Trusts miss encryption deadline because of delays in finding supplier

NHS primary care trusts (PCTs) have blamed the body responsible for running the NHS's National...

NHS primary care trusts (PCTs) have blamed the body responsible for running the NHS's National Programme for IT, after missing a government deadline to secure data on mobile devices.

The Department of Health gave trusts a deadline to encrypt data on mobile devices, following a series of embarassing security breaches last year. They included the loss of 160,000 children's names and addresses by City and Hackney Primary Care Trust last year, and HM Revenue & Customs' loss of the details of 25 million people.

Matthew Swindells, former Department of Health CIO, wrote to PCTs on 30 January this year asking them to encrypt data on all mobile devices, including laptops and memory sticks, by March 31.

But PCTs contacted by Computer Weekly, said Connecting for Health, which runs the NHS National Programme for IT, did not release details of the McAfee Safeboot encryption system until mid-March, leaving them little time to complete the work. Some trusts said they did not receive the information until April or May.

Kingston PCT said, "We did not manage to encrypt all our mobile devices in line with the 31 March deadline, primarily because details of the contract for the nationally procured software were not released until mid-March."

Portsmouth PCT said that it had encrypted mobile devices that store patient data. "However, we have yet to complete encryption across the full range of mobile devices used by our staff. The Connecting for Health encryption solution was not available until late March, delaying the roll out of our local programme."

Knowsley PCT said it began the encryption software roll-out in mid May. The full roll out-will take around six months, it said.

Milton Keynes PCT said that it was in a position to start the encryption project following a meeting in mid-May with its licence supplier, Trustmarque. "As a trust we have not been in a position to start until now as we were waiting for guidance from Connecting for Health and additional training," it said.

Some primary care trusts, such as City and Hackney PCT, bought their own package and implemented it by the deadline.

A spokesman for Connecting for Health said, "Trusts are required to provide an assurance that mobile devices are encrypted. It is understood that this process can take some time as skilled technicians are required to complete the task."

CfH said 700,000 licences for the Safeboot encryption tool have been purchased centrally so far, and more can be obtained.

"Strategic health authorities are responsible for ensuring that trusts progress with encryption as swiftly as possible and the Department of Health has advised SHAs to consider undertaking an independent audit of their trusts' progress."

Read more on IT project management