How one NHS trust encrypted its data
Do businesses and the rest of the public sector have anything to learn from NHS requirements that all hospitals encrypt their data?
Last September, NHS chief executive David Nicholson issued a national mandate requiring every NHS trust to secure personal data with encryption.
Nicholson and the NHS appreciated the importance of securing patient data, much of which is sensitive. In 2008 there had been a number of high-profile data leaks from councils and other public sector agencies, and the subject was at the time a particularly hot topic.
The NHS was also trying to move data held on paper to digital form, a transition that organisations around the world were approaching with the same concerns.
When the mandate was passed down, no solution was suggested with it. It had nothing to do with the £12.7 billion NHS IT project, which meant that every NHS trust had to find its own way to encrypt its data through suppliers and vendors.
The Nottingham University Hospital NHS Trust revealed to IT PRO some of the trials and tribulations that it had to go through to implement encryption, mainly concerning the use of USB sticks.
Duncan Bliss, ICT manager for the trust, said that the trust had to look at what sort of encryption it needed and at its own working practices.
He said: "Part of that is looking at what people do with data sticks for example. In our investigations it unearthed some poor practice where data was being taken offsite, which in some circumstances was quite sensitive."
"What it did was become a real eye-opener for us that we needed to do something about it," he added.
For securing data sticks there are a number of different options. Some NHS trusts went down the route of disabling all of their USB ports, which is standard practice in some industries.
However, Bliss said that because Nottingham is a teaching trust this was difficult to implement: there was a legitimate need for people to move data, and much of it wasn't sensitive.
Bliss said: "You can go down the encrypted stick route and allow a certain type of stick onto your network."
However, encrypted sticks were expensive, so the Trust decided to go down the route of looking at software that controlled what kind of devices were plugged into USB ports.
Bliss said: "We could automatically block things like iPods that we couldn't see a legitimate reason to be used within the NHS. Then you can start to come up with an approved list of data sticks."
In the end the trust chose a solution from Safend, which had the added benefit of "forcing" encryption. When a user plugged in a USB stick, they were prompted to choose between 'encrypt' and 'cancel'.
If the user cancelled, they could read data off the stick but could not save anything to it. If they chose to encrypt, the software backed up the stick's contents, encrypted the stick, and then allowed them to put data back on.
Bliss said: "We would be able to have USB sticks worth under £10 and use it as an encrypted stick. People were able to use their existing data sticks to encrypt."
The benefits also included the protection of data burned to CDs and DVDs: no data could be written to a disc without encryption.
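The two controls described above, blocking a device class with no clinical use and making any unencrypted stick read-only, can be reproduced on a modern Windows PC with built-in policy rather than Safend. The script below is an added example, not the trust's configuration; it assumes an elevated session on a domain-less test machine (in a domain the same values would be set through Group Policy), uses the documented BitLocker To Go and device-installation-restriction policy values, and adds an audit function that reports which inserted drives are protected.

```powershell
# Added example (not the trust's Safend setup): Windows built-in equivalents of
# 1) blocking a device class with no legitimate use (portable media players /
#    phones = the Windows Portable Devices setup class), and
# 2) denying write access to removable drives until they are BitLocker-protected,
#    which mirrors the "cancel = read-only, encrypt = read-write" behaviour.
# Run elevated. The registry values below are the ones the corresponding
# Group Policy settings write.

$wpdClass = '{eec5ad98-8080-425f-922a-dabf3de3f69a}'   # Windows Portable Devices class GUID

function Set-RemovableMediaPolicy {
    # Prevent installation of devices whose setup class is in the deny list
    $restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path "$restrict\DenyDeviceClasses" -Force | Out-Null
    Set-ItemProperty -Path $restrict -Name 'DenyDeviceClasses' -Value 1 -Type DWord
    Set-ItemProperty -Path "$restrict\DenyDeviceClasses" -Name '1' -Value $wpdClass -Type String

    # BitLocker To Go: "Deny write access to removable drives not protected by BitLocker"
    $fve = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
}

function Get-RemovableDriveEncryptionReport {
    # Audit: every removable volume with a drive letter and its BitLocker state.
    # WriteAllowed reflects what the policy above permits, not the current ACLs.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mp = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = $mp
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
                WriteAllowed     = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
            }
        }
}

Set-RemovableMediaPolicy
Get-RemovableDriveEncryptionReport | Format-Table -AutoSize
```

The audit output is the quick check a trust would want after rollout: any drive showing ProtectionStatus 'Off' is one that users can still read but, under this policy, can no longer write to.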
Bliss said that the encryption solution, for 10,500 employees and 7,000 PCs, was implemented in around eight weeks.