You are here  IT Management Risk Management

Hackney NHS trust encrypts IT equipment following loss of child data

Rebecca Thomson
Thursday 05 June 2008 12:58

City and Hackney Teaching Primary Care Trust (CHTPCT) hasencryptedits laptops, desktops and memory sticks in the wake of a security blunder that led to theloss of personal details of 160,000 children.

Discs containing children's names and addresses went missing after local service provider BT sent them via courier to an East London hospital in November last year.

CHTPCT has installed encryption software on about 1,400 computers and 400 memory sticks, and is considering plans to encrypt other devices, such as digital cameras, in the wake of the incident.

"We identified a major security issue," said the trust's head of ICT, Tim Wilson. "With hindsight, this should have been done across the health service many years ago."

Wilson said the lost discs were "heavily encrypted", but an investigation found a need for all mobile devices and desktop PCs to be more secure.

The trust hired Egress to roll out Check Point software to PCs and laptops. It gave staff encrypted memory cards with the NHS logo on them as part of the £132,000 project. Only these specific cards will work on the trust's computers.

Health service staff are using more mobile technology in their day-to-day work, which means the need for better security is more pressing, said Wilson.

"Five years ago everything was PC based, but in the future a district nurse going to see a patient will be carrying computer equipment."

The project follows a government directive to trusts encrypt all IT equipment by 31 March this year.

The trust decided to encrypt every device, instead of working out which devices contained sensitive data and removing it.

"We did not have the time to go to every machine and make sure data was taken off. Even if you delete a file off the hard drive, the data can still be read. We decided to encrypt everything because it is easier," said Wilson.

IT chiefs across the NHS are more security aware following high-profile data losses last year, Wilson said.

"They are tightening up on how things are done," he said.

But he said it was the mistake of an individual, rather than a faulty security system, that led to Hackney's data loss.

"The courier was given very clear instructions on who to take the discs to, including names, addresses and mobile numbers. But he still handed the package to a white male named "David" who was standing on the public side of a reception desk. In our case it was an individual's stupidity."