After HMRC: Microsoft’s Intelligent Application Gateway and information governance

Recent, well publicised losses of data by public bodies have focused attention on information governance. A number of NHS trusts are now using Microsoft’s Intelligent Application Gateway to give mobile and remote workers secure, context based access to their systems. Sally Whittle reports. 

While new technologies have enabled NHS workers to be more efficient than ever before, they have also opened up new risks and created new responsibilities. Making information digital and allowing employees to access it in new ways, such as over the Internet, means it can potentially be lost or accessed without proper authority.

HM Revenue and Customs (HMRC) learned this the hard way, when it lost two computer disks containing the confidential details of over 25 million child benefit recipients in the post. The breach, in November 2007, is widely seen as the worst to ever to have occurred in the UK, and has heightened awareness of information governance as an issue for the public sector. " “Ultimately, we will have 3,000 people using the IAG as a single sign on technology, and it will be a good deal more cost-effective than the alternatives.."

“Definitely, since some of the data breaches have become public, information security and governance is becoming much more important,” says Yusuf Mangera, server manager at Imperial College Healthcare trust.

“There is heightened awareness of the issue at a senior level. While it’s always been an issue for the IT department, demonstrating information governance and appropriate policies are now a major issue for directors and the Department of Health.”

Improving information governance

East London Foundation trust is actively working on improving its information governance, says Jonathan Buchan, its network development manager. In recent months, the trust has been working closely with partners and the DH to audit and upgrade its information security policies.

“We’re making a lot of changes to secure data and to protect information in transit,” adds Mr Buchan. For example, the trust is rolling out encryption for portable data sticks and laptops, to protect data outside the hospital environment, and has updated the password policy to prompt users to change their passwords more frequently.

One of the key changes that East London Foundation trust has made has been to engage IT solutions provider Eurodata Systems to help it to deploy Microsoft’s Intelligent Application Gateway (IAG) for secure remote access to its network and data. The IAG sits on the “edge” of a corporate network and uses the secure socket layer of a web browser to give mobile or remote workers secure access to devices and applications within it.

The IAG can be used to manage access from applications and resources from any Internet-connected device, anywhere in the world. This means it provides a highly flexible solution. Unlike other remote access technologies, it also provides “contextual based access” – in other words, it works with other software to enforce identity and access policies.

New access for mobile and remote workers

Last month, East London Foundation trust launched a pilot programme, providing 20 employees with secure remote access to its network, through the IAG. “These are people who work in the community or from home, and wouldn’t have this access without IAG,” says Mr Buchan. “If someone tries to access an application, but their antivirus software hasn’t been updated for more than 14 days, then the IAG won’t let them access the system.”

“Previously, they would have had to come in to a trust site to check email, which means they’re spending less time with patients, or don’t have access to up to date information.” Trusts are increasingly looking to provide this kind of remote access to workers who might otherwise need to constantly return to a hospital-based office.

“We want to deliver care closer to patients in the community, and we also have lots of people who want to work more flexibly, or work from home,” says Mr Mangera at Imperial College Healthcare trust.

It is also using Microsoft’s IAG to provide secure, remote access for radiology consultants who often access PACS [digital radiology] images from a number of sites, including home.

“Consultants may work across multiple sites, and they often work from home reviewing images,” explains Mr Mangera. Since deploying IAG, the trust has extended its use to other departments, including clinicians and third party consultancies.

Meeting security standards

When the trust researched remote access technologies in 2005, the IAG was the only product on the market to offer the level of security demanded by NHS Connecting for Health, the agency in charge of NHS IT, says Mr Mangera. “It offered a lot of security features that weren’t available anywhere else at that time,” he says.

Any solution of this kind must comply with government and NHS guidelines on connectivity and security and Microsoft IAG meets the standards set by the NHS Code of Connection. It has also received a CCT (CSIA claims tested) mark from the Central Sponsor for Information Assurance (CSIA), a unit of the Cabinet Office set up to safeguard IT and telecommunications.

Meanwhile, trusts are also making use of the contextual based access it enables. The platform will assess each access request based on the identity of the user, the device they are using, and the application or data being accessed.

“If someone tries to access an application, but their antivirus software hasn’t been updated for more than 14 days, then IAG won’t let them access the system,” says Mr Mangera. “It also means we can specify different levels of access to the same application based on a person’s role and responsibilities.”

If a remote worker accesses data through IAG, the platform uses “screen scraping” to ensure that no data remains on a worker’s laptop or handheld device when they log off from the network. This means if the device is lost or stolen, no confidential patient data can be compromised. “The platform uses “screen scraping” to ensure that no data remains on a worker’s laptop or handheld device when they log off from the network [...] if it is lost or stolen, no confidential patient data can be compromised.”

It also means if workers access patient records on a ward, once they leave the ward, the data will be wiped. “For us, that was a very important factor, because it means that patient-identifiable data is never compromised,” says Mr Mangera.

Working with smart cards

Another key benefit of IAG is that it is highly scalable and can be integrated with a wide range of applications. Bedford Hospital trust has also recently deployed the IAG for secure remote access. It was extremely impressed by the platform’s ability to integrate with other applications and has just decided to roll out the product to 100 users following a successful pilot project.

“We were the third hospital in the country to roll out smart cards for staff authentication, and IAG was able to integrate easily with our smart card authentication system, improving overall information security,” says Oliver Chandler, network manager at the trust. “Security and integration were definitely important factors for us.”

Staff at the trust are issued with smart cards to access any trust applications, and PCs and laptops are all fitted with smart card readers. At present, a third party application authenticates the smart cards but ultimately, Mr Chandler hopes to configure the system so that cards are authenticated against the IAG itself.

“Ultimately, we will have 3,000 people using the IAG as a single sign on technology, and it will be a good deal more cost-effective than the alternatives,” he says. “There are other products on the market but what this offers is a solution combining hardware and software, so we get world-class security without worrying about sourcing servers or managing multiple operating systems and platforms.”

About Eurodata Systems

Established in 1990, Eurodata Systems is a London-based business consultancy specialising in systems integration. By focusing on medium to large enterprises, it cost-effectively plans, executes and delivers high-quality services and allows its customers to take advantage of the latest technologies.

In addition to being a Microsoft Gold Certified Partner, Eurodata also has a preferred partner status with organisations such as Whale Communications, HP and IBM. It has won a number of awards.

Current clients include Britain's top public, private sector and commercial institutions, including The Financial Times, AMEC, Superdrug, London Borough of Hackney and a number of NHS trusts.

For more information about Eurodata, please visit www.eurodatasystems.com

Related Articles

• After HMRC: information governance in the NHS
• Find out more about Microsoft's Intelligent Application Gateway
• Case Study: Microsoft’s IAG solution at Essex Rivers Healthcare trust