
Survey reveals mixed picture on device security

19 Nov 2008

NHS organisations have tightened up on mobile device security in response to the recent spate of data breaches from the public sector, an E-Health Insider survey suggests.

A year ago this week, Chancellor Alastair Darling was forced to tell Parliament that HM Revenue and Customs had put the personal details of 25m child benefit claimants onto two CDs and lost them in the post.

The widely publicised loss prompted a review of government data security, more powers for Information Commissioner Richard Thomas, and tougher penalties for data breaches.

NHS chief executive David Nicholson wrote to all chief executives in December 2007, telling them to review information governance arrangements and encrypt data in transit. The message was reinforced in a further “dear chief executive” letter in September.

EHI’s survey, sponsored by Credant and completed by 300 readers at the start of October, suggests that trusts are acting on these messages. Almost all respondents said their organisation had an IT or information security policy and 65% said this had been revised in the past year.

The survey also found that organisations are moving to ban or restrict the use of mobile devices, such as laptops, personal digital assistants and USB sticks. Six per cent of respondents said their organisation banned such devices outright and 44% said their use was restricted.

However, there was less evidence that organisations are taking steps to actively enforce their policies. Twenty six per cent of respondents said policies were given to staff, and 42% said they were published on a corporate intranet.

Only 12% said they were enforced by warnings or other network action – although 11% said they were supported by physical measures, such as USB ports being glued up or blocked.

The survey also found there is work to do in terms of providing staff with good, secure alternatives to carrying information around on potentially insecure devices. Thirty nine per cent of respondents said they used mobile devices because they needed to take data outside a secure network and 28% said they used them simply because they were “convenient and easy.”

There was also evidence of poor practice. A fifth of respondents said they used their own, rather than employer-owned devices at work, and only 36% said they were protecting data with encryption – while 29% said they used only a password and 5% said they used no security at all.

Despite this, 73% of respondents said they felt the data on their mobile devices would be safe from identity thieves, hackers and others who might use it for personal gain.

This might be because relatively few respondents said they carried patient data on mobile devices. Only 9% said they carried patient records and 6% medical images.

However, 15% said they carried security information, such as passwords, while 45% said they carried personal contact details and 61% work contact details – some of which could potentially help social engineers and hackers.

Michael Callahan, VP Global Marketing at Credant Technologies, said: “Credant’s advice would be for all healthcare IT departments to implement a data-centric information protection solution that includes policy enforcement and centralised management and reporting.

“In doing this, IT departments can significantly limit patient and other important data exposure even as it resides on personal devices.”

A similar survey was run in the US. It reinforces the impression that action to tackle high profile data breaches is having an effect in the UK. Only 4% of US respondents said mobile devices were banned and 30% said they were restricted, while 18% said they used no security at all on the data they contained.

Related article:

Left to their own devices?

Lyn Whitfield

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

1

Banned

square_route@yahoo.com

19 Nov 08 12:56

How does "Banning" the use of USB Keys stop data leakage??! That just smacks of an HR policy which says "after the horse has bolted (and if we find out it was you) we can shut the stable door (by firing you)"

Get an IT Policy and a means of controlling any type of removable media, then you are on the right path.


2

all unnecessary media should be removed.

19 Nov 08 14:00

We're a little confused by square_root's comment, as the banning of USB sticks is part of controlling the unnecessary use of removable media. With the unreasonable resistance shown by many clinicians to the use of encrypted storage supplied by their organisations, banning the use of removable media is a reasonable last resort. And yes it is unreasonable, I've heard comments such as "I'm not stupid enough to leave my personal belongings behind". No, but you might get mugged, or your belongings are spread all over the pavement after you're run over. Alternatively, you might just prove to be fallible, and lose said media.

The underlying attitude of professional health carers needs to change to show they understand the consequences of one little accident, e.g. the man whose details were used to set up credit cards and purchase memberships to paedophile websites; his life was utterly destroyed by false accusations during the six months it took the police to get round to checking he had reported the initial ID theft. Or how about today's story with the BNP membership list being published, and people already receiving threats? Regardless of your opinions on the BNP, this is another case of people's livelihoods being threatened by careless or malicious release of confidential information.

Unless you absolutely cannot work without taking data out of the secure environment, find another way to work. Making life easier for yourself is not a valid reason to risk someone's livelihood. Ideally, general workstations would block writing of data to removable media, be it USB or CD/DVD, with specialised workstations which log the recording of data. Similar to the old days where hardened, standalone workstations were used to virus check media being brought into the network.

For those who feel such restrictions would make their working life difficult, please could you include the reasons in any reply.


3

Thoughts on the Survey

andrew.clarke@lumension.com

20 Nov 08 08:34

I was very surprised to see the attitudes reported in this survey.

"organisations are moving to ban or restrict the use of mobile devices, such as laptops, personal digital assistants and USB sticks."

So how does a ban actually work - through a policy that people don't know about or read and if they do use them what happens to them? Relying on a written policy will always result in some confusion and either deliberate or accidental actions that don't follow the policy.

The survey stated that: "less evidence that organisations are taking steps to actively enforce their policies"

It is more effective to have system enforced policy that manages and controls the use of mobile devices - then if someone is authorised to use a specific device the system will allow it and if not the system will deny it. We have read that some NHS trusts have already implemented Device Control solutions and we know that these trusts can sleep more effectively knowing that the data they hold is at last secured. Moreover a complementary solution of Application Control defines what applications can be run, so if by chance someone brings in a USB stick containing malware and plugs that into their system, the solution stops the malware executing and causing chaos.

and finally: "although 11% said they were supported by physical measures, such as USB ports being glued up or blocked."

Personally I find USB ports very useful: I connect my scanner and printer, so the glue idea is one of total deny and never use this port again. Seems extreme to me - better to control and manage these ports - define what's allowed to be connected and define what a user can do once they are connected; encrypt sensitive data and audit the use of the devices when required.


4

Control of the USB sticks

andrew.clarke@lumension.com

20 Nov 08 16:16

Considering how to control use of USB sticks, there are effective methods for enforcing this without impeding NHS business. Such capabilities include:

Enabling only the use of authorised USB devices on a network

Enforcing granular permissions to specific and/or groups of endpoints, ports, devices and users whether online or offline.

Placing constraints on permissible file transfers to reduce the possibility of malware introduction or data leakage

Protecting data transferred onto USB devices by enforcing 256-bit AES encryption

In order to ensure the effective enforcement of an NHS USB device policy, we recommend the following three key steps:

1. Quantify the risk of unmanaged USB devices on your network. A good way would be to do a device scan. Any data protection solution should have this capability.

2. Define data policy on the use of USB sticks and the data and file types transferred to these devices. Identifying what file types or desktops should automatically apply encryption would be part of this effort.

3. Enforce the policy. While you can do this through technology solutions you must also adopt an enterprise-wide educational effort and ensure the buy-in of all senior management. Focused education and awareness is paramount to policy enforcement.
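The device-control approach described in comments 3 and 4 above (an authorised-device list, per-group permissions, writes allowed only to encrypted media, and a device scan to quantify unmanaged sticks before the policy goes live) is sketched below as an added example in Python. It is not the commenter's code or any vendor's product; the device identifiers, hosts, user groups and the agent-reported `encrypted` attribute are constructed assumptions, and a real deployment would take its plug-in events from an endpoint agent rather than from an inline list.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

DeviceKey = Tuple[str, str, str]  # (vendor id, product id, serial)


@dataclass(frozen=True)
class UsbDevice:
    """A USB storage device as an endpoint agent might report it (constructed fields)."""
    vendor_id: str    # USB VID, four hex digits
    product_id: str   # USB PID, four hex digits
    serial: str       # serial number; tells individual sticks of one model apart
    encrypted: bool   # hardware-encrypted model? (assumed to be reported by the agent)

    @property
    def key(self) -> DeviceKey:
        return (self.vendor_id.lower(), self.product_id.lower(), self.serial)


@dataclass
class Policy:
    # Authorised devices: device key -> user groups permitted read/write access to it.
    authorised: Dict[DeviceKey, FrozenSet[str]] = field(default_factory=dict)
    # Groups allowed to read from (never write to) devices that are not on the list.
    read_only_groups: FrozenSet[str] = frozenset()
    # Block writes to any device that is not hardware-encrypted, even if authorised.
    require_encryption_for_write: bool = True


ALLOW_RW, READ_ONLY, DENY = "allow-rw", "read-only", "deny"


def evaluate(policy: Policy, device: UsbDevice, groups: FrozenSet[str]) -> Tuple[str, str]:
    """Decide what a user in `groups` may do with `device`; returns (decision, reason)."""
    permitted = policy.authorised.get(device.key, frozenset())
    if permitted & groups:
        if policy.require_encryption_for_write and not device.encrypted:
            return READ_ONLY, "authorised device is not hardware-encrypted; write blocked"
        return ALLOW_RW, "authorised device and permitted user group"
    if groups & policy.read_only_groups:
        return READ_ONLY, "device not authorised; group may read only"
    return DENY, "device not authorised"


def audit_line(host: str, user: str, device: UsbDevice, decision: str, reason: str) -> str:
    """One audit record per plug-in event, in the form a central console would collect."""
    return (f"host={host} user={user} vid={device.vendor_id} pid={device.product_id} "
            f"serial={device.serial} decision={decision} reason={reason!r}")


def risk_summary(policy: Policy, inventory: List[Tuple[str, str, UsbDevice]]) -> Dict[str, int]:
    """Step 1 of the comment above: count unmanaged devices found by a device scan."""
    seen = {d.key for _, _, d in inventory}
    unmanaged = [(h, d) for h, _, d in inventory if d.key not in policy.authorised]
    return {
        "devices_seen": len(seen),
        "unmanaged_devices": len({d.key for _, d in unmanaged}),
        "unencrypted_unmanaged": len({d.key for _, d in unmanaged if not d.encrypted}),
        "hosts_with_unmanaged": len({h for h, _ in unmanaged}),
    }


# --- constructed sample policy and scan results (not real devices, users or hosts) ---
POLICY = Policy(
    authorised={
        ("0951", "1666", "TRUST-ENC-0001"): frozenset({"clinicians", "it-admin"}),
        ("0951", "1666", "TRUST-ENC-0002"): frozenset({"it-admin"}),
        ("0781", "5567", "LEGACY-0009"): frozenset({"clinicians"}),  # old, unencrypted stick
    },
    read_only_groups=frozenset({"it-admin"}),
)
USER_GROUPS = {
    "alice": frozenset({"clinicians"}),
    "bob": frozenset({"it-admin"}),
    "carol": frozenset({"admin-staff"}),
}
INVENTORY = [  # (host, user, device): plug-in events as an agent-side scan would report them
    ("ward3-pc01", "alice", UsbDevice("0951", "1666", "TRUST-ENC-0001", True)),
    ("ward3-pc01", "alice", UsbDevice("0781", "5567", "LEGACY-0009", False)),
    ("ward3-pc01", "alice", UsbDevice("abcd", "1234", "PERSONAL-7F3A", False)),
    ("it-desk-02", "bob", UsbDevice("abcd", "1234", "PERSONAL-7F3A", False)),
    ("it-desk-02", "bob", UsbDevice("0951", "1666", "TRUST-ENC-0002", True)),
    ("recept-pc04", "carol", UsbDevice("1234", "5678", "CAMERA-0042", False)),
]


def run(policy=POLICY, inventory=INVENTORY, user_groups=USER_GROUPS):
    """Evaluate every event in the inventory; returns (decisions, audit lines)."""
    decisions, log = [], []
    for host, user, device in inventory:
        decision, reason = evaluate(policy, device, user_groups.get(user, frozenset()))
        decisions.append((host, user, device.serial, decision))
        log.append(audit_line(host, user, device, decision, reason))
    return decisions, log


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
    print(risk_summary(POLICY, INVENTORY))
```

Keying the allow-list on vendor id, product id and serial together is what makes "only authorised devices" enforceable: matching on VID/PID alone would admit every stick of the same model, including a personally owned one. The `read_only_groups` setting gives IT staff a way to read an unknown stick for investigation without letting data leave the machine, and the risk summary is the device-scan figure step 1 asks for, so the policy can be tuned before it is switched to enforce mode.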


5

Standardise the solution...please

ted.yeoman@nhs.net

28 Nov 08 09:30

Continuing from Andrew's excellent answer .... One proviso: the solution must be National ... part of the reason for the use of USB sticks and CDs and before that floppy discs is to move data, such as spreadsheets, PowerPoints, even Word documents from one organisation to another in the absence of a network. The Chief Exec going to the SHA, the Director of Public Health to the Local Authority, the expert speaker to a conference.. You can't always e-mail these things, you may have been working on them on the train to the meeting ...

Great solution now let us implement it as UK plc wide standardised system.
