Vets should update their software now or risk GDPR fines
Remember when the NHS almost shut down in 2017 because they hadn’t updated the software on their ageing PCs? Have you heard about the Meltdown and Spectre flaws that were revealed on 3 January 2018? The news at the time focussed on Apple devices but it actually affected nearly everyone. Do you ever get those software update pop-ups or those anti-virus software warnings saying your subscription is out of date?
Well, the Information Commissioner’s Office (ICO) has warned that not keeping software up to date could lead to veterinary practices being punished when the EU General Data Protection Regulation (GDPR) is enforced on 25th May 2018.
The ICO has actually said that organisations, who may be found to be in breach some point down the line, but who fail to identify and patch vulnerabilities today, could face lengthy disciplinary measures and even be fined.
Although the ICO has stated that fines will be a last resort (and financial punishments of any scale will be mainly reserved for flagrant violations), any disciplinary action will more likely be costly in terms of reputation and hassle, as much as any fine the ICO might trouble you with.
If your practice does suffer a breach, and it’s discovered that the breach was down to simply not updating existing software, then the ICO will probably take enforcement actions including deeper investigations into the organisation’s practices. It’s also likely that the ICO will exercise their option to address any aspects that fall short of the GDPR’s requirements. That’s long hand for a probably lengthy and definitely time consuming investigation process.
In short practice owners and directors could be held liable for a breach of security that relates to measures, such as updating software, that should have been taken previously. Not patching existing software is a factor that the ICO will take into account when determining whether a breach of the seventh principle of the Data Protection Act – Accountability - is serious enough to warrant a fine.
Retroactive punishment
Whilst new law, like the GDPR, is not normally applied to retrospective activity (or lack of activity), the ICO has emphasised how important keeping your software up to date is and reinforced the importance of the broader requirement of maintaining effective information security management systems. For instance the ICO specifically listed ‘poor patch management’ as a reason for fining organisations, as was the case in the 2017 case where Carphone Warehouse suffered a £400k fine for a 2015 breach.
It’s not rocket science
The irony is that keeping your software up to date is one of the simplest ways of maintaining your cyber security.
The advice that Connected Vet offers in our Self-Serve route to compliance is that any organisation concerned about its software update policy should consider certifying to Cyber Essentials, a government-backed scheme that offers a really simple route to good basic cyber security.
Cyber Essentials includes five controls that we cover in our free Overview of GDPR for vets. When implemented correctly, the five system security controls we highlight, are thought to prevent up to 85% of cyber attacks. The controls we mention in our overview are:
- Patch management
- Physical security
- Boundary firewalls and Internet gateway security
- Password controls
- Malware protection
So, if you’d like to see where Cyber Essentials fits into our Managed or Self-Serve routes to compliance, please check out the options we’ve just launched in the new Connected Vet Academy, where you’ll find practical routes and advice that will help your practice become and remain compliant with the new GDPR regulations.