NHS trust updates email, laptop security to aid patient confidentiality

To better protect patient information, one Lancashire NHS trust has stepped up its email encryption and mobile data defenses.

The medical profession is built on patient confidentiality. When patient records go missing or are accidentally exposed to the wrong people, it is a serious matter.

To avoid being one of the unfortunate statistics (see sidebar), the Lancashire Teaching Hospitals NHS Foundation Trust (LTH) is concluding a two-year programme that will provide personal data protection, both in transit over the Internet and at rest on laptops or USB sticks.

Project manager Saeed Umar started looking at email security almost two years ago in order to protect those messages that went outside the NHS and over the Internet, to patients, for example. The NHS mail system provides a closed environment where staff can email each other without fear of data going missing, but when they have to send messages to outside people or bodies via the Internet, there is potential for data falling into the wrong hands.

Two years ago, Umar says he looked at several products to help provide message encryption, but wanted to avoid too much administration or user training. "I was very keen that there should be no change for the end user. With most products at the time, you had to authenticate and get credentials, and get some technical help to install certificates."

He eventually decided to run a pilot project using the SecureMail system from Voltage Security Inc., which acts as a plug-in to Outlook and allows users to encrypt messages just by hitting a 'Send Secure' button on their Outlook client. The management of all encryption keys is handled as a managed service, which Umar says made it the perfect product for his needs.

The pilot project presented no problems, and so Umar decided to go for what he calls a "big-bang approach," bringing all 4,500 users on to the systems at once. "It was fantastic. We had maybe two or three calls to the service desk, but it just went in and ran," he said, adding that certificates did not need to be set up.

"We deployed the Outlook agent across all our PCs in the hospital. … It requires no training. You treat [a message] like any other email, except that you use the 'Send Secure' button when you have a message you need to encrypt," Umar said.

Of course, any encrypted message has to be decrypted at the other end. The recipient of an encrypted message from LTH receives a message with a Web link to the Voltage system. If this is the first time a user has received such a message, he or she must connect to the Voltage system and set up a login, password and personal reminder (such as a mother's maiden name) in order to receive the unencrypted mail.

In any further communications, recipients log on via Voltage, similar to accessing a banking website. Any messages they send back to LTH will also be encrypted without them having to take any special action or know about encryption keys.

"If they reply back from within the email, that goes back encrypted without them having to do anything," Umar said. "That was another benefit for us. It allows users to engage in a two-way secure conversation with anybody in the world without the recipient having to install an agent on their PC."

The Voltage system can also filter messages at the email gateway to check for 'trigger' words or phrases that would alert management to certain information leaking out, encrypted or unencrypted. But so far, LTH is not making use of that function and is relying on people to apply the 'Send Secure' button when they think it is needed.

Umar is not currently using the gateway filtering feature; he mainly uses the reporting feature to identify traffic leaving the hospital.

Locking down laptop security and USB sticks

With email security nailed down, Umar has now turned his attention to data at rest. With antimalware vendor McAfee Inc. mandated by the NHS as a security supplier, Umar is now in the process of installing SafeBoot technology (now part of McAfee) on all laptops to apply full-disk encryption and to enable control of USB ports.

The aim is not to block off the USB ports completely, but the trust needs to gain control over how information is used on pen drives. Using SafeBoot, it will be able to force encryption and limit which devices can be plugged into a USB port.

Umar is examining a couple of possible USB pen drives that support encryption, and says a decision on this will be made very soon. "The plan is to allow only the use of approved token devices on USB ports," he said. "We have a lot of different types of users, but we wanted to go for a single encrypted pen drive that we can manage centrally."

He considered a variety of authentication mechanisms for the pen drive, but opted for using a password. "Our users may be wearing gloves, or they may have gel on their hands, so that rules out fingerprint recognition. I'm a big fan of keeping everything simple. The end users shouldn't really have to change the way they work."
