Southend secures email with Proofpoint

Tags: A Audit encryption Foundation Trust Information iS Microsoft NHSmail Security Solution Strategic US

20 Mar 2009

Southend University Hospital NHS Foundation Trust is rolling out a secure email solution from Proofpoint across its 2,500 PCs.

The move follows a review of IT in May 2008, which showed the trust needed to improve its email security to meet Department of Health guidelines introduced as a result of data leaks in the NHS.

At the time, Southend had taken a strategic decision not to use NHSmail, because it had already invested heavily in a Microsoft Exchange 2003 environment. It was also concerned about the amount of administrative work involved in setting up and running NHSmail accounts.

However, it needed an email encryption solution that would work with its existing set up. Konrad Hutchins, acting 3rd line team leader said: “The key benefits had to be that it was invisible to the end user and easy to deploy as well as being simple for the user and recipient to use.”

The trust organised a 30-day proof of concept trial on outbound mail to assess how much sensitive information could potentially leak. The Proofpoint appliance highlighted more than 1,000 instances of unsecured outbound mail containing information that should have been encrypted.

“The audit provided the means of tracking data when liaising with other trusts and third parties such as external GPs, social services and other organisations,” said Hutchins. “Users could send an email that was automatically encrypted and the recipient had to come to us to retrieve the information securely.”

Proofpoint offers end-point security while providing anti-spam and anti-virus protection all within one system. Hutchins continued: “We’re now able to control our data and track where it is going. We’ve deployed a secure mail system, which is simple and easy to use for everyone.”

Link: Proofpoint

Sarah Bruce

Readers Comments

business case

20 Mar 09 10:20

"At the time, Southend had taken a strategic decision not to use NHSmail, because it had already invested heavily in a Microsoft Exchange 2003 environment. It was also concerned about the amount of administrative work involved in setting up and running NHSmail accounts."

- It would be interesting to see the business case Southend have used to implement their local mail system and proofpoint appliances given that NHSmail is certified for transmission of patient data, is secure, now uses Microsft Exchange 2007 and is free!! NHSmail also has a connectors facility which allows organisations to have a hands free facility for account administration.

Central myopia

20 Mar 09 23:17

We're also encrypting local mail across a health and social care community (with different products). The problem with NHSMail is the inability to seamlessly encrypt messages beyond the centralised security blanket. We need to communicate patient (and staff) identifiable information actively to councils, voluntary organisations, companies and patients.

We also need to protect busy clinical staff from their propensity to tale short cuts and avoid anything that is not easy and simple to use. Appliance based solutions that include encryption of messages to anywhere provide superior protection to that offered by NHSMail.

We are also significant users of Blackberries. Currently not supported by NHSMail.

Nothing is free, and the NHS pays very heavily for the assumed perfection of these centralised systems that don't deliver all their promises, whilst their business cases fail to recognise any value in local work.

20:20

23 Mar 09 14:10

NHSmail is certified for trasmission of PID to Govenment Orgs (including councils) using the GCSx network (http://www.govconnect.gov.uk/index.php and http://www.govconnect.gov.uk/gc-mail.php). Voluntary Orgs and Companies can sign up for NHSmail access using the 3rd Party application (http://www.connectingforhealth.nhs.uk/systemsandservices/nhsmail/signup ).

Do you really want to promote the sending of PID to external non-accredited mail accounts over which you have no control? There are other methods of securely communicating with patients such as Healthspace.

NHSmail is very simple to use! Even the web version now looks like Outlook.

So the local appliances encrypt the data in transmission, but are the mail databases secure? are the mail servers housed in GSi accredited resilient data centres? Does the local system have Restricted accreditation? etc etc etc.

There is now a solution for Blackberries and NHSmail (www.nhs.NotifySync.co.uk)

Yes, the NHS pay a lot of money for these centrailised systems. Having local systems which seek to provide the same service only burdens the NHS (and ultimately we the tax payers) with a greater bill. There is value in local work, but that is work which would be best spent elsewhere other than trying to replicate national systems which are far more resilient, secure and cost effective.

The odds still look to be stacked in favour of NHSmail!

20:0 vision

24 Mar 09 19:16

The idea that voluntary groups, companies and patients will be queueing up to get an NHS mail account is in my humble view farcical.

I don't care about GSi accreditation. I care about enabling clinicians to email securely with each other and their patients, to work in a world connected with the real world, not just between those within the security blanket.

But then I support front line users, not conversations between DoH, NHS, and those aiming to make lots of money running datacentres.

The feedback I am getting is that users don't like the 'improved security' of the updated NHS Mail, and are walking away from using it.

Dispair

gillsr@iee.org

25 Mar 09 09:08

I dispair, I asked the IA many years ago when we would have a national NHS Certificate Authority so they could issue organisations with certs to allow us to implement SMIME and securely communicate with other hospitals and actually encrypt the content of the messages we send to verifiable recipients. (as many Law firms do and there is great supplier support for)

But instead we have a walled-garden OWA that only encrypts the transport of messages and causes us much pain when trying to explain to users (even with OWA2007) the lengthy steps to open shared mailboxes, move organisations, reset passwords etc. It doesn't even trust forwarding to .nhs.uk mail accounts (used in health organisations).

The connectors have been down for the last month or so while they migrate and are not due up till later this month - no NHS org has been able to sync their new users and they have had to be entered manually.

@3, all these 3rd parties that can sign up for nhsmail we have no control over either once they have downloaded the attachments no matter what the method it gets there. only a robust Doc Rights Mgmt would fix that. and have you used the new NHSMail? it is good, but I have experienced a number of wobblies waiting over a minute to open messages for whole mornings, yes hopefully it will get better, but the old NHSmail was good at the start too. (even in the user admin tool has been unusable for extended periods of time and we have had to tell users to phone back tomorrow to get their password reset, as of course the national helpdesk says to contact me.

Local organisations are trying to give their users with our limited budgets the best experience they can (without overloading them with pointless process) and to that ends I think we will check out proofpoint too...

2 Week Free Proofpoint Audit

ehab@ntsuk.co.uk

27 Apr 09 09:09

I am the Security consultant who implimented the Proofpoint Solution into Southend and many other Hospitals. I see we are discussing the business case here and it is really easy to prove whether there is a problem or not. What we do is provide a free 2 week audit using the Proofpoint Solution in Audit mode. At the end of the 2 weeks we will provide you with a report which will show what is leaving your organisation. What we have found is that the biggest problem is staff sending sensitive information to Yahoo/hotmail type email addresses and NHS mail cannot protect against this.

If anyone is interested in the audit or would like more information you can contact me on ehab@ntsuk.co.uk

Ehab Ahmed