Securing mobile devices is just one of the things that NHS IT managers have to worry about. Yet every lost laptop and USB stick containing patient data is liable to turn up in the pages of the local or national press.
E-Health Insider recently ran a survey on the security of mobile devices, sponsored by Credant, which revealed both good and bad news for managers and headline writers. Stephen Pritchard reports.
It is exactly a year since HM Revenue and Customs was forced to admit that it had put the details of 25m child benefit claimants on two CDs and lost them in the post.
Information Commissioner Richard Thomas recently dubbed it a “year of data breaches.” Since the HMRC fiasco, his office has received notification of 277 serious data breaches, 75 of them from the NHS.
Although only 18 of the NHS breaches related to the loss or theft of portable media, there is something particularly potent about laptops and USB sticks full of patient data being stolen from cars or dropped in High Streets.
Every story of this kind that hits the papers undermines confidence in the health service’s ability to keep sensitive, confidential information safe; which is why E-Health Insider recently ran a survey on mobile device security, sponsored by Credant.
The survey suggests repeated data breaches and government action to try and stop them have had an impact. It also found examples of good, less good and bad practice when it come to securing information on mobile devices.
And it suggested that one of the challenges facing the health service is to provide alternatives to using them, particularly when data needs to travel between sites and across sectors.
Plenty of policies
NHS chief executive David Nicholson wrote to all chief executives in December 2007, telling them to review information governance arrangements and encrypt data in transit. The message was reinforced in a further “dear chief executive” letter in September.
The survey suggests this has had an impact. Very nearly all of the 300 respondents to the survey said their organisation had an IT/information security policy, and 65% said that it had been updated in the past year.
Concerns remain, though, about whether trusts are doing enough to communicate policies to staff. Forty two per cent of respondents said policies were simply posted on an Intranet and 23% said they were given to staff – only 23% said they were supported by network security controls or warnings, or physical measures such as blocking USB ports.
Anecdotal evidence from respondents who agreed to be interviewed by EHI suggests that devices are often issued with little in the way of guidance or user training. In some cases, devices with built-in security, such as PDAs, are issued with their security features turned off – so users have to work out how to activate them.
One hospital doctor said: “There is general Internet and Intranet usage guidance, which our attention is drawn to. But I don’t think it is enough to leave it up to me to find the guidance and plough through pages of legal language to find out whether or not to encrypt my mobile device.”
Dr Ant Allan, a research vice president at IT research firm Gartner, says such issues are by no means unique to the NHS. But budget constraints, and difficulties in changing tried and tested working practices, can make security measures harder to implement.
“In health, it is often the case that you have to work in a certain way, so organisations have to look at how they protect data in those use cases,” he says. “Businesses have the choice to restrict the way they work, in order to protect the data. The NHS doesn’t always have that freedom.”
Investing in security
Peter Curry, clinical lead for eHealth at NHS Fife, and a consultant anaesthetist, points out that the ability to view x-rays on a laptop just five minutes after they were taken brings enormous benefits in terms of patient care, especially as his organisation covers an area that is 70 miles long and 110 miles wide.
“A colleague in St Andrews can look at the same x-ray, at the same time, as I can,” he says. But to get these benefits securely, NHS Fife has invested heavily in remote access technologies.
Staff log in to systems using tokens, they are authenticated using a Radius server and traffic is carried over secure virtual private networks. Access technology, using Citrix virtual clients, means that no trust information is left behind on the local device at the end of a session.
In addition, the organisation limits access. “Not every doctor has remote access, only those who need to use it,” Curry says. This both controls costs – access is limited to employer-owned devices – and it ensures a greater level of security.
The survey suggests that other parts of the health service are adopting less sophisticated responses. Indeed, it suggests that one area in which the NHS has work to do is providing staff with good, secure alternatives to carrying information around on potentially insecure devices.
Thirty nine per cent of respondents said they used mobile devices because they needed to take data outside a secure network – on patient visits, for example – although 28% said they used them simply because they were “convenient and easy.”
The challenges of keeping mobile data mobile
Although 50% of respondents said their organisation banned (6%) or restricted the use of mobile devices, the survey found evidence of variable practice in terms of securing the information on them.
A fifth of respondents said they used their own, rather than employer-owned devices at work, and only 36% said they were protecting data with encryption. Twenty nine per cent said they used only a password and 5% said they used no security at all.
The follow up interviews, however, demonstrated that device security is a complex area. Different healthcare sectors may have different practices: and these may cause problems when information has to travel between them.
“I run the PCs for my practice, and the machines in the surgery are encrypted,” says Dr John Williamson, a GP based in Nottinghamshire, who also encrypts flash memory devices and uses an encrypted, Palm PDA.
He cautions that proprietary encryption systems might not be as secure as they could be, and raise issues of compatibility. “If I encrypt email, it is filtered out by the NHS firewall system because it can’t look inside the message – but that’s the point of encryption,” he says.
Ted Yeoman, COPD project manager for Cambridgeshire NHS, also points out that incompatibilities between security systems can stand in the way of efficient practice, even when the information at stake is not particularly confidential.
His role involves running training courses at several hospitals. Yet he finds that measures designed to protect patient data can also block the use of thumb drives containing nothing more sensitive than a PowerPoint presentation.
Meanwhile, Yeoman points out that some of the data losses that have made the news in the past year have involved paper records. And while “there is a culture in which it is still frowned upon to send anything to do with a patient by email” the most common alternative – the fax – is hardly secure.
“I would like to be able to create a web site that would host all the documents that my project board needs to see,” he says. “There are no names on those files apart from mine. But that would mean a step change in the way IT is organised.”
How confidential is confidential?
The survey also found that most respondents were carrying corporate rather than patient data on their mobile devices. Fifty four per cent said they carried corporate data: just 9% said they carried patient records and 6% medical images.
More worryingly, 61% used them to store work contact details, 45% to carry personal contact details and 15% to store passwords and other security data – a potential security weakness that might be explained by the fact that some NHS staff need to keep passwords for over 40 separate systems.
So, although data security is – and is set to remain – a key issue for all parts of the health service, organisations need to balance adequate security measures with the practicalities of working life and patient care. This may not be news to many IT directors. But Gartner’s Allan says trusts need to avoid creating a culture where “the man from security says no.”
“There is a balance that all organisations have to find. It is a question of a high level risk assessment and analysing the operational impact. It is about setting the risk of preventing certain activities against the security risk of exposing certain kinds of data.”