CS Nov-Dec 2020

health monitoring
within the company itself does not make it
any less harmful. All organisations must
ensure they employ systems and procedures
to identify and prevent potential vulnerabilities
being exposed, including staff training."
LITMUS TEST
"These past few months have been
unprecedented in lots of ways, with many
new working practices thrust upon businesses
that were generally unprepared to such
sudden changes," says Steve Jackson, sales
director at Clinical DPO, one of the largest
outsource data protection officer suppliers in
the healthcare sector. "With a very challenging
economic environment ahead of us, many
are saying this is the litmus test for data
protection."
Will it be viewed as too difficult and too
restrictive in the fluid new normal business
environment, does he think? "Not necessarily.
With many businesses now capturing clinical
data about their staff and their customers, in
order to protect both from COVID-19, CDPO
has received many calls from clients now
seeing the importance of data usage in a firsthand
way and, with that, a new appreciation
to the risk to data posed by many of these
new working practices."
GDPR COMPLEXITIES
So, why has it taken such a dramatic event to
have organisations reassess their own attitude
to data and to their own risk regarding
potential brand and financial exposure?
"The answer lies in a cursory review of the
two years plus since the introduction of
GDPR," states Jackson. "This new legislation
brought a wave of products encouraging
businesses to buy a flat-packed tick-box data
protection compliance solution and today we
are still told by organisations that they have
'completed their GDPR', not appreciating that
GDPR is not a one-time project, but, much
like financial accounting requirements or
HR, data protection must be integrated into
the organisation, so it becomes part of the
company DNA and embedded into 'business
as usual'."
How exactly can this be achieved? "GDPR
introduced a mandated approach to the
appointment of a DPO for organisations
processing large-scale health data," according
to Jackson. "A glance at the ICO's public
register, however, indicates that many
organisations both large and small are still
to appoint a DPO. The single greatest reason
that we see for this lack of appetite for
change is a lack of time that business allocates
to effect this change."
Many data protection issues are not simply
data problems, he adds - they often arise
from an organisation's governance and
culture, as well as operational decisionmaking,
"whether it be understanding the
need, implementing the correct resource
or service, or, as we have seen on many
occasions as an outsourced DPO service,
taking the time to implement the processes
and support being provided by the DPO".
There are no silver bullet solutions, Jackson
concludes. "However, embedding data
protection by design is better in the long
run, but a business must engage to effect
this change. Until this is accepted and
understood, data protection will only
remain on the periphery of a business."
INADEQUATE TESTING?
The root cause of the Babylon Health breach
has never been fully disclosed, but may be
attributed to inadequate testing of the new
feature before moving it into a production
environment, suggests Rob Treacey, MD; cohead
of Xcina Consulting and Shearwater
Group DPO. "Although it seems that Babylon
Health has tried to downplay the significance
of the exposure and remediated it in a timely
manner, such breaches can have an adverse
impact on an organisation."
It remains to be seen whether Babylon
Health will experience any longer-lasting
reputational damage or if it will be able to
fully recover from such a breach, he adds.
"However, one thing is for certain: users will
be more cautious about using the App in
future or may simply refuse to use it
altogether, especially if they have an
alternative."
CONFIDENCE AND TRUST
As Treacey points out, end users need to
have absolute confidence and complete trust
in an organisation's ability to safeguard their
personal data, especially where that involves
sensitive personal data.
"As a risk management consultancy that
performs regular reviews and audits of our
clients, we see such process and control
weaknesses within the software development
lifecycle as not uncommon." These are
normally the result of:
Failure to adequately test and sign off
software updates or upgrades before
release into a production environment
Lack of oversight by organisations that
outsource their software development
to third parties
Lack of awareness by developers and
testers around the latest software security
risks and vulnerabilities, such as injection,
security misconfigurations, sensitive data
exposure and authentication
ssoftware design or architecture that is
inadequate
Cutting corners, due to the pressure to
release software updates or upgrades
against tight deadlines.
"Any organisation that experiences a data
breach, due to a software weakness or any
related software processes and controls,"
he says, "is merely putting itself in the shop
window for a future cyber-attack, not
to mention any subsequent fine from a
supervisory authority. Some organisations
may be able to minimise their reputation
damage or loss of users, but others may be
less fortunate".
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security
9