Could privacy engineering have neutralised the Welsh NHS hack?

Last week the names, dates of birth, National Insurance numbers and radiation doses of Welsh NHS staff who work with X-rays were revealed when hackers accessed a third-party contractor’s system.

The attack is symptomatic of the proliferating threat facing the NHS, public institutions and businesses every day. It highlights how organisations are not only exposed by weaknesses in their own data storage, but also by any third party with whom they share data.

For a business, a data breach can undermine its relationship with customers. Recent figures suggest that 23% of customers deal with a company less following a data breach, whilst 11% stop altogether.

But refusing to collect or analyse data can also be damaging – companies need data to innovate and stay ahead of their competition. To do this, sharing information with third parties is often a necessity.

But when data is lost or misused, the data owner bears the brunt of the repercussions. There is, therefore, a tension between protecting the privacy of individuals and enabling analytics that could drive business value or scientific innovation.

Although the details of this particular case are still becoming clear, privacy engineering techniques may have made the sensitive data less vulnerable to exploitation.

Today, leading organisations are adopting privacy engineering to limit the exposure of sensitive data in the event of a breach, protecting people’s personal information and mitigating reputational damage.

Whereas cyber security measures protect data from unauthorised access, privacy engineering tools can protect sensitive personal information at the point of access, whilst also preserving the valuable patterns and relationships in the data.

Privacy engineering tools also allow data controllers to select an acceptable level of privacy risk, taking into account the trustworthiness of the stakeholders and environment involved.

Business leaders need to understand how data is being used both within their organisation and by third parties to put the right technology, controls and processes in place to protect it.

Organisations should ensure that privacy is embedded by design into their data infrastructure by only exposing the information required for an operation in the appropriate context.

Often, identifying information is not needed for processing and these attributes can be removed or tokenised. For many analytical use cases, organisations can go even further and use anonymised data. Incoming GDPR regulations will make much of this best practice obligatory.

There are a couple of key lessons that companies and organisations need to learn to ensure a better approach to data privacy:

Protect individual privacy before sharing, by removing or obscuring the identifying data through anonymisation techniques, which can reduce the risk of an adversary identifying one or more individuals in a dataset.

Simply removing or obscuring primary identifiers in data often doesn’t go far enough. Replacing the primary identifiers with pseudonyms can help, but sometimes indirect identifiers also need to be processed to make data resistant to linkage attacks.

Ensure staff are well trained and informed on the privacy risks involved when sharing data, and have access to the right tools to mitigate those risks.

Data is an asset but it’s also a liability. Think about what data you might need in the future, rather than gratuitously storing personal data you don’t need. Then put the right tools in place to protect personal information.
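
The gap between pseudonymising primary identifiers and also processing indirect identifiers can be measured before a dataset is shared. The following is an added example, not code from the article or from any organisation it mentions: the records are constructed, and the choice of HMAC tokenisation and of k-anonymity as the measure are assumptions, since the article names no specific technique.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import date

# Constructed sample records, not real data:
# (name, NI number, date of birth, postcode, annual dose in mSv)
RECORDS = [
    ("Alys Evans", "QQ123456A", date(1975, 3, 14), "CF14 4XW", 0.8),
    ("Bryn Davies", "QQ223456B", date(1978, 11, 2), "CF14 2TL", 1.1),
    ("Carys Hughes", "QQ323456C", date(1982, 6, 30), "SA2 8QA", 0.4),
    ("Dylan Morgan", "QQ423456D", date(1986, 1, 9), "SA2 7PB", 2.3),
    ("Eira Jones", "QQ523456A", date(1971, 9, 21), "CF14 3AA", 0.6),
    ("Ffion Price", "QQ623456B", date(1989, 12, 5), "SA2 0GB", 0.9),
]
# Assumption: the data controller keeps this key and never ships it with the data.
KEY = secrets.token_bytes(32)

def tokenise(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable for joins, not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(rec, key):
    """Drop the name and tokenise the NI number; indirect identifiers untouched."""
    _name, ni, dob, postcode, dose = rec
    return (tokenise(ni, key), dob.isoformat(), postcode, dose)

def generalise(rec, key):
    """Additionally coarsen DOB to a decade and postcode to its outward code."""
    _name, ni, dob, postcode, dose = rec
    return (tokenise(ni, key), f"{dob.year // 10 * 10}s", postcode.split()[0], dose)

def smallest_group(rows):
    """k of k-anonymity: size of the smallest group sharing (DOB, postcode)."""
    return min(Counter((r[1], r[2]) for r in rows).values())

def unique_rows(rows):
    """Rows whose (DOB, postcode) pair is unique, i.e. exposed to linkage."""
    groups = Counter((r[1], r[2]) for r in rows)
    return sum(1 for r in rows if groups[(r[1], r[2])] == 1)

if __name__ == "__main__":
    for label, fn in (("pseudonymised", pseudonymise), ("generalised", generalise)):
        rows = [fn(r, KEY) for r in RECORDS]
        print(label, "k =", smallest_group(rows), "unique rows =", unique_rows(rows))
```

On the sample data, pseudonymisation alone leaves every row unique on date of birth and postcode (k = 1), while generalising those two fields yields two groups of three (k = 3) and the dose values remain available for analysis.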

Companies should be encouraged to innovate with data. However, in today’s business intelligence pipelines, care should be taken to embed privacy engineering techniques and protect the underlying information.

It is important to remember that whilst some data on its own may not be sufficient to identify an individual, combining it with other data may unveil identities or sensitive personal information to would-be hackers.

Organisations should therefore practise ‘privacy by design’ and embed privacy into the DNA of their businesses. Doing so correctly is the key to enabling successful, data-driven innovation whilst preserving your relationship and reputation with customers.


Sourced by Jason du Preez, CEO of Privitar

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
