NHS primary care trusts (PCTs) have blamed the body responsible
for running the NHS's
National Programme for IT, after missing a government deadline
to secure data on mobile devices.
The
Department of Health gave trusts a deadline to encrypt data on
mobile devices, following a series of embarassing security breaches
last year. They included the
loss of 160,000 children's names and addresses by
City and Hackney Primary Care Trust last year, and HM Revenue
& Customs' loss of the details of 25 million people.
Matthew Swindells, former Department of Health CIO, wrote to
PCTs on 30 January this year asking them to encrypt data on all
mobile devices, including laptops and memory sticks, by March
31.
But PCTs contacted by Computer Weekly, said
Connecting for Health, which runs the NHS National Programme
for IT, did not release details of the McAfee Safeboot encryption
system until mid-March, leaving them little time to complete the
work. Some trusts said they did not receive the information until
April or May.
Kingston PCT said, "We did not manage to encrypt all our mobile
devices in line with the 31 March deadline, primarily because
details of the contract for the nationally procured software were
not released until mid-March."
Portsmouth PCT said that it had encrypted mobile devices that
store patient data. "However, we have yet to complete encryption
across the full range of mobile devices used by our staff. The
Connecting for Health encryption solution was not available until
late March, delaying the roll out of our local programme."
Knowsley PCT said it began the encryption software roll-out in
mid May. The full roll out-will take around six months, it
said.
Milton Keynes PCT said that it was in a position to start the
encryption project following a meeting in mid-May with its licence
supplier, Trustmarque. "As a trust we have not been in a position
to start until now as we were waiting for guidance from Connecting
for Health and additional training," it said.
Some primary care trusts, such as City and Hackney PCT, bought
their own package and implemented it by the deadline.
A spokesman for Connecting for Health said, "Trusts are required
to provide an assurance that mobile devices are encrypted. It is
understood that this process can take some time as skilled
technicians are required to complete the task."
CfH said 700,000 licences for the Safeboot encryption tool have
been purchased centrally so far, and more can be obtained.
"Strategic health authorities are responsible for ensuring that
trusts progress with encryption as swiftly as possible and the
Department of Health has advised SHAs to consider undertaking an
independent audit of their trusts' progress."