CfH issues tablets safety warning
- 13 January 2012
NHS Connecting for Health has warned trusts about the risks of using tablet devices – saying they are much more likely to be stolen and to be used to inadvertently share patient information than other technology.
The ‘good practice guidelines’ say the use of tablets in commercial organisations is increasing and there is “pressure for NHS organisations to follow suit.”
But it warns: “These devices present a number of issues that are not necessarily found in more traditional technology solutions.”
The document states tablet devices are “inherently less secure” than traditional IT equipment and that this means they are not necessarily suitable for accessing sensitive and patient identifiable data.
It advises trusts that the devices should not be used to store such data and those that can be used to access information remotely should have any information that is temporarily stored on them erased after use.
Many tablet devices are set to automatically back-up their contents to Cloud services by default. The CfH guidance says that means data could be uploaded to remote servers without the user even being aware of it.
“These servers may be anywhere in the world and may be out of the jurisdiction of the organisation responsible for that data.”
To avoid such situations, unnecessary services should be removed or disabled and the ability to re-enable or reinstall them restricted or blocked completely.
Many trusts have also reported using tablet devices and connecting to systems through wi-fi, Bluetooth or mobile phone networks.
CfH says this presents multiple ways for the devices to be compromised, including the potential to give network carriers access to information.
It recommends that trusts should only allow connections to wi-fi through secure virtual private networks and that corporate devices should not be given access to mobile networks or have Bluetooth enabled.
The guidance states tablet devices are an attractive target for theft because of their highly portable design.
“As well as the financial cost, the risk of loss of data may be higher with these devices than other portable solutions due to their desirability, ease of concealment and ease of access to device content once it has been stolen.”
To avoid such thefts trusts are encouraged to implement strong encryption and also allow for the remote wiping of information.
Consideration should also be given to the use of built-in GPS functionality so the device can be tracked.
“Users should also be required to ensure security of the device by keeping it at hand at all times, locking it away when not in use, and reporting loss of theft of the device immediately,” the document reads.
Allowing the introduction of personal portable devices to NHS settings presents another risk, as there can be a lack of consistent policy control which can result in sensitive data being copied to insecure devices or locations.
The document also says portable tablet devices do not encourage audit logs, and introducing large numbers of such devices could cause problems for trusts from a management perspective.
The best devices to use in the NHS are being debated in the ‘Kindle potential in healthcare discussion’ in the new EHI Mobile group.
