Table 4.3: (continued)
Security Issues | Security Recommendations
Security Training | Establish and execute security training programs by following the security standards.
Step 3: Map the lessons learned to the goal structure.
Similar to the VA 2006 and VA 2007 data leakage incidents, the lessons learned identified from the Shenzhen case can be mapped to different levels of security requirements in the Chinese security standard GB/T22239.
Step 4: Elaborate the Context and Strategy.
As we are moving to a healthcare organisation in a different country, the strategy and context used are different. The strategy we used for justifying the decomposition is stated as “Argument over GB/T22239”. We have explained “GB/T22239” in the strategy notation and the context is stated as “Security Standard China”.
Figure 4.3 presents the instance of the Generic Security Template built for the Shenzhen 2008 data leakage incident. Five main lessons learned are identified. We have found that three of the lessons learned, the issues “Sensitive Information”, “Position Description” and “Security Training”, are similar to those of the VA data leakage incidents, but the recommendations are different. The recommendations in China seem to rely more rigorously on the security standards. This can be explained by the immaturity of healthcare information security management: the Chinese healthcare organisation has only been using electronic healthcare records since 2008 and is relatively immature in information security management. Organisations tend to rely on the security standards as a starting point for shaping their information security management strategy [59].
4.4 NHS Surrey IT Asset Disposal Incident 2013
4.4.1 Case description
“The Information Commissioner’s Office (ICO) has issued NHS Surrey with a monetary penalty of £200,000 after more than 3,000 patient records were found on a second hand computer bought through an online auction site. The sensitive information was inadvertently left on the computer and sold by a data destruction company employed by NHS Surrey since March 2010 to wipe and destroy their old computer equipment. The company carried out the service for free, with an agreement that they could sell any salvageable materials after the hard drives had been securely destroyed. The ICO’s investigation found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.” [12].
4.4. NHS SURREY IT ASSET DISPOSAL INCIDENT 2013 62
[Figure 4.3, text recovered from the goal structure diagram: top goal “Healthcare System (HS) is acceptably secure”, with contexts “Healthcare System of Shenzhen Hospital” and “Chinese Security Standard”, decomposed by the strategy “Argument over GB/T22239” into 7.1 “Technical requirements are addressed” (7.1.2 “Internet Security Control is addressed”) and 7.2 “Management requirements are addressed” (7.2.1 “Security management policy is addressed”, 7.2.1.1 “Management policy (G4) is addressed”; 7.2.2 “Security management structure is addressed”, 7.2.2.5 “Audit and assessment (G4) are addressed”; 7.2.3 “Human resource security management is addressed”, 7.2.3.4 “Security education and awareness training (G4) is addressed”). Solutions attached to the leaf requirements: Network Security: Ensure network security by following the security standards; Security Policy: Establish and enforce security policy according to the security standards; Security Audit: Establish and conduct security audit plan according to the security standards; Security Training: Establish and execute security training programs by following the security standard. A second strategy, “Argument over All Missing Security Recommendations (Standard non-existent)”, holds Sensitive Information: Define the information sensitivity level.]
Figure 4.3: Instance of the Generic Security Template - Shenzhen 2008 data leakage incident
4.4.2 Instance of the Generic Security Template
Step 1: Prepare the goal structure.
The Information Commissioner’s Office (ICO) has provided a guideline [170] for IT asset disposal. This is part of a series of guidance that goes into more detail than the main provisions of the Data Protection Act (DPA) in the guide to data protection. It aims to help the data controller fully understand their obligations and to promote good practice. It explains to the data controller what they need to consider when disposing of electronic equipment that may contain personal data. We have used this guideline as the goal structure for this security incident.
Step 2: Identify the lessons learned.
Similar to the VA 2006, VA 2007 and Shenzhen 2008 data leakage incidents, the lessons learned (security issues and recommendations) are identified by looking for the learning points in the security incident report. The identified security issues and recommendations can be found in Table 4.4.
Table 4.4: NHS Surrey IT Asset Disposal Incident 2013
Security Issues | Security Recommendations
Risk Management | Carry out a risk assessment when using a data processor to dispose of the hard drives.
Personal Data | Wipe medical information and confidential sensitive data before recycling.
Contract | Have a written contract with the company processing the IT asset.
Disposal Monitoring | Monitor the destruction process and maintain audit trails and inventory logs of hard drives destroyed by the company, based on the serial numbers in the destruction certificates for each individual drive.
Remedial Action | Take remedial action, which includes developing a new policy framework to address the internal re-use of information and appliances and the disposal process for redundant equipment.
Step 3: Map the lessons learned to the goal structure.
As in the previous case studies, the lessons learned can have different levels of detail and are mapped to the corresponding levels of security requirements in the security guideline.
Step 4: Elaborate the Context and Strategy.
As we are moving to a healthcare organisation in the UK, the strategy and context used are different. The strategy we used for justifying the decomposition is stated as “Argument over IT Asset Disposal Guidance”. We have explained the “IT Asset Disposal Guidance” in the strategy notation and the context is stated as “An IT Asset Disposal guidance proposed by Information Commissioner’s Office according to Data Protection Act”.
Unlike the previous cases, which happened in the US and China, this case study focuses on IT asset disposal in the UK. Figure 4.4 presents the instance of the Generic Security Template built for the NHS Surrey 2013 IT Asset Disposal Incident. Five main lessons learned are identified, related to the issues “Risk Management”, “Personal Data”, “Contract”, “Disposal Monitoring” and “Remedial Action”. Among them, “Remedial Action” cannot be mapped to an appropriate security requirement, which indicates a probable missing aspect of the IT Asset Disposal guidance. The rest were mapped to different levels of security requirements of the IT Asset Disposal Guidance.
[Figure 4.4, text recovered from the goal structure diagram: top goal “Healthcare System (HS) is acceptably secure”, with contexts “Healthcare System of NHS Surrey” and “An IT Asset Disposal guidance proposed by Information Commissioner Office according to Data Protection Act”, decomposed by the strategy “Argument over IT Asset Disposal Guidance” into the requirements “An asset disposal strategy has been created”, “The devices containing personal data have been identified” (supported by Personal Data: Wipe medical information and confidential sensitive data before recycling), “A risk management of the disposal process has been conducted” (supported by Risk Management: Carry out a risk assessment when using a data processor to dispose of the hard drives), “An IT asset disposal company has been selected”, “A contract with the data processor has been drawn up” (supported by Contract: Have a written contract with the company processing the IT asset) and “The asset disposal process and data processors have been managed”; the remaining solution under this strategy is Disposal Monitoring: Monitor the destruction process and maintain audit trails and inventory logs of hard drives destroyed by the company based on the serial numbers in the destruction certificates for each individual drive. A second strategy, “Argument over All Missing Security Recommendations (Guideline non-existent)”, holds the goal “Remedial action has been taken for the disposal process for redundant equipment”, supported by Remedial Action: Take remedial action which includes developing a new policy framework to address the internal re-use of information and appliances and disposal process for redundant equipment.]
Figure 4.4: Instance of the Generic Security Template - NHS Surrey 2013 IT asset disposal incident
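As an added illustration of the four steps above (this is not the thesis's own tooling), the following Python model builds a template instance: the ICO guideline requirements form the goal structure, Table 4.4 supplies the lessons learned, and any lesson that Step 3 cannot map onto a requirement is placed under the “missing recommendations” branch, which is what happens to “Remedial Action”. The short requirement identifiers, the abbreviated wording and the Step 3 mapping are our own reading of Figure 4.4, not values from the text.

```python
from dataclasses import dataclass, field

@dataclass
class Goal:
    text: str                                      # top goal, strategy or requirement
    children: list = field(default_factory=list)
    solutions: list = field(default_factory=list)  # lessons learned mapped to this node

def instantiate_template(top_goal, strategy, context, requirements, lessons, mapping):
    """Steps 1-4: requirements {id: text} from the guideline, lessons {issue: recommendation}
    from the report, mapping {issue: id} from Step 3; unmapped issues go to the missing branch."""
    main = Goal(f"Strategy: {strategy} [Context: {context}]")
    missing = Goal("Argument over All Missing Security Recommendations (guideline non-existent)")
    req_nodes = {rid: Goal(text) for rid, text in requirements.items()}
    main.children = list(req_nodes.values())
    for issue, recommendation in lessons.items():
        target = req_nodes[mapping[issue]] if issue in mapping else missing  # KeyError on unknown id
        target.solutions.append(f"{issue}: {recommendation}")
    return Goal(top_goal, children=[main, missing])

def unmapped_issues(root):
    """Issues left under the missing branch: candidate gaps in the guideline itself."""
    return [s.split(":", 1)[0] for s in root.children[1].solutions]

def render(goal, depth=0):
    """Indented text view of the instance; 'Sn:' lines are the mapped lessons."""
    own = ["  " * depth + goal.text] + ["  " * (depth + 1) + "Sn: " + s for s in goal.solutions]
    return own + [line for child in goal.children for line in render(child, depth + 1)]

# Constructed from Table 4.4 and Figure 4.4 of the text; the short requirement ids are ours.
ICO_REQUIREMENTS = {
    "identify": "The devices containing personal data have been identified.",
    "risk": "A risk assessment of the disposal process has been conducted.",
    "contract": "A contract with the data processor has been drawn up.",
    "managed": "The asset disposal process and data processors have been managed.",
}
NHS_SURREY_LESSONS = {
    "Risk Management": "Carry out a risk assessment when using a data processor.",
    "Personal Data": "Wipe medical and confidential data before recycling.",
    "Contract": "Have a written contract with the company processing the IT asset.",
    "Disposal Monitoring": "Monitor destruction and keep audit trails of destroyed drives.",
    "Remedial Action": "Develop a policy framework for internal re-use and disposal.",
}
STEP3_MAPPING = {"Risk Management": "risk", "Personal Data": "identify",
                 "Contract": "contract", "Disposal Monitoring": "managed"}

def nhs_surrey_instance():
    return instantiate_template("Healthcare System (HS) is acceptably secure",
                                "Argument over IT Asset Disposal Guidance", "ICO guidance under the DPA",
                                ICO_REQUIREMENTS, NHS_SURREY_LESSONS, STEP3_MAPPING)
```

Calling `print("\n".join(render(nhs_surrey_instance())))` prints the instance as an indented tree, and `unmapped_issues` returns the issues that would justify the “missing recommendations” strategy.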