Archive | Healthcare IT

Guidance on cyber security and data security of Dental Practice digital records

Dental Practice Magazine (Article by Steve Bromham of Save9) is aware that a number of UK practices are increasingly worried about the impact that any theft of computer equipment or loss of patient healthcare records stored on these systems might have on their business continuity. In response to this - clarifying the professional and legal obligations for safeguarding patient healthcare data is something that we understand many practice managers would find most helpful.

This article aims to help dental practices understand their legal and statutory obligations in safeguarding patient records - and it also offers guidance on implementing a simple 3-step plan for better management of the associated risks and how to devise a simple IT business continuity plan - should a disaster strike. The risk management technique explained in this article can also be applied to other non-IT operational aspects of business continuity in a dental practice.

DPM's editor recently discovered that a dental practice - based in South London - suffered an attempted break-in. Luckily the assailants appear to have been spotted by a member of the public whilst the break-in was in progress and they escaped the scene. However - what the criminals left behind was a trail of destruction - the practice's rear entrance PVC door panel had been melted away using a portable gas cylinder and blow-torch that had been left behind. Thankfully - this incident did not result in any computer equipment theft or any loss of patient healthcare data - however, the practice manager took this as a 'wake-up call' and is now putting plans in place to improve their physical security, digital security and IT business continuity.

Following the attempted break-in - a number of questions were raised by the practice management team in connection with digital security and business continuity. All were focused on what might have happened if the criminals had been successful in obtaining confidential patient records. How quickly could the practice IT systems get up and running following a fire or loss of patient management systems? What legal and financial repercussions might the practice have suffered - if PCs or servers had been stolen and confidential patient data had been compromised?

Business Continuity - from an IT perspective

Reflecting on this real-world scenario - one plausible outcome of the attempted break-in could easily have been the theft of a number of desktop PCs and perhaps a server or two. From an operational perspective - unless the practice operates an off-site backup solution or already utilises a cloud-computing based patient records system (e.g. healthcare records stored in an off-site data centre or at a main HQ site) they would have found business continuity adversely affected.

Even when automated or manual off-site backups are in place - the purchase of replacement computers, the installation of correctly licensed software, the setup of networking by an IT provider and the loading of online or tape backup data onto replacement PCs and servers can be a very time-consuming process that stops the practice from digitally managing patient bookings and accessing healthcare records - at least until the systems are fully operational.

Almost any break-in or cyber-attack that results in loss or reduced access to essential computing equipment or patient data will most likely result in patient service disruption and potentially an information governance non-compliance issue. No 'automated rapid backup and recovery' solution in the world can help you make up for the lost time and resources required to purchase replacement client computer equipment or re-instate applications and data on your network (accessing either cloud computing or on-premise servers) as your practice attempts to get back into its normal working routine. Unless of course - you have an up-to-date duplicate of every single computing device or data storage system in safe storage - plus all the oral healthcare records that reside on them safely mirrored in a separate geographical location that can be re-instated within minutes. This is technically possible - but not a luxury most can afford or even wish to entertain - when considering the risk:reward ratio investment decision required.

In summary - following a physical or virtual break-in (e.g. hacking via the internet or suffering a malware infection on practice computers) the delivery of patient care and treatments can be immediately delayed or, in a worst-case scenario, suspended indefinitely. The added complication of losing confidential patient data introduces a potential raft of legislative and care standard non-compliance scenarios - with intervention from the likes of the ICO, CQC and NHS Digital (formerly HSCIC) - possibly resulting in legal action against individual(s) or the organisation and the threat of financial penalties or practice closure.

So, now the scary stuff is out of the way - what can you do to improve practice business continuity and protect patient data from an IT perspective? Here's our recommended 3-step plan...

(1) Firstly, you need to understand the legal and statutory obligations that your dental practice must comply with when it comes to safeguarding the security and integrity of patient records.

(2) Then you need to assess your potential risks, their likelihood and the impact on the business from a 'CIA' perspective (Confidentiality, Integrity and Access of patient data) - all within the context of your professional obligations confirmed in the first step above. There are lots of freely available charts and colour-coded spreadsheets that can help you discover and articulate these risks. Don't do this alone - get input from your colleagues and an IT support provider.

(3) Finally - your priorities need to be agreed with a basic plan of action devised to mitigate the higher-impact and most-likely risks as soon as possible - covering these nine generic IT areas...

  • Files & Databases
  • Email & DNS (Domain Name Service) Services
  • Software Applications
  • Cloud Computing Applications
  • Desktops, Laptops, Smartphones & Server Computers
  • Networking (Wired & Wireless)
  • Firewalls & Routers
  • Malware Protection
  • Backup & Recovery Systems

There are usually a number of lower-likelihood risks that you may decide to simply accept without any intervention at all - this is part of the risk management process, as most dental practices do not have the time, resources or ability to mitigate 100% of all IT risks; it's almost impossible to achieve.

Note: this is not an exhaustive list of IT functions - there are many digital services I've excluded (e.g. websites, phone systems, server virtualisation etc.) however what we have above is a good starting point for most practices to begin with.



NHSScotland’s Cloud Computing Strategy

Steve Bromham of Save9 summarises guidance on NHSScotland's cloud computing strategy and explores a comparison with NHS England's approach

It’s not difficult to imagine how - in the first half of the last century - the pioneering manufacturers of motorised ambulances might have been challenged in selling their marvellous technological product to local and regional Health Boards, attempting to convince civil ambulance services and hospitals that in order to improve patient survival rates in a medical emergency - they should procure faster, purpose-built mechanised transportation to replace their old horse-drawn carts.

It was only in the late 1940s that the National Health Service Acts made it a mandatory requirement for ambulances to be available for anyone who needed them. We take it for granted now – emergency ambulances are commonplace in our society thanks to this legislation and many of our citizens accept the benefits of this ‘technology’ without giving it a second thought.

NHSScotland's cloud computing push for digitally managing patient data & services

NHS Scotland (NHSS) Cloud Computing Strategy

Moving forward to this century - in light of internet-enabled technologies - I’ve often wondered if patients’ lives are ever put at risk when a nurse, physician or surgeon quickly needs patient MRI, CT or Ultrasound scans - or a lab operative is delayed from digitally sharing critical patient test results with another healthcare provider. Perhaps an uncompromising IG or IS policy exists in their institutions - with staff fearing legal repercussions or senior managers worrying about financial penalties should their team ever consider ‘bending the rules’ in order to quickly transfer patient data via an unauthorised cloud software service.

I’m aware of unauthorised public cloud service use in Secondary care settings – something that can be very embarrassing for the SIRO, Caldicott Guardian or IT Manager when they find out it happened on their watch; despite a well-planned and executed IG communications strategy in combination with strict network controls or firewall blocking rules.

There is an array of complex legal and professional obligations placed on healthcare workers to help prevent this sort of thing - plus many official NHS/NHSS and internal guidance or policy documents – many of which describe acceptable usage of cloud computing services. Some apply to NHS England and others to NHSScotland. However - it may not come as a surprise to you that the justification for not adopting some public cloud services as a means to improve management or sharing of patient data can be down to this type of historical abuse (i.e. unauthorised cloud tools) and the confusion surrounding official NHSS/NHS policy plus the confusing array of professional and legal obligations that exist. Here are a few key documents - from a large list that we’ve identified...

| Applicable Legislation or Guidance | NHS-England | NHSScotland |
|---|---|---|
| Scottish Public Sector Cloud Computing Guidance 2015 | No | Yes |
| NHSScotland Information Security Policy Framework 2015 | No | Yes |
| NHSScotland Code of Practice on Protecting Patient Confidentiality | No | Yes |
| NHS Information Governance Toolkit | Yes | No |
| Records Management Code of Practice for Health and Social Care 2016 | Yes | No |
| Information Security Management - NHS Code of Practice 2007 | Yes | No |
| Confidentiality - NHS Code of Practice 2003 | Yes | No |
| Data Protection Act 1998 | Yes | Yes |
| Access to Health Records Act 1990 | Yes | Yes |
| General Data Protection Regulation (GDPR) | May 2018 | May 2018 |

NHSScotland IG information:
NHS England IG information:

NHSS (NHSScotland) – an evolving acceptance of cloud computing

NHSScotland's acceptance of cloud computing technologies for digitally sharing patient data securely between healthcare organisations has rapidly progressed over recent years – driven by three key policy changes affecting the Scottish public sector as a whole and more specifically within the NHSS.

March 2013
Because of a carefully worded NHSS statement published in 2013 - it seemed things might be about to change. That moment, in my opinion, was when the clock started ticking towards cloud computing acceptance across Scotland's NHS...

"It is recommended that the most sensitive personal or corporate data is still not held in public cloud services until further notice".

Source: NHSScotland's Good Practice Guide for online document sharing and storage tools

Around this time there were examples of NHSS institutions enforcing their own strict cloud computing policies - e.g. NHS Forth Valley decided to add a key statement to their 2013 IS Policy and even mentioned specific cloud software vendors...

"Staff Must Not use cloud storage providers (Dropbox, iCloud, Evernote etc)."

I happen to agree that some of the big international consumer-grade cloud computing platforms are not appropriate for storing patient identifiable data - e.g. recent allegations that Dropbox lost 68 million usernames and passwords in a data breach – a worrying thought for the average NHSS Board and their SIRO if their institution had decided to rush off and deploy this type of solution. To be fair – I believe Dropbox, OneDrive and Google Drive have better than average information security management policies and procedures. Many in the IT industry believe that because these global businesses operate very large datacentre complexes and they are also high-profile international brands - they represent more of a target and also a challenge to hackers. One small breach in a massive multi-layered infrastructure appears to be able to wreak havoc - hopefully lessons will be learned and security improved.

March 2015
Two years later - Scotland's Digital Future campaign eventually empowered the NHSS - as one of its targeted public sector institutions - with enthusiastically worded ‘top-down’ directives in the Scottish Government’s public service reform programme. NHSS could finally make a u-turn and officially approve the adoption of cloud computing technologies.

The cloud computing guidance document stated in its first principle (without prescribing or constraining any particular method of deployment, service delivery or business operation – e.g. private, hybrid, community or public deployment types)...

"Cloud based solutions will be the dominant approach for the Scottish public sector"

And the guidance goes further to outline cloud computing as a key strategic policy...

"Our overall policy position is that cloud computing is part of the strategic future of digital public services in Scotland. It has potential to fundamentally change the nature of digital public service delivery and, when appropriately utilised, can provide benefits in cost effectiveness, energy efficiency and speed of deployment."

Source: Scotland’s Digital Future: Scottish Public Sector Cloud Computing Guidance

July 2015
Shortly after this strategic announcement promoting cloud computing adoption across Scotland's public sector the NHSScotland Information Security Policy Framework was published; replacing NHSS Information Assurance Strategy 2011-15 and the NHSS Information Security Policy 2006 in one fell swoop.

This IS policy framework is a lot less prescriptive when related to patient data-sharing technology approaches and I suspect this was a deliberate action - reflecting the aims of Scottish Government strategic policy. It shifts operational information security and information governance management onto the individual NHSS institutions and Health Boards – offering guiding principles on information security best practice aligned closely with International Standards ISO27001 and ISO27002.

"Although there should be information sharing agreements with partners/suppliers and they may share the IT network and other computing resources it would simply not be practical for the Board ISMS to cover this whole landscape."

However - it is not a free rein, as the framework requires that plans must be made to implement the necessary policy and procedural controls incrementally to safeguard the confidentiality, integrity and availability of patient information - the classic CIA triad for modelling information security.

"Each Board shall establish its own information security policy which includes components of the NHSS Information Security Policy Framework, national controls and standards as well as specific local policies."

So if you want a simple answer - as to what public, private or hybrid cloud computing services can or cannot be deployed across Scotland’s National Health Service - it is now clearly up to the respective NHSS institutions (more specifically their Health Boards) or executive-level decision makers in other Scottish healthcare providers to now decide...

"Produce a statement of applicability that contains the necessary controls and justification for inclusions, exclusions and whether actually implemented."

Healthcare professionals – understanding how better information sharing helps them to deliver better patient care

I think it is worth highlighting that the requirement for healthcare workers to rapidly and securely share patient data across disparate healthcare organisations is nothing new – anecdotally, the level of intra-organisational PID communications seems to be on the increase in a world of mixed private and public sector healthcare provision.

The continued dispersal of patient data across information silos managed by multiple healthcare providers appears to be on the increase – in contrast to overambitious centralisation projects like NHS 24 (NHSScotland) and the NHS National Programme for IT (NHS England). Two visions of single national data and service resources - so the Scottish Government’s stance on allowing NHSS organisations and partners to deploy their own cloud computing solutions seems well-aligned to meet the real needs of local clinicians and their administrative colleagues.

The next step?

Appointing UK-based cloud computing service providers such as Save9 (note: please see Brexit article on potential geographic limitations of NHS data storage) that offer the right levels of Healthcare IT sector experience, IG knowledge and demonstrable ISMS good practice (e.g. ISO27001 data centre provision and Cyber Essentials) seems to be a useful starting point for selection.

Managing Cultural Change

In summary - cloud computing is now officially part of the strategic future of digital public services in Scotland. However, service roll-out may be delayed for a lot longer than the Scottish Government might expect. NHSS Boards, their SIROs, Caldicott Guardians, plus IG/IT teams will need high levels of assurance from UK public cloud computing providers that they will have the necessary information security and information governance safeguards in place.

A cultural attitude and sensitivity towards protecting patient confidentiality is held very dearly by many of the healthcare professionals I’ve worked with over the years. I believe some Cloud MSPs will find it very difficult to sell their 'one-size-fits-all' public cloud services into NHSS or NHS institutions if they can’t align themselves to this information governance mind-set.

Because of a potential cultural misalignment between hosted IT service providers and healthcare IT/IG professionals - I’m convinced we will see more community (shared-service) deployments of private and hybrid cloud environments - versus full-on public cloud adoption across NHSScotland - or even NHS England in the coming years.

The cost-savings and operational efficiencies of Hosted IT

Reflecting on the start of this article - i.e. the accelerated adoption of motorised ambulances in our last century as a consequence of legislative change - I believe we are now witnessing a similar phase of cloud computing technology adoption across the UK public sector. This time however – economic necessity has a big part to play too. Recently announced NHSS Health Board budget deficits will focus attention on IT projects that offer significant cost-savings alongside operational efficiencies and it is encouraging to see that the Scottish government recognises hosted IT services are less costly to setup, maintain and scale-out compared to traditional in-house IT.

The Scottish government now has a formal strategy in place for deploying disruptive and innovative digital services - in the hope that the entire public sector will play its part. Patient services across the NHSS could also be dramatically improved if cloud-based information management and sharing technologies become widespread. This is something that secure UK-based public cloud platforms built on scalable server and network virtualisation technologies can deliver quite easily and very quickly. Arguably with better manageability and security - assuming MSP assurances can be provided - and that all the agreed IS policies and procedures are rigorously adhered to and that any cultural IG mismatches are addressed.

If you have a specific Healthcare IT or cloud computing challenge - or perhaps you would like some assistance in specifying a secure data sharing solution that exceeds your information security and information governance compliance needs then please contact Steve Bromham at Save9 via our contact form or phone number below.


Is it OK to backup NHS patient data in the cloud?

NOTE: SOME OF THE ADVICE PUBLISHED IN THIS ARTICLE IS SUPERSEDED BY NHS DIGITAL POLICY CHANGES: NHS and social care data: off-shoring and the use of public cloud services

If you've ever wondered what the official line is - from the UK's NHS (National Health Service) – on whether the NHS and its business partners can back up patient identifiable data with third party cloud computing providers over the Internet - then this Save9 article might be of use to you.

NHS Cloud Backups

In summary it is permissible to backup PID in the cloud but there are some stringent technical, information security management and information governance requirements that must be adhered to, most of which are briefly outlined below.

One of Save9's major customers is an NHS Business Partner and we were recently tasked by their Information Governance team to find out if cloud backups of PID (Patient Identifiable Data) are permitted by the NHS from a technical, information security and information governance compliance perspective.

If this article is not detailed enough for a specific project you have in mind or you would like some assistance in specifying and deploying a cloud backup solution that meets (or exceeds) your data security and information governance compliance needs then please contact Steve Bromham at Save9 via our contact form or phone number below.

Department of Health - view on using Cloud services
The statement below was made by a representative of the Department of Health in reply to a similar query that Save9 made to the NHS - relating to the use of cloud computing: “At this point there is no DH [Department of Health] prohibition on local Trusts processing their data via Cloud services or offshore. However, there is an expectation that information assets are understood, comprehensive/rigorous risk assessment and management is documented and undertaken by the local organisation, that NHS IG [Information Governance] policies and standards are applied, that legal obligations are satisfied, and that the data involved does not originate from DHID [Department of Health Informatics Directorate] /CFH [Connecting for Health] /HSCIC [Health and Social Care Information Centre] provisioned services - as would contravene our CFH policy. It is the responsibility of the local SIRO [Senior Information Risk Owner] to accept any risks in consultation with their Board, Caldicott Guardian, assigned information asset owners and supporting IG teams.”

Note: A 'Caldicott Guardian' (named after Dame Fiona Caldicott - the UK's National Data Guardian) is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to have a Caldicott Guardian; this is mandated for the NHS.

Note: NHS Connecting for Health ceased to exist at the end of March 2013 and HSCIC was renamed NHS Digital in July 2016.

Department of Health - Information Security and Risk Policy – view on Cloud Computing
Here is a copy of a response received from the Infrastructure Security Team and the Department of Health - Information Security and Risk Policy Lead: “Locally, Senior Information Risk Owners and Information Asset Owners are responsible for ensuring security assessment, approvals including risk acceptance, and that there is an expectation generally for compliance with NHS IG [Information Governance] policies and good practice. This essentially means perform a local risk assessment, stay within the law and the IG Assurance Framework, don't commit to anything that is not fully understood, and/or that you do not have appropriate confidence in.”

Storing PID (Patient Identifiable Data) outside of England is not permitted
A recent response from the Infrastructure Security Team made reference to the Department of Health - Information Security and Risk Policy Lead; commenting on the offshoring of data; “…a specific area to be mindful of in relation to 'cloud computing' is the potential for 'offshoring' of sensitive data to occur. This could happen for example, if utilising a 'public cloud' provider which has data centre facilities all over the world. There is the possibility that sensitive information could end up outside of England due to the way that some public providers manage data 'in the cloud'.”

For further information on 'offshoring', the Operational Security Team (OST) of NHS Digital helped Save9 clarify current NHS data storage and transmission restrictions in place - by signposting us to a specific NHS Offshore Support Requirement document.

It is quite specific:

Patient Identifiable Data should not be recorded outside of the England boundary in any format for any reason without the prior explicit written permission of the NHS.

N3 and Cloud Backups

The N3 is the NHS private WAN (Wide Area Network) used by NHS hospitals, organisations and their partners with connections strictly limited to authorised endpoints. All organisations wishing to make a new connection to N3 are responsible for ensuring that their connection to the WAN does not compromise the security measures already in place.

There are quite a few N3-approved data centres across the UK but there is no specific NHS requirement that backups must only be performed over an N3 WAN connection to an N3 data centre or other N3 connected site.

NHS Digital freely acknowledges that information is unencrypted when transmitted over the N3 network (unless using the VPN N3-12-4 Catalogue service which encrypts traffic across the Internet and the N3 network to a specific site) therefore confidentiality of sensitive information within N3 is not assured. N3 also faces numerous threats to security as a result of incompletely protected partner networks or connections to uncontrolled external networks such as the internet.

Use of Cryptographic Algorithms to encrypt NHS Cloud Backups over an Internet VPN (Virtual Private Network)
According to the Infrastructure Security Team at NHS Digital any Cloud Backup service should encrypt data traffic over a VPN using the IPsec protocol and in doing so may only utilise certain encryption algorithms – specifically following Good Practice Guidelines (GPG) that have an 'Approved' status.

Therefore do not use Message Digest 5 (MD5) or Secure Hash Algorithm version 1 (SHA-1) for Digital Signature Generation/Verification - due to proven collision attacks. Interestingly, the UK Communications Electronics Security Group (UK CESG) and the US National Institute of Standards and Technology (US NIST) also do not recommend the use of MD5.

NHS Informatics made it very clear that they do not endorse or recommend any specific products for use within the NHS in relation to encryption. There are a variety of encryption products available on the open market and it is for NHS organisations to determine for themselves which products best suit their needs dependent on their particular circumstances.

3DES (with a 168bit key only), AES-128 and Blowfish (with a 256bit key minimum) are all acceptable standards on existing systems currently in use within the NHS. It is recommended that for all new system deployments, AES-256 or Twofish (with a 256bit key minimum) are now used.

In terms of deploying a network layer VPN protocol – IPsec is approved by the NHS. IPsec uses cryptographic algorithms for maintaining confidentiality and integrity. However - the NHS stipulates approved algorithms for use within IPsec VPNs (typically a VPN configuration setting you can apply) such as AES-XCBC-MAC-96 for Authentication Headers (AH) and ESP Integrity plus AES-CBC for the Encapsulating Security Payload (ESP). There are a few other permitted IPsec algorithms but they are not the preferred ones, as detailed here.
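The algorithm rules in this section can be turned into a repeatable check on a proposed backup or VPN profile. The following is an added example, not code from Save9 or NHS Digital: the profile field names, `Finding` and `audit_profile` are hypothetical, the sample profiles are constructed, and it assumes that AES keys longer than 128 bits and the new-deployment ciphers are also acceptable on existing systems.

```python
"""Audit a cloud-backup encryption profile against the algorithm guidance quoted above.

Added illustration: the field names, Finding and audit_profile are hypothetical.
"""
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "FAIL" contradicts the quoted guidance; "WARN" is not the preferred choice
    field: str
    message: str


# Key-length rules (in bits) for backup data encryption, as quoted in the article.
NEW_OK = {
    "AES": lambda bits: bits >= 256,       # AES-256
    "TWOFISH": lambda bits: bits >= 256,   # "256bit key minimum"
}
EXISTING_OK = {
    "3DES": lambda bits: bits == 168,      # "168bit key only"
    "AES": lambda bits: bits >= 128,       # AES-128 is named; longer AES keys assumed acceptable
    "BLOWFISH": lambda bits: bits >= 256,  # "256bit key minimum"
    "TWOFISH": NEW_OK["TWOFISH"],          # assumption: new-system choices are fine on old systems
}
BANNED_SIGNATURE_HASHES = {"MD5", "SHA1"}  # ruled out for signature generation/verification
PREFERRED_ESP_ENCRYPTION = "AES-CBC"
PREFERRED_INTEGRITY = "AES-XCBC-MAC-96"    # for AH and for ESP integrity


def _norm(name: str) -> str:
    """Normalise spelling variants such as 'aes_cbc' to 'AES-CBC'."""
    return name.strip().upper().replace("_", "-")


def audit_profile(profile: dict) -> list:
    """Return a list of Finding tuples; an empty list means nothing to report."""
    deployment = profile["deployment"]
    if deployment not in ("new", "existing"):
        raise ValueError("deployment must be 'new' or 'existing'")
    rules = NEW_OK if deployment == "new" else EXISTING_OK
    findings = []

    # Cipher family and key length are separate fields, e.g. "AES" and 256.
    cipher, bits = _norm(profile["data_cipher"]), int(profile["data_key_bits"])
    if cipher not in rules:
        findings.append(Finding("FAIL", "data_cipher",
                                f"{cipher} is not listed for {deployment} systems"))
    elif not rules[cipher](bits):
        findings.append(Finding("FAIL", "data_key_bits",
                                f"{cipher} with a {bits}-bit key is not accepted "
                                f"for {deployment} systems"))

    sig = _norm(profile["signature_hash"]).replace("-", "")
    if sig in BANNED_SIGNATURE_HASHES:
        findings.append(Finding("FAIL", "signature_hash",
                                f"{sig} must not be used for digital signatures"))

    # The article names preferred IPsec algorithms and says others are permitted
    # but not preferred, so anything else is a warning to check against the GPG list.
    if _norm(profile["esp_encryption"]) != PREFERRED_ESP_ENCRYPTION:
        findings.append(Finding("WARN", "esp_encryption",
                                f"preferred ESP encryption is {PREFERRED_ESP_ENCRYPTION}"))
    for field in ("esp_integrity", "ah_integrity"):  # AH is optional in a profile
        value = profile.get(field)
        if value is not None and _norm(value) != PREFERRED_INTEGRITY:
            findings.append(Finding("WARN", field,
                                    f"preferred integrity algorithm is {PREFERRED_INTEGRITY}"))
    return findings


# Constructed sample profiles (not taken from any real system).
COMPLIANT_NEW = {
    "deployment": "new", "data_cipher": "AES", "data_key_bits": 256,
    "signature_hash": "SHA-256", "esp_encryption": "aes-cbc",
    "esp_integrity": "AES-XCBC-MAC-96",
}
LEGACY_EXISTING = {
    "deployment": "existing", "data_cipher": "3DES", "data_key_bits": 112,
    "signature_hash": "SHA-1", "esp_encryption": "3DES-CBC",
    "esp_integrity": "HMAC-SHA1-96",
}

if __name__ == "__main__":
    for name, profile in (("new", COMPLIANT_NEW), ("legacy", LEGACY_EXISTING)):
        for finding in audit_profile(profile) or ["no findings"]:
            print(name, finding)
```

A `WARN` here means only that the value is not one of the preferred algorithms named in this article; whether it is among the other permitted ones has to be confirmed against the current Good Practice Guidelines.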

NHS IG (Information Governance) Toolkit – applying it to Cloud Computing backup services
The IG Toolkit is an online system which allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards.

Requirement No. 11-308 applies to almost every type of NHS organisation or partner; “All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers” – therefore any online backup service that transmits and stores person identifiable and sensitive information will need to comply.

Similarly, IG Toolkit requirement No. 11-313 insists that ‘Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely’ – the previous section that introduced the Health and Social Care Information Centre’s Good Practice Guidelines (GPG) will certainly help.

When it comes to restoring data from a Cloud backup then IG Toolkit requirement No. 11-206 is likely to apply - “There are appropriate confidentiality audit procedures to monitor access to confidential personal information” – specifically if personal information is contained within any backup file stored at a Cloud Computing provider’s datacentre (of course, this would include on-site backup restores too).

Information Commissioner's Office
When considering ‘cloud services’ (and especially where personal/sensitive personal data is to be stored) NHS Digital advises that NHS organisations and their partners review the Information Commissioner's Office guidance on the use of cloud computing. Although not NHS specific, it provides useful information on considerations which should be taken when determining whether to store or process personal or sensitive personal data ‘in the cloud’ together with any legal obligations.


The cost-benefit of Cloud Computing backup services vs. traditional on-site backups (specifically to NHS organisations and partners) is compelling. The peace-of-mind knowing your data is safely stored off-site, should disaster strike, is an attractive proposition. After all, local backups (i.e. same geographical site) can easily be damaged alongside your original data and files - from fire, flooding, theft, accidental deletion, malware or internet attacks; meaning all your data could potentially be lost forever.

Ultimately, NHS organisations and partners have a duty to record, store and transmit patients' medical record data and sensitive information in confidence – so any deployed cloud computing backup service should come under technical scrutiny (security, scalability and reliability perspectives) whilst adhering to established information governance principles.

Compliance with NHS guidelines, the Information Governance Toolkit, internal audit processes and information security standards (e.g. ISO27001 and ISO27002) puts extra pressure on already busy IT personnel - making the process of moving backups to the cloud seem onerous and perhaps less of a priority.

However, success can be achieved by following a set of NHS guidelines and principles - as described in this article. The act of ensuring your backups are automatically transmitted off-site for added data security (via a Cloud provider or even a private link) in our view reflects a duty of care to patients and their data. In our opinion - to preserve an on-site backup regime, without exploring the potential risk-reduction benefits that NHS compliant cloud backups can bring is a blinkered view – because there are always new cloud computing technologies and services emerging designed to lower operating costs, reduce risk and improve service delivery.
