As the guardian of your health information, Our Future Health takes data security incredibly seriously. “You have trusted us with your data and for that, we owe you a duty to protect it to the very best of our ability,” says Toby Foster, our Director of Information Security.  

Toby and his colleagues in our Information Security team work on the frontline of cyber security at Our Future Health. Their task is to repel any hacker or ‘bad actor’ out there who might want to gain access to our participants’ data. 

 “Think of it like this,” he says. “Imagine Our Future Health as a fortress where we store our volunteer’s de-identified data. Our job is to make sure that only approved health researchers can enter the fortress. If anyone who isn’t approved tries to enter, we have layers and layers of defences to catch them.” 

This week, our cyber defences received new certification. Following an extensive audit by LRQA, it was confirmed that Our Future Health is working to ISO27001 standards. This is an international standard of best practice for information security controls, set by the International Organisation for Standardization (ISO).

So, how do we keep data secure – and why is it so crucial to our mission?

Help from the best in the business

“A large-scale data breach would undermine the fundamental thing that we need most for this project: public trust,” says Ciaran Martin, a member of our Board of Trustees and the chair of our Data Protection and Information Security Committee. 

Ciaran is a leading figure in UK data security. He is the founding Chief Executive of the National Cyber Security Centre, part of GCHQ. He also helped create the UK government’s National Security Strategy, and is a professor at Oxford University. 

“I was excited to get involved with Our Future Health,” he says. “It was clear from the beginning that this programme involves risk and reward. You have the risk of data breaches – but the huge reward of new discoveries in healthcare. There’s such a compelling need for the research.”

“There are times in information security when you say ‘look, this project is just too dangerous to pursue’. But that wasn’t the case with Our Future Health. We knew it was an ambitious project and we could find ways of managing the risk. So, we got stuck in to find a way to do it in a sensible, risk-managed way.”

Ciaran isn’t alone in offering us guidance on how we create security measures that reflect the highest industry standards. “From early on, we made sure that our advice comes from people who are the best at what they do,” says Marko Balabanovic, our Chief Technology Officer, the man charged with creating Our Future Health’s computing systems long before the programme had launched to the public.  

Marko points to the many experts who sit on our Technology Advisory Board as an example. There’s Ian Levy, a Distinguished Engineer at Amazon and former Technical Director of the National Cyber Security Centre; and Ben Laurie, Principal Engineer, Security, at Google Research. Plus NHS data experts such as Simon Bolton and Dr Sarah Wilkinson, both former CEOs of NHS Digital, and Tomas Sanchez Lopez, Director of Technology and Data Integration at NHS England. 

You can see the full member list on our Governance page. 

“I believe we have the help of the best in the business,” he says. “They can all see the potential rewards of our programme, and they’re helping us to make it happen in the most secure way possible.”

The benefit of starting from scratch

One big advantage for Marko, Toby, and the team is that we’ve built our systems from the ground up. 

“The older a system is, the harder it can be to keep it secure,” says Toby. “Our system is very new and uses modern technologies, and that makes it easier to keep it up to date.” 

“We’ve been able to factor security into everything we do, so our systems are designed to be inherently secure. We’ve taken a layered approach, so we can position security protocols at every stage. The idea is that if one control is breached or fails, there are a lot of other controls that will keep the data safe.” 

Take Toby’s fortress example. We have layers of defences to stop unapproved people entering the fortress – but even approved researchers who are allowed in only ever get to see de-identified data. Our volunteers’ names and locations are stored elsewhere, in a completely different fortress. It significantly reduces the risk of personal data being used to identify someone. 

You can find out about some of the other defences we use by watching our video on how we make data available to approved researchers. 

24/7 vigilance

Today, the job of data security is going on even as you read this. We always have guards patrolling the fortress day and night. 

“We are highly vigilant in our monitoring,” says Toby. “We have a team of people in our Security Operations Centre who monitor our systems 24/7. They’re trained and ready to respond to any potential incident.  

“We also have highly automated, responsive security controls too. Any sign of a problem, it gets instantly locked down.” 

Another layer in our defence is what’s known as ‘penetration testing’ – a field where Toby started his career. “We ask our specialist penetration testers to pretend to be hackers, to see if they can get into our system. The idea is that they’ll reveal any weakness, so we can then take steps to proactively address it.

“We’re constantly monitoring new threats. That includes researching new techniques that bad actors are using.” 

And then there’s the ‘war-gaming’. Good cyber security experts don’t just work out how to keep hackers at bay – they make plans for the worst-case scenario. “We have to anticipate what happens if a bad actor ever gets through,” says Ciaran. “If they do, we need to detect them as quickly as possible and cauterise their ability to do damage. And we have to plan how to recover from it.”

“We are always looking out for new challenging situations that we might encounter,” adds Toby. “We discuss our possible responses and tactics to hypothetical circumstances, based on research. It means we’re already prepared for situations and know what to do.”

Above and beyond

While building our systems over the past four years, we’ve been rewarded with a series of national and international data security accreditations. For example, we’re Cyber Essentials Plus certified, which is a security framework used by the government. We also undergo an annual assessment for the NHS Data Security and Protection Toolkit, which allows us to work with NHS data. 

ISO 27001 is the latest certificate on our wall. “We’ve been working to ISO standard for a long time, so it’s great to receive the formal confirmation,” says Toby. “The standard helps you consider the risks you need to mitigate and put in place the right controls for those risks.” 

Certificates are like driving tests, says Ciaran. “They demonstrate you’ve got the capability, but they aren’t an insurance against something bad happening.  

“That’s why we must ask the same question every day. How do we make sure nothing bad happens? It’s crucial to our mission, because without the public’s trust, this powerful health research programme just wouldn’t work.”