Real life security in the NHS revealed

Speaking at the Mobile and Wireless Healthcare conference in Birmingham last week, Andrew - head of information security and compliance with Berkshire Shared Services - told attendees that one of the biggest problems facing IT security managers in the NHS is distilling a security guide down to the point where staff will read it from start to finish.

"Our first Infosec policy guide was 110 pages. And no-one read it. Now it's 15 pages, which includes a number of workflow pages, and is actually around the nine page mark in terms of text", he said.

"Training is the biggest issue. Whilst you can expect a number of NHS staff to understand how a computer works, we often find ourselves having to explain how the keyboard's function keys work", he added.

Even with such basic hurdles, Andrew - who has been in the NHS for six years - says he likes information security to be as secure as humanly possible.

"We have learned to work with NHS professionals and control the data, and so make life easier for staff to deal with IT. People often think that security is a barrier to the NHS. It isn't", he said.

"It's actually more about a balance. You're talking about confidentiality, integrity and availability of data. And then, of course, there's the physical security of the IT to worry about", he added.

According to Andrew, his primary ITsec model comes down to the CIA terminology - confidentiality, integrity and availability.

And where patient data is involved, he explained, there is a distinct need for only the member of staff to be able to see and use the information at their fingertips.

The security systems used within the NHS, he says, need to be easy to use, and reliable - even if they cost more than, say, normal laptops in the first place.

"We have 300 laptops and 300 Blackberries (in my own trust) to protect. That's a lot of units. We've ruled out netbooks, despite their being cheaper, as they have no integral smartcard reader. We also use digipens and RAS VPN systems to great effect", he said.

What about mobile connections? Andrew said that WiFi, with encryption and secure authentication, is in widespread use in offices and wards, while out-of-premises connections use 3G mobile broadband with VPN facilities.

In total, across all three NHS trusts, he told his audience, he and his team have more than 1,100 laptops to defend. Over 20% of these use mobile broadband and COWS plus WOWS are his biggest headache.

COWS - computers on wards - and WOWS - wireless on wards - is an amazingly powerful proposition, but you have to engender security from the ground up, he noted.

"This entails installing 12 slot filing cabinets in wards and offices and, at the end of the shift, the laptop goes into a secure storage cabinet. If the security staff find an unsecured laptop on a desk overnight, they place it into its designated cabinet and leave a note for the owner", he said.

"In the morning they come in, find the note, leave a donation to charity - that's a must - and retrieve the notebook. The system works and works well. It's simple", he added.

 
