British Standard for information security must be made a priority within NHS warns Nexor

Slow adoption of BS 7799, part of the NHS Plan and associated eGovernment policy, threatens NHS agencies’ and trusts’ goal of secure communications

Nottingham, UK, 11 September 2002 – Nexor, a leading provider of high-tolerance messaging and directory solutions, is warning NHS agencies and trusts that BS 7799 accreditation, a standard for information security management, should be treated as a priority within the Health Service’s eBusiness strategy. Although NHS organisations were asked to complete an initial ISO 17799 analysis (the precursor to the BS accreditation for information security) by June 2001, only one agency and two trusts have since been formally accredited.

'Better care for patients and improved health services rely strongly on the availability of information, controlled in a secure and managed way,' explains Humphrey Browning, Head of Technical Consultancy at Nexor. 'BS 7799 is a perfect mechanism to achieve this and provides a complete, cost-effective level of security around both physical and electronic information stored and transmitted by the NHS. It is therefore vital that senior executives provide the necessary support for such accreditation and that they understand the background, nature and purpose of standards such as BS 7799.'

The warning comes after a recently published DTI survey highlighted that only 15 per cent of those responsible for IT security across all UK private and public sectors were aware of the British Standard’s requirements, suggesting widespread complacency and a trend to focus on security hardware rather than on usage policies and the protection of information. BS 7799 is intended to serve as a single reference point for the security of both physical and electronic information used within industry and commerce. The standard defines several areas of importance, from access control (preventing unauthorised access to confidential information) through to the implementation of security policies and asset classification.

'In a sector such as healthcare, where the confidentiality of certain data including patient records is of paramount importance, a single security breach could be catastrophic. As BS 7799 is considered to be of key importance by both the NHS and the UK Government, it is vital that agencies and trusts follow guidelines and prioritise compliance audits using the locally designated BS 7799 lead, the individual responsible for compliance within each Health Authority,' adds Browning.

Nexor’s own S/MIME Security solution, which acts as a plug-in for Microsoft Outlook 2000, uses security labelling to enable organisations to classify the importance of emails and assign the appropriate level of security. Security labelling has traditionally been used within military messaging infrastructures to classify the level of security assigned to a particular communication; Nexor now offers it to all private and public sectors, allowing organisations to treat information as a tangible asset and consider its relative value.

In line with BS 7799 requirements, Nexor S/MIME Security enables organisations to distinguish between low-level communications, such as staff memos, and high-value communications such as medical records. By tagging the email with a security label in Microsoft Outlook, Nexor S/MIME Security is then able to apply the relevant security policies automatically, including access control rights, digital signatures and encryption.

More information about BS 7799, and how accreditation can be achieved, is available from the BSI website. Information about the role of BS 7799 in the NHS is available from the Department of Health website.

For further information, please contact Wendy Draper at info [at] nexor [dot] com (subject: Nexor Press Release).