber security compliance for charity retailers

PCI DSS Compliance

The Payment Card Industry Data Security Standard (version 3.1) dictates that internally managed network security scanning and a log auditing process must be established by all retailers who handle major credit and debit cards. More specifically - they must perform routine systems vulnerability scans and auditing of server and network access log files - which sadly isn’t in place within many charity retail operations, probably because of the technical complexity and costs involved. This article advises charity retailers on what they can do towards maintaining PCI DSS v3.1 compliance - with the aim of safeguarding customer payment card details from unauthorised access by finding vulnerabilities before they become a business problem.

Wikipedia: "The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB."

Having no PCI DSS Compliance Software in place can sometimes be down to a lack of in-house IT team knowledge (if the charity even has its own IT department), limited understanding of precise PCI DSS obligations or simply a lack of time and resources. A popular misconception is “We're OK - it’s our bank’s responsibility to sort the security scan once a year” and this may be why PCI DSS obligations are not formally managed and routinely reviewed by the IT department or their senior management team - who are ultimately responsible.

Verizon – a damning report on PCI DSS non-compliance in the retail sector

Our view also appears to be backed up by recent research from Verizon - it found the majority of UK organisations accepting payment cards fail to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. According to the Verizon 2015 PCI Compliance Report, only 9% of merchants were compliant on Requirement 11 alone (11.4 is referred to later in this article). This article covers three areas of PCI DSS v3.1 compliance where Save9 hopes to help charity retailers improve:
  • Vulnerability Scanning
  • Audit and Log Reviews
  • Incident intrusion detection and reporting
Save9 has a detailed understanding of the obligations placed on retailers by the PCI and can help charity retailers avoid non-compliance by sign-posting them to a suite of low-cost vulnerability scan and logging solutions - frequently referred to as PCI DSS Compliance Software in the industry.

“Our retail shop’s card transactions are now handled in the Cloud – so I guess it’s not our problem?”

You’d be guessing wrong. According to the PCI, their official PCI DSS SAQ (Self-Assessment Questionnaire) applies to cloud-based payment processing platforms too and it is specifically referred to as SAQ P2PE (this needs to be verified with your respective cloud retailing system provider though). Their requirements apply to any hosted third-party solution because local networks and till systems in shop LANs (Local Area Networks) need to be securely protected and routinely monitored - e.g. to detect and prevent intrusions - even though data processing and storage is handled remotely in the cloud by a third party.

In theory, any cloud-connected shop till has a level of vulnerability if payment transactions are routed externally from a point of sale (including ‘secure networks’ protected by firewalls, private network links, encrypted SSL or VPNs) because data can be intercepted before it reaches the encryption stage, or the encryption process can be compromised by malware secretly residing on a retail system. Additionally, screen capture or data interception malware can exist on PC-based till systems without the IT department’s knowledge.
The worrying reality for most charity retailers

Following discussions with a number of IT managers in the third sector - who look after their in-house IT and remote shop networks in charity retail environments - we are of the opinion (anecdotally of course) that most charitable institutions in the UK have not gone through any of the three internal processes required to meet PCI DSS requirements 6, 10, 11 & 12 (specified in version 3.1 of the PCI DSS requirements guide). Our view is that IT managers in charity retailers should proceed with caution if they believe there’s no need to take action on the advice given – i.e. to routinely deploy vulnerability scans, implement access logging measures and introduce an intrusion-detection strategy. Excerpts from the PCI DSS version 3.1 compliance document (categorised under the three processes explained above) can be found below...

Vulnerability Scanning – PCI DSS Requirement 6
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as high, medium or low) to newly discovered security vulnerabilities.
Guidance: The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information.
Audit and Log Reviews – PCI DSS Requirement 10
10.1 Implement audit trails to link all access to system components to each individual user.
Guidance: It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user.
Incident intrusion detection and reporting – PCI DSS Requirements 11 & 12
11.4 Use intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion detection, intrusion prevention, firewalls, and file integrity monitoring systems.
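As an added example, not code from this article or from GFI's products, the Python script below performs the sort of audit-log review the three excerpts call for on constructed till-PC log lines: it flags access events that are not attributed to an individual user (10.1) and treats a run of failed logons followed by a success from one source as a suspected compromise to be alerted on (11.4 and 12.10.5). The log format, account names, thresholds and sample log are assumptions.

```python
"""Audit-log review for a shop till PC (PCI DSS req. 10.1, 11.4, 12.10.5).

Added example, not Save9's or GFI's code. Log format, accounts, thresholds and
the sample log are constructed assumptions. One record per line:
  <ISO timestamp> <host> <LOGON_OK|LOGON_FAIL|FILE_ACCESS> user=<account> src=<ip>
"""
from collections import defaultdict, namedtuple

# Shared/generic accounts: an access attributed to one of these cannot be
# linked to an individual as requirement 10.1 demands (constructed list).
GENERIC_ACCOUNTS = {"till", "shop", "administrator", "guest"}
FAIL_THRESHOLD = 5  # failed logons from one source before alerting (assumed)
Event = namedtuple("Event", "ts host kind user src")

def parse_line(line):
    """Parse one record; key=value fields follow the event name."""
    ts, host, kind, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(ts, host, kind, fields["user"], fields.get("src", "-"))

def review(lines):
    """Return the alerts a reviewer should see for the given log lines."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []
    # 10.1: every access to a system component must trace to one individual.
    for e in events:
        if e.kind == "FILE_ACCESS" and e.user in GENERIC_ACCOUNTS:
            alerts.append(f"UNATTRIBUTED_ACCESS {e.host} {e.ts} account={e.user}")
    # 11.4 / 12.10.5: repeated failed logons from one source, and a success
    # straight after them, are suspected compromises that must raise an alert.
    fails = defaultdict(int)
    for e in events:
        key = (e.host, e.src)
        if e.kind == "LOGON_FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:
                alerts.append(f"BRUTE_FORCE_SUSPECTED {e.host} src={e.src}")
        elif e.kind == "LOGON_OK":
            if fails[key] >= FAIL_THRESHOLD:
                alerts.append(f"POSSIBLE_COMPROMISE {e.host} src={e.src} "
                              f"user={e.user} after {fails[key]} failures")
            fails[key] = 0  # a successful logon ends the failure run
    return alerts

# Constructed sample: a normal day on TILL-01 plus one generic-account file
# access, and an out-of-hours password-guessing run on TILL-02 that succeeds.
SAMPLE_LOG = """\
2016-10-03T08:58:01 TILL-01 LOGON_OK user=jsmith src=10.1.2.20
2016-10-03T09:02:14 TILL-01 FILE_ACCESS user=jsmith src=10.1.2.20
2016-10-03T09:10:00 TILL-01 FILE_ACCESS user=till src=10.1.2.20
2016-10-03T22:01:00 TILL-02 LOGON_FAIL user=administrator src=10.1.2.99
2016-10-03T22:01:05 TILL-02 LOGON_FAIL user=administrator src=10.1.2.99
2016-10-03T22:01:10 TILL-02 LOGON_FAIL user=administrator src=10.1.2.99
2016-10-03T22:01:15 TILL-02 LOGON_FAIL user=administrator src=10.1.2.99
2016-10-03T22:01:20 TILL-02 LOGON_FAIL user=administrator src=10.1.2.99
2016-10-03T22:01:30 TILL-02 LOGON_OK user=administrator src=10.1.2.99
"""

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each alert line is one item for the quarterly review meeting; a generic account on a till is a 10.1 attribution gap even when no intrusion is suspected.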
What should charity retailers do next - particularly if they have limited IT resources?

Save9’s recommendations are to signpost you to some low-cost but highly effective cybersecurity software solutions - with an indication of licensing costs:

A. Vulnerability Management & Penetration Testing for PCI Compliance: GFI LanGuard network vulnerability scanner licences (annually renewable) - approximately £30 + VAT per annum, then £15 + VAT per annum thereafter (example - per till PC).
B. Audit and Log Review for PCI Compliance (one server node): GFI EventsManager - server log monitoring, management and archiving - approximately £225 + VAT, then £115 + VAT per annum thereafter for upgrades and maintenance.
C. Incident intrusion detection and reporting for PCI Compliance Reporting: GFI EventsManager Active monitoring add-on for event log based intrusion detection and reporting - approximately £80 + VAT, then £40 + VAT per annum thereafter for upgrades and maintenance.

Beyond our technology recommendations above – please make sure time is allotted for meeting and reviewing the scan results and log audits - at least every quarter. Ideally this should be performed by your retail operations management team and an IT Manager (and/or IT Security Manager). You’ll probably need a couple of hours for each session, excluding any emergency measures that need to be factored in for network breaches – which should be outlined in your in-house Incident Response document.

Note: Save9 can obtain an additional 9% discount on GFI’s costs for registered UK charities. We can also help devise a PCI DSS Incident Response document, to help square off PCI DSS compliance. Note: this response procedure also needs to be tested once per annum according to the PCI DSS v3 standard.
Assurance testing is a completely separate topic altogether, but I hope this article helps charity retailers implement better cybersecurity measures to safeguard customer payment card details, avoid a potentially embarrassing public relations disaster and negate those costly fines for non-compliance with the PCI DSS v3.1 standard.