Case Study: Frimley Hospital NHS
Deploys Safend Encryptor and Protector to lock down data on the move



About Frimley Park NHS Trust
Frimley Park Hospital is a 720-bed NHS Foundation Trust employing approximately 3,500 staff and serving a catchment population of over 400,000. The Trust is a single-site organisation for in-patient activity and also provides out-patient facilities at three satellite sites in the local health community in Aldershot, Farnham and Fleet. Incorporating a Ministry of Defence Hospital Unit, the Trust provides a full range of district general hospital services and has invested in additional services since becoming a Foundation Trust, including a modern eye unit, a specialist cardiac centre, extended critical care facilities and consultant-led front-line services.

The Challenge 
In 2008, following a number of high-profile data breaches within the public sector, the Department of Health wrote to all Chief Executives in the NHS mandating that all mobile data be secured. The risk to the Trust from failing to provide adequate security measures for mobile data was extremely serious. The Government’s Information Commissioner has the power to investigate and fine organisations up to £500,000 for failure to comply with the latest directives.
Frimley Park NHS Foundation Trust required a solution that could be deployed within the short timeframes required by the new mandates, was easy to manage and deploy, and would not impact on the productivity of medical staff and administrators. It was considered that the problem of data security would get worse over time because of the proliferation of mobile devices such as laptops, which now number more than 280, and removable media storage devices such as USBs and CDs used within the Trust. Many consultants visit each of the different hospital satellites, such as those at Aldershot and Farnham, and connect to the central networks remotely using their laptops and mobile devices.
Jonathan Spinks, Head of IT at the Trust, comments: “Maintaining the protection of sensitive information is at the heart of our operations and ensuring that the patients, clinicians and the public at large have absolute confidence in the integrity of data is of paramount importance. We needed to find a comprehensive, strategic security solution which would enable us to meet all of the requirements of the mandate, without requiring huge changes to working practices or placing an additional management burden on the IT department.”
The task of meeting the requirements of the mandate fell to the IT Department and the Information Governance Manager, who had responsibility for providing the Trust Board with full assurance that a cost-effective solution was being put in place that would not only address the mandate from the Department of Health but would also have minimal impact on the organisation and its staff, both administrative and clinical.

The Solution
Having evaluated a number of solutions, including one from McAfee/SafeBoot (which at the time was centrally procured by the NHS), the Trust decided that the Safend solution was the best fit in terms of manageability and performance.
Jonathan comments: “Safend was chosen because of its comprehensive integrated suite of endpoint security tools, including reporting, port control and disk and media encryption. The other major criterion for the selection was the need for a centralised solution with minimal management overheads and the need for a system that was largely transparent to the user.”

To this end, Frimley Park Hospital deployed Safend Encryptor and Safend Protector, which form part of Safend’s Endpoint Data Protection Suite (DPS). Safend Encryptor transparently encrypts the Trust’s PCs and laptops so that sensitive data cannot be read by unauthorised users in the case of loss or theft. To minimise the risk of operating system failure and reduce performance impact, the solution encrypts data files while avoiding unnecessary encryption of the operating system and program files. The Trust has also deployed Safend Protector, which provides centrally enforced removable media encryption for storage devices, external hard drives, CDs and DVDs, as well as comprehensive port and device control. This offers reliable, tamper-proof endpoint monitoring as well as device identification and blocking based on administrator-defined policies.
The system was installed on a virtual server and clients were pushed out to all PCs on the network. The system was then left in discovery mode to assess what devices were being connected to the network endpoints. Meanwhile, all laptop computers were recalled and configured with the Safend client, and their hard disks were encrypted, an automatic process that was transparent to the end user.

Following an evaluation of the endpoint reports, a set of machine and user policies was developed, which is being rolled out on a department-by-department basis. The phased roll-out ensures that the common policies are appropriate for each individual department, taking into consideration their unique business requirements.

The Benefits
The initial roll-out began in December 2009 and the Trust is already beginning to see the benefits of its encryption solution. Jonathan comments: “We have been particularly impressed with the early successes, such as the encryption of all Trust laptop computer hard drives. This was an early mandatory requirement and we were under considerable pressure to deliver a quick solution, which could be managed centrally. We’ve also been pleased with the ease of endpoint monitoring and reporting. The centralised management console has benefited the IT Department and will not require any additional resources to manage the system once the project is completed.”
The end result is that the Trust has an endpoint and mobile data security system that is largely invisible to the user but which provides full assurance that it has satisfied its obligations in securing mobile data.
There have been some additional benefits in terms of the Trust’s working practices and wider security measures, as Jonathan comments: “There have been some unexpected benefits to the roll-out; we now have the ability to identify where unusual medical devices, such as Pathology analysers, Endoscopy equipment, cameras and other specialist equipment, have been connected to Trust PCs, sometimes inappropriately. We also now have the ability to identify previously unknown data flows within the organisation. These flows are now being mapped and documented as part of the Trust’s records management policy development work. It has also enhanced the anti-virus and anti-malware systems already in place as we can now block the ‘auto-run’ feature on USB memory sticks, which was known to provide an easy entry point for the notorious ‘Conficker’ worm.”
That’s not to say the project was without its challenges. The change to a more controlled environment for the use of removable media and forced encryption had a significant impact on staff and clinicians, and brought changes in working practices and data management. In order to make this transition as straightforward as possible, the Trust has now issued a clear policy so that all users are aware of the processes which have been introduced.

The IT department also needed to incorporate differing requirements across different areas of the business where unusual or complex medical devices are in use. This issue was overcome by the flexibility and granularity of the Safend solution, with a phased roll-out of the policies on a ‘by department’ basis. This ensured that a consistent machine-based policy could be implemented on most PCs, with the occasional custom machine-based policy for unusual medical equipment and custom user-based policies layered on top to address individual needs.

The Future
Such has been the success of the initial deployment that Frimley Park now plans to make further use of Safend solutions to enhance its data security processes. Every PC now has a Safend client installed and the Trust plans to leverage its investment in Safend by exploring the additional tools available for mapping, filtering and classifying sensitive data stored across the network and on organisational endpoints. It is expected that these tools will help the Trust achieve further success in its drive for improved Information Governance and data security.