ITPRO

Printed from www.itpro.co.uk


    How one NHS trust encrypted its data

Do businesses and the rest of the public sector have anything to learn from NHS requirements that all hospitals encrypt their data?

By Asavin Wattanajantra, 10 Jul 2009 at 14:27

Last September, NHS chief executive David Nicholson issued a national mandate requiring all NHS trusts to secure personal data with encryption.

Nicholson and the NHS appreciated the importance of the security of patient data, which was often sensitive. In 2008 there had been a number of high-profile data leaks from councils and other public sector agencies, and data security was a particularly hot topic at the time.

The NHS was also trying to move data held on paper to a digital form, with organisations around the world having the same concerns.

When this mandate was passed down, there was no suggested solution. It had nothing to do with the £12.7 billion NHS IT project, which meant that all NHS trusts were required to find their own way to encrypt their data through suppliers and vendors.

The Nottingham University Hospital NHS Trust revealed to IT PRO some of the trials and tribulations that it had to go through to implement encryption, mainly concerning the use of USB sticks.

Duncan Bliss, ICT manager for the trust, said that the trust had to look at what sort of encryption it needed and at its own working practices.

He said: “Part of that is looking at what people do with data sticks for example. In our investigations it unearthed some poor practice where data was being taken offsite, which in some circumstances was quite sensitive.”

“What it did was become a real eye-opener for us that we needed to do something about it,” he added.

With the security of data sticks, there are a number of different options. Some NHS trusts went down the route of disabling all of their USB ports, standard practice in some corporate industries.

However, Bliss said that because it was a teaching trust, this was difficult to implement: there was a legitimate need for people to move data, and much of it wasn’t sensitive.

Bliss said: “You can go down the encrypted stick route and allow a certain type of stick onto your network.”

However, encrypted sticks were expensive, so the Trust decided to go down the route of looking at software that controlled what kind of devices were plugged into USB ports.

Bliss said: “We could automatically block things like iPods that we couldn’t see a legitimate reason to be used within the NHS. Then you can start to come up with an approved list of data sticks.”

In the end the trust decided to use a solution from Safend, which also had the benefit of “forcing” encryption. If a user decided to put a USB stick in, they were prompted with a choice about whether to ‘encrypt’ or to ‘cancel’.
