Happy Data Privacy Day 2019!

It’s Data Privacy Day (@StaySafeOnline) and the National Cyber Security Alliance celebrates this with its annual symposium in San Francisco today.  It marks an opportunity to raise awareness and remind organisations about the importance of safeguarding data, respecting the privacy of individuals, enabling trust and encouraging a culture of cyber security.

Last week, IBM’s CEO Ginni Rometty speaking from Davos in Switzerland at the World Economic Forum, commented that one of the biggest issues for every government right now is privacy of consumer data but that a barrage of regulations could destroy the digital economy.

“Every government is itching to regulate, and the risk we all have is that there’s a great overreaction. The casualty is the whole digital economy.  We have to protect consumer privacy with precision regulation: consent, opt out, ability to delete”.

Rometty added that privacy is sacrosanct. “We (IBM) exist because clients trust us with data. So I think every company now has to do that, when everyone’s looking to benefit from it. If you’re gonna benefit from it, you have to live by those rules,” she said.

Amicus ITS Sales Director Les Keen added, “This is true for all responsible data guardians and a view that Amicus ITS endorses.  As an IT Managed Service Provider we are trusted and relied upon by our customers to manage their data safely.  Today’s event is a great reminder that we all have to keep on our toes to stay safe online and education will always remain at the heart of this – connecting the technologies, processes and people. Happy DPD!”

Any organisation wishing to discuss data protection issues in confidence can contact the Amicus ITS sales team by calling +44 2380 429429.

 

Leeds first city to launch fully integrated NHS GP Electronic Patient Records service through GP Connect

NHS Digital has announced the launch this week of the first fully integrated GP Electronic Patient Records system, which has gone live in the City of Leeds. Leeds is the second largest city in England with a population approaching 785,000, so it is a substantial test of how the service performs in working practice.

This digital transformation has been facilitated by the NHS GP Connect programme service which works with various GP clinical system providers to develop Application Programming Interfaces (APIs) to make data from clinical systems available in standard form, so that it can be used across different systems.  In the case of Leeds, TPP (SystmOne) joined forces with EMIS Health to create this vital, secure backlink to GP practices.

The new system unlocks the digital records of all patients across the City to hospital clinicians, connecting primary and secondary care providers 24×7. It will enable authorised clinical staff to view GP records digitally and have source GP patient information to hand to better inform their care of patients. The move reduces the burden on GP practices of having to share information via traditional unsecured routes like fax. This is the first in a sea change of healthcare updates for the City, as plans are made to add more benefits in 2019. These include secure access to structured medications (to optimise use of medicines), provision of allergies information, a more efficient appointment management system between practices and the integration of social care and mental health care records.

Richard Corbridge, Chief Digital & Information Officer at Leeds Teaching Hospital Trust said: “GP Connect connectivity improves the way data can be used as information in clinical practice throughout the city.  Delivering integrated care for the population is the key goal for every healthcare system and why the investment in digital is so intrinsic to the success of healthcare as a system rather than as silos of excellence.  In Leeds we can now plan to have a fully integrated primary care, social care, hospital care and mental health care record in place throughout the city in 2019, a giant leap and a unique proposition for the NHS.”

Dr John Parry, Clinical Director at TPP said: “This is a very important step to ensuring that patients benefit from having their medical records available for those caring for them, wherever they are receiving care”.

Dr Shaun O’Hanlon, chief medical officer at EMIS Group said: “We are delighted that connectivity via GP Connect is available right across Leeds. This important partnership with NHS Digital is part of our company’s wider commitment to providing the tools for system interoperability using open NHS standards across the UK, and helping clinicians drive up standards of joined up patient care.”

This marks a significant chapter for the NHS in contrast to the dismal days of NPfIT (National Programme for IT), the NHS IT programme started in 2002 and scrapped after 9 years by the then coalition government with a public bill of £10 billion. The journey to transformation in the NHS deploying Electronic Patient Records (EPR) has been slow and painful, but now with a number of vendors rolling out EPR services across the country (including Cerner, Epic, EMIS, Rose, eCare, Intersystems and System C), the pace is quickening for standardised data platforms to make an integrated healthcare service a reality rather than a dream.

French regulators throw the first big GDPR punch at Google with £44m fine

Google has fallen foul of the French data regulators with the announcement yesterday of an impressive £44m fine against the global search engine giant. In a move that has sent the tech industry chattering, this marks the first major European penalty since the rollout of GDPR on 27th May 2018. It was going to happen sooner or later; it was just a matter of who would be first.

Google’s blunder was its covert process of gathering data to personalise ads without ‘sufficiently’ informing users, burying the detail in terms and conditions and using pre-ticked boxes (contrary to the new legislation).

CNIL, the French equivalent of the UK’s Information Commissioner’s Office, filed two complaints as soon as GDPR came into effect.

Commenting on the severity of the fine, CNIL advised that the action was “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.

The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data.

The fine announced on Monday is far lower than the maximum penalty under the European privacy law, which is 4% of global revenue. For Google, that would be more than $4 billion!

The response has been largely welcomed in the wider MSP community as a prompt to improve marketing processes, a view echoed by Amicus ITS. Like many others today, Amicus ITS uses Account Based Marketing, so the lawful consent required is obtained directly from the customer.

The news is a salutary reminder for firms to stay vigilant in complying with GDPR, and to build flexibility into the services they offer through different marketing channels so that data is captured through websites and other means by the correct routes (which these days increasingly means companies offering AI chatbots when communicating services or sharing information with third parties).

Are you surprised by the fine?  Who do you think is going to be next up for punishment?  Give us your thoughts.

Beware Santa’s horses bearing gifts

Tis the season to be crafty!   Just as Amicus ITS was reaping the results of its own competition for staff to design a winning Christmas e-card for 2018 incentivised with online gift card vouchers for prizes, came the news report issued last Monday by security firm Barracuda Networks that Santa’s gone a bit phishy in a Gremlins kind of way in the run up to Christmas.

The increasing sophistication of social engineering has created a new cyber security workplace scam targeting receptionists, office managers and executive assistants. The report states: “These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals”.

Here, hackers pretend to be the CEO or senior managers, using tactics like implied urgency and directed emails asking specifically for, say, Google Play gift cards. Phishing emails can also include a ‘signature’ implying the message was sent from a mobile device. Alternatively, the scam can be built around a secret ‘reward’ for employees. There are no malicious payload links or suspicious file attachments, and the emails are often sent from trusted email domains.

Spokesman for Barracuda Networks, Asaf Cidon commented: “When sending social engineering-based attacks, attackers have always used context and timing to their advantage – and the Christmas season has opened the door wide to a lot of cleverly designed executive impersonation”.

What can you do about it?
Organisations should have the relevant anti-malware, anti-spyware and anti-adware protection in place. Other security tools can include more advanced anti-spybot software and AI-based security solutions that detect anomalies, such as email addresses the CEO would not use or behaviours which would be recognised as uncharacteristic. But alongside all of these technical competencies, it comes back to having an educated and informed workforce across the board, vigilant and trained to spot attack efforts and to know the right remedial steps to take:

• Use HR to work with IT to help with employee messaging to avoid falling for these scams and to understand what technology is needed to ward off the attacks.
• Awareness spread through the employee network should reduce the time between attack and detection and prevent more extensive damage.
• If a gift card email scam hits your organisation, put a procedure in place requiring employees to obtain direct management approval before acting on any financial request.
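The anomaly detection mentioned above, written out as a simple mailbox-side heuristic. This is an added example, not code from the original post or from Barracuda Networks; the corporate domain, the executive directory and the two sample messages are constructed for illustration.

```python
"""Flag inbound mail that looks like executive gift-card impersonation.

Added example, not code from the original post or from Barracuda Networks.
The corporate domain, executive directory and sample messages are constructed.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.uk"  # assumed corporate mail domain
# Assumed directory of impersonation targets: lower-case display name -> mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example.co.uk"}

# Cues taken from the Barracuda description: gift cards, urgency, a mobile
# signature standing in for a proper reply, and a "secret reward" framing.
GIFT_CARD = re.compile(r"\b(gift\s*cards?|google play|itunes|vouchers?)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|asap|right away|are you available)\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (iphone|ipad|android|mobile)", re.I)
SECRET = re.compile(r"\b(surprise|keep this between us|don'?t (tell|mention))\b", re.I)


def score_message(headers, body):
    """Return (score, reasons); 3 or more is worth holding for review.
    The From header is taken at face value: a forged sender is a job for
    SPF/DKIM/DMARC results, which this check does not see."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # Executive's name on a mailbox that is not theirs: the clean-looking webmail sender.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{display}' but sender {addr}")
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From")
    if domain != COMPANY_DOMAIN and GIFT_CARD.search(body):
        reasons.append("external sender raising gift cards")
    if URGENCY.search(body):
        reasons.append("urgency cue")
    if MOBILE_SIG.search(body):
        reasons.append("mobile signature excusing a terse, unverifiable request")
    if SECRET.search(body):
        reasons.append("secrecy cue")
    return len(reasons), reasons


# Constructed sample: the pattern the post describes.
SCAM_HEADERS = {"From": "Jane Doe <jane.doe.office@webmail-example.com>",
                "Reply-To": "jd.private@webmail-example.com"}
SCAM_BODY = ("Are you available? I need you to pick up 5 Google Play gift cards "
             "for a staff surprise and send me the codes urgently. Keep this "
             "between us for now.\n\nSent from my iPhone")
# Constructed sample: a legitimate internal message that mentions vouchers.
LEGIT_HEADERS = {"From": "Jane Doe <jane.doe@example.co.uk>"}
LEGIT_BODY = "Please order the usual long-service award vouchers through procurement."


def is_suspicious(headers, body, threshold=3):
    return score_message(headers, body)[0] >= threshold
```

The scoring is deliberately additive so that a single cue (an internal request that happens to mention vouchers) does not trip it; the combination of an off-domain sender, gift cards, urgency and secrecy does.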

Have you experienced this type of attack? How did you react? Anyone seeking advice on security measures around their IT systems can contact Sales on 02380 429429.

‘Orangeworm’ the new superworm hacking group that’s targeting healthcare

Hacking activity targeting the healthcare sector continues to rise.  New security research just released by Symantec has identified a global hacking group called ‘Orangeworm’.  Though its targeted victims accounted for a small number of organisations in 2016 and 2017 (mostly in the USA and Asia), some were identified as being based in Europe.  Analysis by industry has revealed that the healthcare sector is Orangeworm’s primary target, with 39% of hacking outcomes manifesting themselves in this data rich sector which includes hospitals and pharmacies.

Symantec said, “Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack”.

Orangeworm’s wormable trojan, named ‘Kwampirs’, is able to vet the data on a machine to determine if the computer is used for research or contains high value data, e.g. patient information. Kwampirs then creates a backdoor on compromised computers, enabling the hackers to remotely access equipment and steal sensitive data; the backdoor survives reboots.

The trojan worm has a penchant for machine software on critical hospital equipment which includes kit like x-ray machines and MRI scanners, as well as machines used to assist patients in completing consent forms.  If the ‘victim’ computer is of interest, the malware then “aggressively” spreads itself across open network shares to infect other computers within the same organisation and uses built-in commands to grab data. This includes “any information pertaining to recently accessed computers, network adapter information, available network shares, mapped drives, and files present on the compromised computer.”

The supply chain is a key part of this vulnerability funnel, with targets including manufacturers providing medical devices and technology companies offering services to clinics, plus logistics firms delivering healthcare products.

Director of Technology, Security & Governance, JP Norman advises: “Ensure your anti-malware provider can detect Kwampirs activity, and to prevent and detect an infection ensure that:

• A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
• All operating systems, anti-virus and other security products are kept up-to-date.
• All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
• Strong password policies are in place and password reuse is discouraged.
• Network, proxy and firewall logs should be monitored for suspicious activity.
• User accounts accessed from affected devices should be reset on a clean computer.”

Sales Director, Les Keen added, “Where there is the option for healthcare / supply chain organisations to prioritise IT funding, updating the Operating Systems is a primary, as is ensuring a strong and regular policy on Patch Management. Our Sales and Security teams are always on hand to review and audit organisational IT infrastructure and offer holistic remediation advice as part of our security readiness programmes. Just call us on +44 2380 429429”.

 

Warning to UK Public Sector about leaky Amazon Web Services

Amazon Web Services (AWS) is currently in the news for all the wrong reasons. Its Simple Storage Service (S3) containers, known as ‘buckets’, have been successfully targeted by hackers. AWS buckets have been found to be alarmingly leaky, enabling the new Buckhacker search engine tool to readily access unsecured sensitive data.

AWS is one of the UK Government’s chosen cloud service providers: GOV.UK PaaS runs from AWS in Ireland (a UK-based hosting centre is planned for 2018) and is accredited for handling personal and confidential information classified at ‘Official’ level.

Users are able to search either by ‘bucket’ name, which typically includes the name of the company or organisation using the storage, or by filename. The service collects bucket names, grabs each bucket’s index page, analyses the results and stores them in a database for others to search. There are other tools like AWSBucketDump, and according to the hackers, exposed buckets can also be trawled for rich pickings with a specific Google search.

Buckhacker was created by anonymous hackers; one of its developers commented: “The purpose of the project is to increase the awareness on bucket security, too many companies were [sic] hit for having wrong permissions on buckets in the last years”.
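The “wrong permissions” the developer refers to are visible in a bucket’s own policy and ACL documents, so an organisation can check for them before a search engine does. The following audit is an added example, not code from the original post, from AWS or from Buckhacker; the policy and ACL documents it checks are constructed samples in the JSON shapes that the real GetBucketPolicy and GetBucketAcl calls return.

```python
"""Audit S3 bucket policy and ACL documents for anonymous read/list access.

Added example, not from the original post or from Buckhacker. The policy and
ACL documents are constructed samples in GetBucketPolicy/GetBucketAcl shape.
"""
import json

# Canned ACL group URIs meaning "anyone on the internet" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let the grantee list the bucket index or fetch objects.
EXPOSING_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # "Principal": "*" and {"AWS": "*"} both mean any caller, signed or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def policy_findings(policy_doc):
    """Return (Sid, Action) pairs from Allow statements open to everyone."""
    # Statements with a Condition are still reported: confirm it truly narrows access.
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in EXPOSING_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

def acl_findings(acl_doc):
    """Return (group URI, Permission) pairs granted to the public ACL groups."""
    findings = []
    for grant in acl_doc.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings

def is_exposed(policy_doc, acl_doc):
    """True if either document lets anonymous callers read objects or list keys."""
    return bool(policy_findings(policy_doc) or acl_findings(acl_doc))

# Constructed weak policy: the "Principal": "*" read/list grant a bucket search engine feeds on.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
# Same access restricted to one role in the owning account: not public.
SAFE_POLICY = {"Statement": [{"Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
```

Run against every bucket in an account, a non-empty result from either function is the condition the post warns about; the fix is to replace the wildcard principal or public ACL grant with a named principal, as in the safe policy.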

Clearly, it is in the public sector’s interest not to risk exposure of any sensitive data (its own or the public’s), so a prime consideration for any public sector organisation is to scrutinise the credentials, security performance and data sovereignty protections of its chosen cloud provider. Public sector organisations struggle to find funding in already tight IT budgets to defend against cyber attack, but with so many different lines of attack facing them, IT managers are having to take a risk-based approach to identify where to allocate their limited funds.

Amicus ITS Director of Technology, Security & Governance JP Norman commented: “It is worth remembering that the security of the data, no matter where it resides, is the responsibility of the Data Controller in each organisation. There are ways to provide security assurance in the cloud layer that conform to the basics of Cyber Essentials. Furthermore, the right partner organisation, such as Amicus ITS, can act as a cloud broker providing proven security assurance recommendations and actions to mitigate such risks.”

At Amicus ITS, we are happy to challenge the status quo as we brand ourselves as the safe pair of hands for our customers. So with any digital transformation journey we ensure intelligent, joined-up thinking so that our Security and Governance views chime with those of our technical architects and sales professionals.

GDPR (EU data protection) from an HR perspective

The GDPR will replace the mixed blend of 28 different EU Member States’ laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU. Its main objectives are threefold:

1. The GDPR increases the rights for individuals.
2. It strengthens the obligations for companies.
3. The GDPR dramatically increases fines in case of non-compliance, up to €20m (£17m) or up to 4% of total worldwide annual turnover.

What important changes should be on your HR team’s radar?

1. Consent – Under GDPR an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Further, it is important that the employee is able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that the employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in contracts of employment and policies will suffice.

2. Subject Access Requests – The right of employees to request information about the personal data processed by the employer remains broadly the same. However, under GDPR the starting position will be that the employer must respond to a request without undue delay. The current 40 days will be replaced by 30 days. The £10 fee some companies levy for making the request will be abolished.

3. New (and enhanced) Rights – GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with a suite of so-called “delete it, freeze it, correct it” rights which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.

4. Data Breach Notification – In the UK employers must notify personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. The term ‘personal data breach’ covers a plethora of common workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It is important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.

5. Routine CRB Checks – Standard and enhanced DBS (Disclosure and Barring Service) checks will still be permitted under GDPR. However, if employers adopt a routine policy of conducting DBS checks on all employees regardless of role, and whether or not there is an English legal requirement to that effect, this may be unlawful: as it currently stands, employers will not be able to conduct routine basic DBS checks on all employees (unless their role requires them to be security cleared).

GDPR has already started to appear in the CJEU’s (Court of Justice of the European Union) soft case law (AG Opinion in Manni)
The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to the EU data protection case law:

• The court clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist;
• The court clarifies that the individual has the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds.

Organisations should be checking that all their HR staff are fully engaged on GDPR to ensure there is a comprehensive grasp of the responsibilities and actions required ahead of implementation. How ready is your HR department? Let us know.