In late 2006, Bupa engaged Red Island Consulting (now part of Gemserv) to design and implement its information security programme. A core fundamental of the programme was to meet all the compliance requirements stipulated by the National Health Service (NHS) for participation in the Choose and Book scheme. This was to be achieved by the operation of a certified ISO/IEC27001 Information Security Management System (ISMS) and compliance with the NHS Information Governance toolkit (based on ISO27002).
Gemserv provided a dedicated consultancy resource to work full time with Bupa to achieve a very constrained deadline of June 2007 to have met all NHS requirements. During the initial phase of the engagement, the Gemserv consultant conducted a scoping exercise leading to a multi-phase rollout of the ISMS.
Phase one of the design involved achieving ISO27001 certification for the primary in-house Bupa Data Centre and Bupa’s IT Operations function encompassing networks, storage and service management. Gemserv conducted an asset identification of all information assets within the data centre, the IT department and dependencies. These assets were then risk assessed and an aggressive Risk Treatment Plan (RTP) developed to ensure Bupa’s risk management strategy was achieved within the NHS deadline.
Bupa successfully achieved certification for the data centre scope in May 2007, and successfully met all requirements for participation in the Choose and Book scheme.
Having successfully completed the requirements for Choose and Book, Gemserv then continued with further development of the information security programme within Bupa. This involved the creation of a separate ISO27001 certified ISMS for the newly created Spire Healthcare, in addition to the expansion of the scope of the existing Bupa ISMS to include the secondary data centre in the north of England. In parallel to this activity Gemserv performed an information security gap analysis across Bupa operations in the UK, Europe and Australia.
Completion of this phase of the project assisted the Bupa Risk and Governance team in demonstrating Bupa’s commitment to information security whilst also allowing for the planning of the next stages of the information security programme.
In 2009, Gemserv commenced the next stage of Bupa’s information security programme. This involved the design and implementation of a separate ISMS covering a Bupa subsidiary, Bupa Health Dialog. The scope for this ISMS covered operations in Cambridge, UK and in Manchester, New Hampshire, USA. For this implementation Gemserv faced two very different challenges from the previous UK scope in that the scope had to satisfy both the Information Commissioners Office and the NHS that patient data transferred to the subsidiary was suitably protected. This involved the design of technical and administrative controls including the use of pseudonymisation. The second challenge was integrating policy, process and procedures with the existing HIPAA compliance regime operated in the US.
Bupa Health Dialog attained certification for the UK operation in December 2009 and for the US in October 2010.
Following the success of the Bupa Health Dialog project Gemserv were engaged to conduct further expansion of Bupa’s information security programme. This included the creation of a standalone certified ISMS to cover the operation of the Bupa Cromwell Hospital in London. Here Gemserv assisted in designing controls to mitigate risks inherent with patient identification and confidentiality as the hospital treated international patients including many high net-worth individuals. Bupa Cromwell achieved certification in 2012. In parallel Gemserv created a suite of global Group information security policies which were then locally customised to each international region. This helped Bupa maintain consistency in its compliance operations across all operating regions.