The Trust said it was one of the first to implement a mandate from the Department of Health that all mobile data must be encrypted, and it followed this process and met the required standard for data encryption of mobile devices, as well as all laptop hard drives and USB storage devices.
“We were proactive in being one of the first Trusts to implement the Department of Health’s mobile data encryption mandate but wanted to go a step further in implementing encryption technology that would protect sophisticated hardware and eradicate the need for devices to be wiped,” said Alex Fildes, system and networking technician at the Trust.
Initially the Trust selected McAfee Endpoint, but Fildes told Computing that this proved unreliable.
“It was unreliable with the hardware it was being used on; when there was an issue the data was not recoverable with the recovery tools available from McAfee,” he said.
The Trust encountered problems with some of its hardware, where the disk encryption failed and devices had to be wiped. The most common problem, according to the Trust, was that a newly acquired laptop would contain a new chipset or new hard drive design that would not work reliably, meaning that laptops that had been configured, encrypted and given to users had to be returned within a matter of weeks, or even days.
The organisation went through a tender process and looked at two options: Safend Encryptor and Check Point Full Disk Encryption.
“While Check Point was a very good product, it did not fit the way laptops are used at the hospitals within the Trust. NHS Bolton chose Safend Encryptor as the IT team was confident that it would provide secure encryption of users’ data, while leaving the operating system in a robust and recoverable state in the event of a disaster recovery situation,” Fildes said.
“It was the best option for us as it required minimal administration, reducing the impact on staff productivity; there was also no need for them to be retrained to use it as it was simple yet secure,” he added.
The team researched and tested several hacking and data recovery tools in an attempt to break Safend Encryptor but were not able to do so.
The implementation is currently in progress on an ad hoc basis, but it has been deployed on over 400 machines using Microsoft’s System Center Configuration Manager. Since the installation, which took place in October 2012, the machines that previously had problems with disk encryption software have shown no issues using Safend Encryptor, the Trust said.
The Trust’s work in ensuring its data is protected comes after Computing questioned the willingness of the Information Commissioner’s Office to levy fines against negligent organisations in the NHS. A week after Computing’s questions, the ICO issued its first data protection fine for £70,000 against the Aneurin Bevan Local Health Board in Pontypool, South Wales.
The biggest fine to date from the ICO to an NHS body is £375,000 in a case against Brighton and Sussex University Hospitals NHS Trust. The fine, which is being contested by the Trust, comes after a batch of hard-disk drives that should have been destroyed by a contractor were sold on auction website eBay.