Ravi Pather, senior vice president of eperi, has written an in-depth commentary on the significance of data protection in light of the recent NHS cyber attack. If you would like to speak to Ravi further, or have any questions, please feel free to get in touch.
“While the world focuses on what happened to the NHS and seeks answers to questions about ransomware, the age of its IT systems, whether or not the NHS had the correct anti-virus and intrusion detection technology or if there were adequate back-ups so they can restore the data; even whether or not it should pay the ransoms – the real questions have yet to be asked.
“The NHS, like any other enterprise, is subject to UK and European Data Protection Laws and has to abide by those laws. We have a Data Protection Authority in the UK called the ICO (Information Commissioner’s Office). Going forward, we need to ask what action they will take on the NHS that, as custodian of UK and European citizens’ PII (Personally Identifiable Data) and sensitive PII data, will be subject to UK and European Data Protection laws.
“Global enterprises and the NHS alike are deploying cloud-based architectures. NHS employees are leveraging mobile, smartphone and distributed cloud architectures and cloud applications. This modern-day cloud-based architecture presents significant challenges to protecting PII and sensitive PII data.
“Was this data protected?
“The UK is going through a much needed new focus on the protection of PII and sensitive data, driven by a pre-Brexit European Regulation (not a directive) known as GDPR (General Data Protection Regulation), which will become law by May 25, 2018. Even post-Brexit, the raised standards of GDPR will mean it will be fully implemented in the UK in order to do business in Europe. The UK ICO has said so.
“Instructions for GDPR were issued over a year ago and organisations were given two years to implement it, by 25 May, 2018. This means that organisations – also known as data controllers under GDPR – have to be in full flight now to be live by the deadline date.
“Where was the NHS on this journey to address GDPR and protect PII data and sensitive PII data?
“Has the NHS appointed a DPO (Data Processing Officer)?
“How will the ICO now respond to the NHS losing PII and sensitive PII data?
“NCC Group reviewed recent ICO fines for UK-based companies who lost PII and sensitive PII data. It then applied the rules for GDPR fines and concluded that TalkTalk’s fine would have gone from £880,500 to £59m!
“What should the NHS fine be now and what would it be under GDPR?
“The point is that in modern data cloud architectures with a distributed workforce that leverages the productivity of using smartphones, you cannot protect against such attacks and compromises. It is an ever-moving target. The focus can only be on protecting the data – wherever it is. This renders it useless in the case of criminals trying to steal it or hold it to ransom.
“GDPR refers to this as pseudonymising and anonymising of PII and sensitive data.
“Eperi has solved the biggest challenge that first-generation encryption solutions cannot address, and that is to make the protected data usable to the organisation (or data controller) without compromising the strength of the encryption.
“Eperi CDP solutions allow enterprises to protect PII and sensitive data and still make it usable and under full control of the organisation, a key requirement for GDPR. This means even if data, such as seen in this latest cyber attack on the NHS, had been compromised, then it would be unusable to cyber criminals. We’re left with a situation now where we don’t have an issue with useless information being encrypted in order to hold us to ransom.”
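As an added illustration of the pseudonymisation the commentary refers to, and not code from eperi or a description of the Eperi CDP product, the following Python example replaces a direct patient identifier with a keyed HMAC pseudonym. Records stay linkable for the data controller who holds the key, while a stolen copy of the pseudonymised table cannot be mapped back to patients without it. The record fields, identifiers and key values are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; identifiers and fields are made up for this example.
SAMPLE_RECORDS = [
    {"patient_id": "EXAMPLE-0001", "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"patient_id": "EXAMPLE-0002", "postcode": "EF3 4GH", "diagnosis": "diabetes"},
    {"patient_id": "EXAMPLE-0001", "postcode": "AB1 2CD", "diagnosis": "flu"},
]


def pseudonymise_id(patient_id: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256).

    A keyed construction is used rather than a plain hash because identifier
    spaces are small enough to enumerate: without the key, a pseudonym can
    neither be reversed nor recomputed from a guessed identifier. With the
    same key, the same identifier always yields the same pseudonym, so the
    controller can still link records belonging to one patient.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return copies of the records with patient_id replaced by a pseudonym."""
    out = []
    for record in records:
        copy = dict(record)
        copy["pseudonym"] = pseudonymise_id(copy.pop("patient_id"), key)
        out.append(copy)
    return out


def count_records_per_patient(pseudonymised):
    """Analytics that still works on pseudonymised data: records per patient."""
    counts = {}
    for record in pseudonymised:
        counts[record["pseudonym"]] = counts.get(record["pseudonym"], 0) + 1
    return counts


def re_identify(pseudonym: str, candidate_ids, key: bytes):
    """Map a pseudonym back to an identifier.

    Only the key holder can do this, and only over identifiers it already
    holds; constant-time comparison avoids leaking partial matches.
    """
    for candidate in candidate_ids:
        if hmac.compare_digest(pseudonymise_id(candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    # The controller generates and guards the key; it is never stored with the data.
    key = secrets.token_bytes(32)
    table = pseudonymise_records(SAMPLE_RECORDS, key)
    print(count_records_per_patient(table))
    print(re_identify(table[0]["pseudonym"], ["EXAMPLE-0002", "EXAMPLE-0001"], key))
```

The key is the element that has to be protected and kept away from the data store; the pseudonymised table on its own carries no route back to the patient, which is the property the commentary describes as making compromised data unusable.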