COI Report – Part VII Page 363 of 425 learn how patient safety concerns were dealt with and disruption to provision of medical services minimised. 44.4 Measures should be considered to secure data-at-rest 1053. In the Cyber Attack, the attacker was able to view the full details of the medical records stored in the SCM database, once he had gained access. This was so as there were no measures in place to secure the data-at-rest in the database. 1054. Data-at-rest refers to information stored in databases in filesharing servers, in backup tapes etc, and generally includes any data that is not being transmitted through a network (which is known as data-in-motion). 1055. The amount of data that is being generated daily continues to increase exponentially. Given the rapid pace of development of cyber attacks, data-centric security measures must be deployed. These measures include safeguarding the data itself as it resides in repositories such as databases. 1056. In general, mechanisms to protect data involve coding data in such away that access to the data is restricted. This process can generally be referred to as “masking” 96 and can occur at the central record repository. Techniques used to mask information in a patient’s medical record include data encryption and tokenisation. a) Encrypting data-at-rest prevents unauthorised access by anyone who defeats normal system access controls. It alters the content of the data and stores it in encrypted form. This makes health data unreadable unless an individual has the necessary key or code to decrypt it. This would ensure that unauthorised individuals are notable to seethe data in its original form. Dr Lim has recommended encrypting all data-at-rest, where possible, to protect against both Data masking is the process of hiding original data with random characters or data.
