Several reasons have been put forward for the failure to appoint a senior security director for the project, including a lack of available talent among appropriately skilled specialists, and the potential shortfall in the salary on offer. However, given the high-profile nature of this particular project, and the ongoing concerns and problems thus far, one key reason could be that it would be a very brave (and some might say reckless) security professional who would be prepared to take on this particular poisoned chalice, or indeed to view it as a great career-making opportunity.

The UK National Health Service (NHS) National Programme for IT, with its current ticket price of a little over GBP12 billion, is certainly the biggest, and potentially the most high-profile and problematic, technology undertaking that the public sector has ever embarked upon. From the very beginning of the project, serious security concerns about information storage, data protection, and user access rights have been highlighted as major issues.

As recently as the end of August, the British Computer Society (BCS) was said to be supporting calls for a further technical review of the program, and casting more doubt on the wisdom of the project’s centralized, hub-and-spine-based approach to records management and service delivery.

However, the BCS’s main concerns appear to focus on how well, or otherwise, a centralized, single-source system can be expected to support the extremely complex and diverse requirements of the NHS and its users. All of which comes back to the key security issue of how you protect and manage the massive volumes of constantly available patient information when the data itself is seen as extremely sensitive, personally private, but at the same time must be instantly available to health professionals who may be asked to make life-saving decisions.

The previous statement, of course, focuses upon the extremes of data protection and information accessibility, but the new NHS system will be expected to support the diverse information access requirements of around 30,000 GPs, and 300 or so major hospitals. In itself, this represents a massive control and security issue.

However, on the positive side, all access requirements are known and controllable, and throughput requirements are also known and measurable. Therefore, from a systems protection and security perspective, it is all manageable within the service deliverables of existing technology systems.

On the negative side, whether or not the new NHS access-control security systems work well, everyone who knows anything about IT security expects the NHS system to leak information on a regular basis. The headlines that will be made each time information breaches occur will all be disapproving. Yet when the appointment of a senior security director is finally made, that person will be playing catch-up on a partially completed project, and will have to react to situations over which they may have had no original input, all of which makes the likelihood of finding the right candidate even more problematic.

Providing new technology for the NHS is not just about central record-keeping for in excess of 50 million UK citizens. It is ultimately about delivering a secure, good quality service. Centrally automating the access rights and the required record updating services adds to the overall value of the solution, but the job of effectively securing these services on a this-day and every-day basis should come with its own government health warning.

Source: OpinionWire by Butler Group (www.butlergroup.com)