How to avoid the front-pages of the tabloids: the IAG at Microsoft’s security summit

Data security is at the top of the to-do lists of most NHS IT managers, following a spate of stories about lost CDs, laptops and USB sticks. Trusts are looking to deploy secure access solutions that enable staff to use their systems without compromising privacy or security.

Microsoft’s Intelligent Application Gateway not only fits the bill, it opens up new ways of working. Solution specialist Bill Orme will be talking about the IAG at Microsoft’s forthcoming security summit. He gives a flavour of his presentation to freelance journalist Stephen Pritchard.


Balancing the need for flexible working patterns and the requirement for data security is a challenge in any large organisation. But few organisations face as great a challenge as those in the NHS.

The move over the last decade to a more digital environment, through the spread of administrative and clinical systems including digital imaging, has brought about some significant changes in both administration and clinical practice.

A growing number of administrative tasks can potentially be done by staff working offsite or from home; helping to overcome staff shortages, improve retention rates and encourage NHS employees to return to work after career breaks. “Security measures need to be robust, but not to interfere with the tasks carried out by NHS staff, sometimes under extreme pressure.”

At the same time, clinical staff can increasingly work in teams. A registrar, for example, can call on a second opinion, even if the consultant is elsewhere in the hospital. But none of this can be done, unless security is addressed from the outset.

It’s not just about security

An added complication is that trusts typically run a myriad of IT systems. These systems, in turn, are largely operated by staff, who although experts in their fields, are not experts in IT. Security measures need to take account of that. They need to be robust, but not to interfere with the tasks carried out by NHS staff, sometimes under extreme pressure.

Fortunately, IT also provides some of the answers. Microsoft’s Intelligent Application Gateway, for example, allows trusts to control who uses an application, when and where. This, in turn, allows IT managers to open up applications and databases to remote staff, or trusted third parties.

Bill Orme, solution specialist for the IAG at Microsoft UK, says there are three main drivers for deploying the technology: improving the use of resources; extending the reach of trust applications and data; and improving work-life balance for NHS staff under the Improving Working Life standard.

But, as is often the case with such projects, a deployment that starts out with one objective in mind tends to finds a wider role. “Essex Rivers Healthcare NHS Trust put in the IAG as a step to meeting the IWL standard,” says Mr Orme. “But it found that once it had installed the IAG in front of its applications, all sorts of possibilities opened up.”

He adds: “A GP could, for example, pick up test results by remote access. A consultant could view CT scans of a car crash victim in a browser, without having to come in to the hospital.” “The IAG does not expect non-IT people to behave like IT experts. It allows NHS staff to work in the right way.”

The IAG, he says, has gone a long way to improving patient care in a number of trusts by improving access to expertise and speeding up routine processes. It has also opened up access to third parties such as GPs, pharmacists and care workers, without putting security or privacy at risk.

But IAG delivers contextual access: and learns as it goes along

The IAG has to work with a range of operating systems, applications, and client devices. It has to be secure. And to be accepted, it has to be at least no less intuitive to use than the systems it protects.

“If a trust has 2,000 GPs in its area, they are not trust employees with trust credentials, but self-employed professionals,” Orme points out. “The IAG can broker identities.

“If the IAG picks up a national programme smart card as an ID, the trust can set policies for what it allows that doctor, for example, to do. It might allow them access to some parts of the trust’s systems, but not others. It might give them more limited access if they are not using an NHS owned device or working from within the network.”

The IAG, in other words, allows trust IT departments a great deal of control in how they manage access to applications. This so-called “contextual access” allows them to set polices based on the application, the device being used, the user and their location.

In addition, the IAG learns “normal” behaviour and will trigger an alert if something out of the ordinary happens. In this way, it might allow a pharmacist to access a few patient records at a time, but would trigger an alert if someone in that pharmacy suddenly tried to download dozens of files. Finally, the IAG applies a further level of security; no data remains on the remote device at the end of a session.

“The IAG does not expect non-IT people to behave like IT experts. It allows NHS staff to work in the right way,” says Mr Orme. “IT directors recognise that people need to access data to do their jobs. They want to guarantee that the data is removed from the machine, and doesn’t end up on the front pages of the tabloids.”

Bill Orme will be presenting on the topic, “Information Protection - moving from need-to-know to need-to-share securely” at Microsoft’s Security Summit Tiuesday 23 September 2008. Find out more about this event.

Further Reading

• Read more about Microsoft's Intelligent Application Gateway (IAG)
• After HMRC: Microsoft’s Intelligent Application Gateway and information governance
• Read about Essex Rivers Healthcare trust's implementation of IAG
• Live webcast recording: IAG in practice