NHS trust moves to protect data in emails, laptops and USB sticks

By Ron Condon, U.K. Bureau Chief
04 Feb 2009 | SearchSecurity.co.uk


The medical profession is built on patient confidentiality. When patient records go missing or are accidentally exposed to the wrong people, it is a serious matter.

NHS trusts making security improvements

After an embarrassing breach that occurred last July, NHS Lothian has implemented encrypted USB pen drives that must be used to carry personal data.

Basildon and Thurrock University Hospitals NHS Foundation Trust had success deploying one particular vendor's endpoint security products.

To avoid being one of the unfortunate statistics (see sidebar), the Lancashire Teaching Hospitals NHS Foundation Trust (LTH) is concluding a two-year programme that will provide protection for personal data, both in transit over the Internet and at rest on laptops or USB sticks.

Project manager Saeed Umar started looking at email security almost two years ago in order to protect those messages that went outside the NHS and over the Internet, to patients, for example. The NHS mail system provides a closed environment where staff can email each other without fear of data going missing, but when they have to send messages to outside people or bodies via the Internet, there is potential for data falling into the wrong hands.

Two years ago, Umar says he looked at several products to help provide message encryption, but wanted to avoid too much administration or user training. "I was very keen that there should be no change for the end user. With most products at the time, you had to authenticate and get credentials, and get some technical help to install certificates."

He eventually decided to run a pilot project using the SecureMail system from Voltage Security Inc., which acts as a plug-in to Outlook and allows users to encrypt messages just by hitting a 'Send Secure' button on their Outlook client. The management of all encryption keys is handled as a managed service, which Umar says made it the perfect product for his needs.

The pilot project presented no problems, and so Umar decided to go for what he calls a "big-bang approach," bringing all 4,500 users onto the system at once. "It was fantastic. We had maybe two or three calls to the service desk, but it just went in and ran," he said, adding that certificates did not need to be set up.

"We deployed the Outlook agent across all our PCs in the hospital. … It requires no training. You treat [a message] like any other email, except that you use the 'Send Secure' button when you have a message you need to encrypt," Umar said.

Of course, any encrypted message has to be decrypted at the other end. The recipient of an encrypted message from LTH receives a message with a Web link to the Voltage system. If this is the first time the user has received such a message, he or she must connect to the Voltage system and set up a login, password and personal reminder (such as a mother's maiden name) before the mail can be read in the clear.

NHS litany of lost data

January 2009 – Abertawe Bro Morgannwg University NHS Trust in South Wales suffered the theft of a laptop holding the unencrypted medical records of about 5,000 patients. The computer was taken from an unlocked office.

September 2008 – A member of the public finds a memory stick holding the records of 200 mental health patients. The stick belonged to a member of staff at the Tees, Esk and Wear Valleys NHS Foundation Trust.

June 2008 – Six laptops were stolen from the St George's Healthcare NHS Trust in Tooting, South London, containing information on around 20,000 patients. The machines were taken from a locked cupboard.

June 2008 – A Freedom of Information enquiry reveals that more than 522 laptops were stolen or lost across 110 NHS trusts in England in the previous three years.

January 2008 – An NHS laptop holding information on 5,123 patients was stolen from the outpatient department at Russells Hall Hospital in Dudley. The laptop was not encrypted but required a login and password.

In any further communications, recipients log on via Voltage, similar to accessing a banking website. Any messages they send back to LTH will also be encrypted without them having to take any special action or know about encryption keys.

"If they reply back from within the email, that goes back encrypted without them having to do anything," Umar said. "That was another benefit for us. It allows users to engage in a two-way secure conversation with anybody in the world without the recipient having to install an agent on their PC."

The Voltage system can also filter messages at the email gateway to check for 'trigger' words or phrases that would alert management to certain information leaking out, encrypted or unencrypted. So far, LTH is not making use of that function and is relying on people to apply the 'Send Secure' button when they think it is needed.

Instead of the gateway filtering feature, Umar mainly uses the reporting feature to identify what traffic is leaving the hospital.
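To make the gateway-filtering idea concrete, here is an added example (not Voltage's code and not part of the original article) of the kind of check such a filter would run on outbound mail: it looks for configured trigger phrases and for strings that pass the NHS number's modulus-11 check digit, and it flags a hit whether or not the sender used 'Send Secure', tagging unencrypted hits so they can be prioritised. The trigger phrases, the internal domain `trust.example` and the sample messages are all constructed for the illustration; the NHS number check-digit rule itself is the published one.

```python
"""Outbound-mail trigger filter: a constructed illustration of a gateway
check like the one the article describes (not Voltage's own code)."""
import re
from dataclasses import dataclass, field

# Assumed trigger phrases a trust might configure; not taken from the article.
TRIGGER_PHRASES = ("patient record", "medical history", "diagnosis", "discharge summary")

# NHS numbers are ten digits, usually written in 3-3-4 groups (assumed pattern).
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_number_is_valid(candidate: str) -> bool:
    """Modulus-11 check digit: weights 10..2 on the first nine digits,
    check = 11 - (sum mod 11); a result of 11 means 0, 10 means no valid number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == digits[9]


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    encrypted: bool  # True when the user hit 'Send Secure'


@dataclass
class Verdict:
    action: str  # "pass" or "alert"
    reasons: list = field(default_factory=list)


def inspect_outbound(msg: Message, internal_domain: str = "trust.example") -> Verdict:
    """Decide whether a message leaving the closed NHS environment should raise an alert."""
    if msg.recipient.lower().endswith("@" + internal_domain):
        return Verdict("pass", ["internal recipient"])
    reasons = []
    lowered = msg.body.lower()
    for phrase in TRIGGER_PHRASES:
        if phrase in lowered:
            reasons.append(f"trigger phrase: {phrase!r}")
    for m in NHS_NUMBER_RE.finditer(msg.body):
        if nhs_number_is_valid("".join(m.groups())):
            reasons.append("valid NHS number pattern")
            break
    if not reasons:
        return Verdict("pass", [])
    # Alert regardless of encryption; an unencrypted hit gets an extra tag.
    if not msg.encrypted:
        reasons.append("sent without 'Send Secure'")
    return Verdict("alert", reasons)


# Constructed sample traffic (hypothetical addresses and numbers).
SAMPLE_MESSAGES = [
    Message("nurse@trust.example", "patient@example.com",
            "Your discharge summary is attached. NHS number 943 476 5919.", encrypted=True),
    Message("admin@trust.example", "supplier@example.com",
            "Invoice reference 123 456 7890 attached.", encrypted=False),
    Message("clinician@trust.example", "colleague@trust.example",
            "Patient record updated, see diagnosis.", encrypted=False),
    Message("clerk@trust.example", "gp@example.com",
            "Referral for NHS number 4010232137 - medical history enclosed.", encrypted=False),
]


def run_samples():
    """Run the filter over the sample traffic; returns (recipient, verdict) pairs."""
    return [(m.recipient, inspect_outbound(m)) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for rcpt, verdict in run_samples():
        print(rcpt, verdict.action, "; ".join(verdict.reasons))
```

The second sample message carries a ten-digit invoice reference that fails the check digit, so it passes; the check-digit test cuts the false positives that a bare ten-digit regex would produce, though roughly one random ten-digit string in eleven still passes it, so in practice a phrase or identifier hit should be correlated with other signals before anyone is alerted.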

Locking down laptops and USB sticks

With email nailed down, Umar has now turned his attention to data at rest. With antimalware vendor McAfee Inc. mandated by the NHS as a security supplier, Umar is now in the process of installing SafeBoot technology (now part of McAfee) on all laptops to apply full-disk encryption and to enable control of USB ports.

The aim is not to block off the USB ports completely, but the trust needs to gain control over how information is used on pen drives. Using SafeBoot, it will be able to force encryption and limit which devices can be plugged into a USB port.

Umar is examining a couple of possible USB pen drives that support encryption, and says a decision on this will be made very soon. "The plan is to allow only the use of approved token devices on USB ports," he said. "We have a lot of different types of users, but we wanted to go for a single encrypted pen drive that we can manage centrally."

He considered a variety of authentication mechanisms for the pen drive, but opted for using a password. "Our users may be wearing gloves, or they may have gel on their hands, so that rules out fingerprint recognition. I'm a big fan of keeping everything simple. The end users shouldn't really have to change the way they work."



