Microsoft | NHS Resource Centre

Article

Passwords on sticky notes: and other security issues facing the NHS

Security overview

Whether it's infected email and MP3 players, or staff noting down their passwords and forgetting to log off their computers, dangers to information security are multiplying.

To tackle these threats, NHS organisations need good policies that have the backing of the board. They need to make staff aware of the threats and train them to avoid risky behaviour.

And they need good technology and IT practices to tackle viruses and other malware, and the problems posed by those personal devices.

It's a grey Monday morning at a small district hospital and one of the managers has forgotten her password: luckily it's on a sticky note on the side of her screen.

Meanwhile, her assistant excitedly plugs in his MP3 player and emails round a funky new track he downloaded for free last night from a mysterious Russian website.

All of which is enough to make any IT manager wince. It also shows that, while new technology is clearly transforming the way the National Health Service (NHS) works, it brings new security dangers with it.

Microsoft technology analyst Gareth Hall says it is important not to be fixated by technological solutions to these problems.

"If people only think about technologies and products then they will be missing the point," he says. "You need to look at processes, people and technology.

"There are plenty of companies that have spent millions on IT and never screened their employees to find out who is using it."

Policies

Trusts need good security policies, but, if they are to work, boards must sign up to and enforce them.

Andy Jewell, information security manager at University Hospital Birmingham foundation trust, admits that IT security may not be a big concern for board members more worried about budgets and hitting performance targets.

But he points out that all trusts have to sign off on the quality of their information governance to their regulators "and IT security is one aspect of that".

Martin Bell, director of information management and technology at North Bristol trust, also says it is important to embed good policies in new systems at the planning stage.

"I think that information governance, security, access policies and so on are often added in later," he says. "I always try to ensure that security issues are part of the initial plan."

People

Whatever the policies say, IT managers are well aware that it is people, not technology, that will be the weak point in any security system. "It is my constant refrain," says Mr Jewell.

"When we are let down it is nearly always because of something our staff have done - usually as the result of an inadvertent mistake."

Staff may note down passwords or leave terminals logged in, allowing others access to confidential information. Or they may fall victim to 'social engineering', the tricks pulled by private investigators and others to talk staff into handing over personal details.

They may also just act thoughtlessly. "People need to be much more aware of security generally," says Mr Jewell. "They need to think before holding conversations in corridors and the backs of buses.

"They need to think before sending patient details to home email addresses - or using texts and instant messaging."

Careless use of text messages allowed the press to find out about footballer David Beckham's alleged affair with his assistant Rebecca Loos, he points out. "I always ask trust staff if they would want their details broadcast in the same way."

To discourage risky behaviour, most trusts now include information governance in the induction sessions they run for new staff and follow this up with awareness training. Mr Bell says security should not just be a concern for technology managers, but for personnel and clinical managers too.

Devices and desires

Then, of course, there is a plethora of devices that staff might plug into trust systems, potentially compromising security and introducing viruses.

The dangers of the USB stick are well known; it has been suggested that USB stands for "ultimate security breakdown". A more recent phenomenon is "slurping": using an MP3 player or other personal device with a large disk to copy huge amounts of data off a machine in minutes.

The problem for the NHS is that it can't simply disable USB ports that staff need to do their jobs. Instead, it has to look at device-control technology that makes them available only to approved devices.
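As an added illustration, not code from the article or from any NHS trust, the check below evaluates removable-device connections against an allow-list of the kind "only approved devices" implies. It assumes Windows-style hardware IDs (USB\VID_xxxx&PID_xxxx\serial), the real USB-IF interface class codes, and a constructed endpoint event log; the vendor, product and serial values and the allow-list are invented sample data.

```python
import re
from dataclasses import dataclass

# USB interface class codes as assigned by the USB-IF.
USB_CLASS_AUDIO = 0x01
USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_IMAGE = 0x06         # PTP: cameras and many media players
USB_CLASS_MASS_STORAGE = 0x08  # memory sticks, external disks, players in disk mode
USB_CLASS_SMARTCARD = 0x0B     # smart-card readers
USB_CLASS_VENDOR = 0xFF        # vendor-specific, e.g. MTP on some players

# Windows-style hardware ID: USB\VID_xxxx&PID_xxxx\<serial>
HWID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<serial>[^\\\s]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: str
    usb_class: int


def parse_device(hwid, usb_class):
    """Split a hardware ID into vendor, product and serial."""
    m = HWID_RE.match(hwid)
    if not m:
        raise ValueError(f"unrecognised hardware ID: {hwid!r}")
    return UsbDevice(m["vid"].upper(), m["pid"].upper(), m["serial"], usb_class)


# Hypothetical allow-list: storage is approved per physical device, not per model.
# Matching on VID/PID alone would also admit every retail drive of that model,
# which is exactly the personal device the policy is meant to keep out.
APPROVED_STORAGE = {
    ("0781", "5567", "4C530001230522117073"),  # constructed: trust-issued encrypted stick
}
ALWAYS_ALLOWED = {USB_CLASS_HID, USB_CLASS_SMARTCARD}


def evaluate(dev):
    """Return 'allow' or 'block' for one connected device."""
    if dev.usb_class in ALWAYS_ALLOWED:
        return "allow"
    if dev.usb_class == USB_CLASS_MASS_STORAGE and (dev.vid, dev.pid, dev.serial) in APPROVED_STORAGE:
        return "allow"
    # Everything else (unapproved storage, PTP/MTP players, audio, unknown classes)
    # is denied by default; a class joins ALWAYS_ALLOWED only with a justification.
    return "block"


# Constructed connection events in a key=value shape an endpoint agent might emit.
SAMPLE_EVENTS = """\
2009-03-02T08:41:05 host=WS-ORTHO-07 user=manager1 hwid=USB\\VID_0781&PID_5567\\4C530001230522117073 class=0x08
2009-03-02T08:41:40 host=WS-ORTHO-07 user=manager1 hwid=USB\\VID_046D&PID_C31C\\5&2A1B0C3D&0&2 class=0x03
2009-03-02T08:55:12 host=WS-ORTHO-08 user=assistant2 hwid=USB\\VID_0781&PID_5567\\4C530009990000000001 class=0x08
2009-03-02T08:56:30 host=WS-ORTHO-08 user=assistant2 hwid=USB\\VID_041E&PID_4130\\MP3-0001 class=0x06
"""

EVENT_RE = re.compile(r"(\w+)=(\S+)")


def audit(events_text):
    """Parse events and return (host, user, serial, decision) for each connection."""
    out = []
    for line in events_text.splitlines():
        fields = dict(EVENT_RE.findall(line))
        dev = parse_device(fields["hwid"], int(fields["class"], 16))
        out.append((fields["host"], fields["user"], dev.serial, evaluate(dev)))
    return out


if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS):
        print(*row)
```

Two design points are worth noting. Storage is keyed on the serial number rather than the model, because the assistant's personal stick may well be the same make as the trust-issued one. And players that present as PTP or MTP, which is how most MP3 players appear when not in disk mode, are denied by default rather than treated as "not storage": that is the slurping path.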

Technology

Meanwhile, trusts have to remain alert for external threats, including attempts to hack into their systems and to infect them with viruses, worms and other malware.

Richard Lane, another technology analyst at Microsoft, says that the key to tackling these is to create a good, managed network and to get patch-management systems, firewalls and anti-virus protection in place.
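The anti-virus and mail-filtering layer is where a message like the assistant's MP3 email in the opening scene gets stopped. As an added example, not code from the article or from Microsoft, the screen below checks each attachment of an email for an executable extension hidden behind a media name and for content that does not match its extension. It assumes only the Python standard library; the message, addresses and attachment bytes are constructed test data.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on double-click (a constructed subset for the example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta"}


def sniff(data):
    """Identify content by its leading bytes rather than by its name."""
    if data[:2] == b"MZ":                      # PE executable header
        return "pe"
    if data[:3] == b"ID3":                     # MP3 with an ID3v2 tag
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        return "mp3"                           # bare MPEG audio frame sync (11 set bits)
    return "unknown"


def classify_attachment(filename, data):
    """Return ('allow'|'block', reason) for one attachment."""
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        hidden = " behind a media extension" if len(exts) > 1 else ""
        return "block", f"executable extension{hidden}"
    kind = sniff(data)
    if exts and exts[-1] == "mp3" and kind != "mp3":
        return "block", f"content ({kind}) does not match .mp3 extension"
    if kind == "pe":
        return "block", "executable content"
    return "allow", kind


def screen_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def build_sample():
    """Constructed message: one genuine track, one double-extension executable,
    one executable renamed to .mp3."""
    msg = EmailMessage()
    msg["From"] = "assistant@example.org"
    msg["To"] = "all-staff@example.org"
    msg["Subject"] = "funky new track"
    msg.set_content("have a listen")
    mp3_bytes = b"ID3\x03\x00" + b"\x00" * 32
    pe_bytes = b"MZ\x90\x00" + b"\x00" * 32
    msg.add_attachment(mp3_bytes, maintype="audio", subtype="mpeg", filename="track.mp3")
    msg.add_attachment(pe_bytes, maintype="audio", subtype="mpeg", filename="track.mp3.exe")
    msg.add_attachment(pe_bytes, maintype="audio", subtype="mpeg", filename="remix.mp3")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample()):
        print(f"{name}: {verdict} ({reason})")
```

The declared MIME type is deliberately ignored: the sender sets it, so it is as untrustworthy as the filename. The magic-byte check is what catches the third attachment, which a name-based rule alone would pass.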

At North Bristol Trust, Mr Bell agrees that "you need robust protection", although he is sceptical about whether an NHS organisation is as much of a target for hackers as a bank - or a high-profile IT company such as Microsoft.

He also feels that dealing with external threats is another area in which having good policies and developing a good security culture among staff is at least as important as deploying more technology.

"We have pretty good control of viruses," he says. "We probably stop 90-95 per cent of them. But it's worth remembering that most viruses don't do any harm.

"The biggest problem is that they create a commotion; staff see 'Trojan Warrior' or some name like that and panic, when the worst that it will probably do is to trigger a rude email.

"We do a lot of staff training. Some of our staff have been through the information governance national vocational qualification, and some of that is about what to do with emails and what not to do with emails.

"Basically, the message for junk email is the same as the message for junk mail that comes through the door - don't open it and put it in the bin."
