I was delighted to be joined by one of our ISO Support Plan clients, Optimum on the ISO show this week. Optimum is part of Totally Group Plc and an important player in the healthcare sector in the UK.
Huge volumes of sensitive data are processed in the healthcare sector. As Information Governance Lead and a qualified Physiotherapist at Optimum, David Angove explains about keeping one step ahead in his role in relation to information security.
David described how Optimum’s ISMS should be like a well-fitted suit rather than a straight-jacket. This all stems from the robust Risk Assessment which considers all risks to your business, including managing the integrity of data. The ISMS helped to put a continual improvement plan in place to mitigate risk. He explains about preventing access to private information through documenting controls and applying them to all 20 Optimum clinics. Examples include physical security controls i.e. locking screens to protect patient data. Other controls relating to personnel security include having a starters and leavers process to ensure access rights are granted correctly, and that access rights are revoked when an employee leaves the organisation.
ISO 27001 also helped with preparation for GDPR compliance, particularly with investigating all aspects of where and how data is stored within the company. When I asked what top tips he’d give to a company looking to implement ISO 27001 David recommended getting assistance from a consultancy such as Blackmores (we hadn’t paid him to say that, I promise!), including support with the assessment, as the consultant will ‘know the standards inside-out’.
David also recommends a gripping read, ‘Ghost in the wire’s: My adventures as the words most wanted hacker’ by author Kevin Mitnik which covers how he hacked into some of the country’s most powerful – and seemingly impenetrable – agencies and companies using social engineering and other methods. This acts as a good reminder about the value of Penetration Testing, to test how good the security of your business is and to understand that everyone is aware of your systems.
He mentioned that you can have the fanciest encryption systems and the best passwords, but if the people answering the phones or processing data aren’t aware of them, then its only as good as the weakest link.
And for services in this area – check out – ISO Steps to success, or if your ISMS is like a straight-jacket rather than a well-fitted suit, our ISO support Plan will help you into an Armani equivalent ISMS for your business.
To help out the ISO Show:
Special thanks to David Angove from Optimum for joining me this week. Until next time!