Bedford Hospital NHS Trust has deployed Symantec’s Dataloss Prevention Solution to monitor and protect confidential patient data being sent by email.
The solution is being used to highlight potential improvements which could be made to emailing confidential data and to ensure the hospital is not exposed to fiscal penalties for data loss from the Information Commissioner.
The district hospital, which serves more than 270,000 people, previously had an assortment of mail filtering tools.
Mark Austin, chief information officer at the trust, told eHealth Insider that the hospital has clear policies on what data can and cannot be stored or sent via email, but that it needed “something a bit more refined” to ensure the policies were followed.
He said there needed to be a balance between what kind of information you can transfer, how you transfer it and who you can transfer it to.
“It’s secure to use NHS mail and it’s secure to send some information within the hospital, but it’s certainly not secure to send information from the hospital to a Google account. Equally, emailing from an NHS trust account to a GP can’t be deemed totally secure. “
“The Dataloss Prevention Solution is educating people in their behaviour because it’s like Jiminy Cricket sitting on their shoulder asking ‘are you sure that’s right’ and ‘are you sure it’s going to the right place’.
“It provides warnings and reminders that they’re being monitored.”
The trust, which uses Microsoft Exchange email, has deployed the software to monitor and protect confidential patient data in an effort to comply with the Information Commissioner’s latest regulations on data protection.
Austin said: “We all have to do information governance within our service, and over the years we have become more heavily audited for it.
“In the realisation that having security policies in place explaining what ‘thou shalt not do’, there’s a realisation that the Information Commissioner was really looking for how to educate people beyond signing that you’ve read the policy.
“It’s a bit like signing up to Gmail and saying you have read the 20 pages of terms and conditions.”
The solution is the first Symantec product deployed by the trust, but it has already had several other security measures in place. These include encryption of mobile devices and enforcing that only encrypted memory sticks can be used on the hospital computers.
The trust uses Microsoft’s Active Directory, which provides a central location for network administration and secure identity management. Austin said they could tie systems back to the directory so that clinicians have a specified username and password that has a 30 day limit.
He added: “We’ve been under pressure for some time to relax it from the 30-day password aging to slightly longer to help clinicians with their memory. “