
Lancashire takes charge of USB ports

02 Oct 2008

Lancashire Care NHS Foundation Trust has taken control of its USB ports using a data protection solution from Lumension Security.

The trust, which employs 3,500 staff and provides mental health and substance misuse services across Lancashire, held a USB stick amnesty and replaced “rogue” devices with officially sanctioned memory sticks.

It then implemented the Sanctuary Data Protection solution. This allows it to assign user access rights, block unauthorised attempts to download data and encrypt all data that is downloaded.

Repeated public sector data breaches this week prompted NHS chief executive David Nicholson to write to all NHS chief executives to ask them to check they had implemented Department of Health policy on encrypting removable data.

Alan Boardman, the trust’s data security officer, told E-Health Insider that the software will also allow his team to centrally shadow and log all usage of USB memory sticks for auditing and compliance purposes, giving Lancashire Care a record of exactly what data has been downloaded to and from what USB devices.

“We were specifically looking for a centralised data protection solution that automatically enforced encryption,” he said. “We looked at alternatives, but found that they were not enforceable and couldn’t be managed centrally.”

The new USB sticks are printed with the trust’s logo, post office box number, postcode, and a personal identification number which is unique to each employee. Therefore, the trust hopes that if the device is lost, it can be returned safely.

When asked whether he believed that the devices were foolproof, Boardman said: “In my opinion there is no way of hacking into the AES256 software, so I think that the devices are perfectly safe.”

The trust has purchased 1,000 memory sticks and is now looking to use similar software on its laptops.

“We wanted to add the software to our laptops in the same year, but it just wasn’t possible due to lack of time and funding,” said Boardman.

The trust is also using the solution to disable write access to floppy disks and CD/DVDs, so that data can be read from these media but not written to them. It is now planning to explore solutions for other devices such as dictaphones and digital cameras.


Simona Stankovska

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

1

Great in theory!

03 Oct 08 08:39

Sadly this will not have the desired effect, as staff will easily find a way around the system. How will the Trust prevent staff from e-mailing PID to their personal address, and then copying or distributing it as they feel they need to? Junior medical staff are the worst culprits, as they want to take case histories etc to their next appointment.


2

McAfee anyone?

06 Oct 08 10:18

And the reason for not using the free nationally procured, much trumpeted solution was? (he asks as if he didn’t already know the answer). Could we have bought something that doesn’t fulfil all of our requirements? Surely not.


3

Well done NHS!

phenry@forensicsandrecovery.com

09 Oct 08 15:35

One of the best kept secrets on the Internet today is that nearly every single high profile PI breach has had a removable media component. Removable media has quickly become our Achilles heel in both network security and the protections of privacy. Network Security is all about Control & Risk Management. In implementing the technology / solution they have, NHS Lancashire have identified and managed the risk that they themselves have prioritized. Security is also about defense in depth – so as Lancashire address other aspects of risk, there are security technologies in the market that will complement the solution they have chosen to implement. One for example is Data Leakage, whereby, key words can be identified and data transfer can be controlled to specific destinations when the data contains these key words. There are secure email gateways and encrypted email solutions, which again manage identified risk. NHS Lancashire have implemented the first steps, but security is a continuous process that reduces the risk envelope down to a manageable size. Well done NHS Lancashire Care in leading the way by taking a definitive first step in dealing with this growing issue!


4

It always worries me when....

10 Oct 08 09:39

... I see comments like "devices are perfectly safe". "perfect" security just doesn't exist.

If only the "free issue" product did what we need it to do, had some support & didn't blue screen PCs like there's no tomorrow.
