Official guidance issued in England warns over security risks of tablet devices and says that NHS staff must not use tablet devices, such as iPads, 'out of the box' or to store patient data (2). NHS Connecting for Health (CfH) has issued a „good practice guidance“ document, noting that the use of tablet devices in commercial organisations is increasing, and that there is pressure for NHS organisations to follow suit. The CfH guidance, however, tells staff that these devices are “inherently less secure” than more traditional technology (1).
A Department of Health (DH) spokesman is quoted as saying that the interim guidance states that tablet devices “should therefore not be used to store sensitive patient data and should, as with all mobile devices, be encrypted. Further guidance will be updated as necessary” (2). Given the numbers of losses of devices, such as laptops, USB sticks, etc. in the UK that have contained patient information, the guidance notes that tablets may be even more risky “because of tablets' desirability, ease of concealment and ease of access to content once stolen” (Hitchcock, 2012). CfH recommends that NHS staff should consider using the built-in GPS functionality of many tablets, to enable the location of a device to be tracked, especially in the event of it being lost or stolen.
The guidance notes that, as many tablet devices are set to automatically back-up their contents to Cloud services by default, there are potential issues in that data could be uploaded to remote servers without the user being aware of it. The servers, it is noted, “may be out of the jurisdiction of the organisation responsible for that data” (Crispin, 2012). Among further issues covered, the risks due to lack of consistent policy control of allowing the introduction of personal portable devices to NHS settings are addressed. This can result in sensitive data being copied to insecure devices or locations, while portable tablet devices additionally do not encourage audit logs, and introducing large numbers of such devices could cause problems for trusts from a management perspective (1).
At the time of writing, this report relies on media reports of the guidance, as it does not appear to be publicly available on the CfH or Department of health websites. This lack of public availability has also been noted by several readers on the EHI website in discussion of the article (see comments on [1]).
Sources
- Crispin, S (2012, Jan. 13) CfH issues tablets safety warning. E-Health Insider. Available online at
http://www.ehi.co.uk/news/acute-care/7452/cfh-issues-tablets-safety-warning - Hitchcock, G (2012, Jan. 14) NHS warns staff over tablet security risks. The Guardian. Available online at http://www.guardian.co.uk/government-computing-network/2012/jan/13/nhs-tablet-security-warning
