Cancer registry testing security of computer system

The results of a ‘penetration test’ of the computer system of the National Cancer Registry Ireland (NCRI) are expected to be brought before a future NCRI board meeting.

The issue of data compliance was raised at the October meeting of the NCRI board.

The meeting was addressed by the NCRI’s data protection officer (DPO), who reported on compliance with data protection legislation.

According to the minutes, the DPO “highlighted that the personal data the registry collects do not belong to the registry, it belongs to the individual and it is the responsibility of the registry to store, anonymise, protect and appropriately use such data”.

At the same meeting, the board undertook to “consider the use of a third party to conduct a penetration test on its computer system, networks and web operations to ensure that there are no security vulnerabilities that an attacker could exploit”.

An NCRI spokesperson said the review is taking place.

“Given the nature of NCRI’s business, work is continually ongoing on the review of organisational data compliance, personal data and third-party data,” the spokesperson told the Medical Independent.

They continued: “A penetration test, also known as a ‘pen test’ or ‘ethical hacking’, is the practice of testing a computer system, network or web application to find security vulnerabilities. These vulnerabilities may be exploited by a determined attacker, or by malware spreading on the Internet.

“This is a service offered by many information security companies and again, is a necessary part of NCRI’s ongoing business to ensure security is maintained at all times.”

The results from this penetration test are expected to be raised at a future NCRI board meeting, according to the spokesperson.