Microsoft security summit: safer connectivity

Microsoft’s NHS Security Summit in Reading heard about the hard realities of security and information governance in the health service. But it also heard that technologies for tackling them exist, writes Paul Curran.
With data security and information governance at the top of most NHS “to do” lists, Microsoft organised a summit in Reading to bring IT managers and experts together to discuss issues and ways forward.
Security solution specialist Bill Orme set the tone by asking delegates for their pain points. From this it emerged that the Enterprise Agreement (EA) the NHS has signed with Microsoft gives trusts access to many of the technologies they need. What is urgently required is a better understanding of how to connect them with the real, day-to-day needs of frontline users.
The challenges of managing complex information flows
David Warden, infrastructure development manager at Gloucestershire Hospitals NHS Foundation Trust, said: “Unlike most other organisations, a typical NHS trust is made up of many specialised ‘businesses’ - each with different needs.
“There is constant churn, so establishing a definitive list of authorised local users at any point in time can be extremely challenging.
“The information flows around a typical NHS community are highly complex and cross organisational boundaries. Being responsive and providing the access authorised users need is one of the biggest challenges facing organisations like ours.”
Another delegate highlighted the - perhaps unfair - pressure that security concerns place on operations. “NHS users need information from many different sources on a daily basis, so they need secure pathways between different organisations and departments,” he said.
“When it comes to information security, there’s too much focus on data confidentiality. Breaches of confidentiality don’t generally kill people - non-availability of data does.”
Delegates concluded that having a mechanism for definitive identity assurance at both national and local level is something all parties should be working towards.
Sharing a common infrastructure with national applications
This led Mr Orme on to describe how Microsoft’s “incubation” team and its developers have adapted Microsoft’s Intelligent Application Gateway (IAG) to respond to many of the security issues facing trusts.
The IAG allows them to control who uses an application, as well as when and where. IT managers can deliver applications and databases to remote staff and trusted third parties such as GPs, pharmacists and care workers, without putting security or privacy at risk.
“So versatile is the IAG that it can be used to solve many of the problems involving identity assurance and digital rights management,” said Mr Orme. “With IAG, trusts will be able to share a common smartcard solution, allowing secure information exchange and access to local applications.”
Access control via smartcards
Microsoft identity and access solution specialist Ian Shandling went on to talk about how the IAG works hand in hand with projects being delivered by the National Programme for IT in the NHS.
He described how the N3 broadband network and the NHS “data spine” are providing access to services at a local level. As part of the spine project, for example, NHS staff are being issued with authentication credentials to access the NHS care records service (CRS), Choose and Book and the new electronic prescription service.
“The IAG allows staff to walk up to the nearest available terminal and log onto web services enabled through the NHS CRS smartcard,” he said. “It also lets a trust set policies over which applications users can view using off-site and non-trust devices.”
Optimising your infrastructure
Technical strategist Richard Lane next described how Microsoft’s Infrastructure Optimisation (IO) assessment tools can help trusts identify their current state of infrastructure maturity, and which software and services included in the EA will best bring about a secure infrastructure.
Neil Slater, enterprise strategy consultant and NHS CUI IM&T Tools project lead, followed with an update on how his team is providing best practice guidance relating to the build, deployment and management of a secure Windows desktop environment and its supporting infrastructure for use anywhere in the NHS.
“The ingredients for building a secure environment are available in what NHS sites already own [through the EA] - it’s simply a case of joining them up properly,” he emphasised.
“We will be visiting trusts in the coming months to provide on-site consulting and help with end-to-end deployment through our Early Adopter Programme. Our team has some very experienced and capable people to help you deploy the secure technology at your disposal via the EA.”
What emerged from the summit is that NHS staff, NHS Connecting for Health (the agency that runs the national programme) and vendors like Microsoft must work closely together to bring about security-focused, best practice IT at an institutional level.
As Bill Orme put it in his concluding remarks: “Information governance and security should no longer be viewed simply as policy issues. They are fundamental to the safe delivery of joined-up, knowledge-driven healthcare.”
About the author: Paul Curran has been a writer, journalist and commentator on business and technology for 25 years. A regular contributor to IT, business and financial trade publications, he specialises in enterprise deployment and security issues.