Disappointing Advice from the NHS on Securing Tablets

In this week's news from the Guardian Government Computing Network (a UK based news site) there was an article about some disappointing – from my point of view – guidance from the National Health Service (NHS) on tablet (specifically iPad) security. Unfortunately, it appears that the actual guidance document itself is not freely available, so I'm having to rely on newspaper reporting. In an article entitled "NHS warns staff over tablet security risks" the guidance is reported as saying that tablets are:

  • “inherently less secure than more traditional technology”
  • “a high profile target for malware”

This is an exaggeration of the facts. There is nothing inherently less secure about this technology. There are some significant issues with Android devices and malware, but they are only as bad as the malware issues with PCs. Indeed, the lack of security comes from a lack of information, mechanisms and tools from enterprise IT to support and encourage secure use.

The document then goes on to issue the following guidance:

  • “[staff are warned] not to use tablet devices to store sensitive patient data”
  • “staff must have strong encryption and passwords if using tablets”
  • “devices must be configured to allow for remote wiping, or wiping after a number of failed password attempts”
  • “[the guidance] warns against the use of cloud services with tablets”
  • “Users should remove or disable unnecessary services”
  • “the ability to transfer data from the devices should be restricted to a list of permitted destinations”
  • “tablets should not be deployed ‘out of the box’, but should be configured with a standardised OS and firmware version together with current security updates before use”

(The points above are all direct quotes from the article.) If this is an accurate summary of the guidance then this is truly disappointing: if implemented, this guidance would (a) significantly reduce the benefits from using these devices and (b) be unlikely to succeed. The amount of resistance from users to these measures would likely be very high. People with tablets are more likely to ignore, avoid or subvert these measures than to follow them. The guidance ignores the whole point of the tablet, and the challenge it offers to IT, by treating it in the same way that legacy desktops and devices have been treated.
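Several of the quoted items (strong passcodes, encryption, wiping after repeated failed attempts) are things that, on iOS, are enforced through a configuration profile rather than by asking users to behave. As an added example, not part of this post and not the NHS guidance itself, the script below checks whether a profile actually carries such a passcode policy. It uses Apple's documented passcode payload type and keys; the sample profile and the baseline thresholds (8 characters, 10 failed attempts, 5 minutes inactivity) are constructed for illustration.

```python
import plistlib

# Apple's passcode-policy payload type (a real, documented identifier).
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample profile for this example (not an NHS profile):
# a top-level configuration profile carrying one passcode payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.tablet.baseline</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>example.tablet.baseline.passcode</string>
      <key>allowSimple</key><false/>
      <key>requireAlphanumeric</key><true/>
      <key>minLength</key><integer>8</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
      <key>maxInactivity</key><integer>5</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def check_passcode_policy(profile_bytes, min_length=8, max_failed=10, max_inactivity=5):
    """Return a list of findings; an empty list means the profile meets the baseline.

    The thresholds are this example's assumed baseline, not figures from the guidance.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        # Without a passcode payload nothing forces a passcode, and on iOS the
        # passcode is what activates data protection and bounds failed attempts.
        return ["no passcode payload: passcode, data protection and auto-wipe not enforced"]

    findings = []
    for p in payloads:
        # Defaults mirror Apple's: simple passcodes allowed, alphanumeric not required.
        if p.get("allowSimple", True):
            findings.append("allowSimple is true: repeating or sequential passcodes are permitted")
        if not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric is false: numeric-only passcodes are permitted")
        if p.get("minLength", 0) < min_length:
            findings.append(f"minLength below {min_length}")
        failed = p.get("maxFailedAttempts")
        if failed is None or failed > max_failed:
            findings.append("maxFailedAttempts missing or above baseline: no wipe after repeated failures")
        inactivity = p.get("maxInactivity")
        if inactivity is None or inactivity > max_inactivity:
            findings.append("maxInactivity missing or above baseline: device stays unlocked too long")
    return findings


def weakened_profile():
    """Constructed negative case: the same profile with two controls relaxed."""
    profile = plistlib.loads(SAMPLE_PROFILE)
    payload = profile["PayloadContent"][0]
    payload["allowSimple"] = True
    del payload["maxFailedAttempts"]
    return plistlib.dumps(profile)


def profile_without_passcode():
    """Constructed negative case: a profile carrying no passcode payload at all."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})


if __name__ == "__main__":
    cases = [("baseline", SAMPLE_PROFILE),
             ("weakened", weakened_profile()),
             ("no passcode", profile_without_passcode())]
    for name, blob in cases:
        print(name, "->", check_passcode_policy(blob) or ["ok"])
```

Run it as-is to see the baseline profile pass and the two weakened variants fail; point `check_passcode_policy` at the bytes of a real `.mobileconfig` to audit an actual profile. The point is that these controls are verifiable in the profile before the device is handed out, which is what makes "strong passcode and wipe on failure" a deployable measure rather than a request to staff.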

It recapitulates a depressing tendency from centralised IT functions and government security to ignore the different uses that tablets are put to and to try and reinstate an inappropriate traditional “one size fits all” approach to managing devices.

The NHS has missed an opportunity here. Instead of taking such a conservative approach they could have:

  • recognised the different uses that people have for tablets,
  • understood the different security risks and controls appropriate for those different uses

and, based on this, recommended appropriate tools and measures for these different uses to deliver the maximum benefit while enabling secure and responsible use of tablets. This would have increased the chance of different agencies within the UK health sector taking them seriously and increased the chance that their guidance would be effective in actually securing devices in the sector.


2 Comments to “Disappointing Advice from the NHS on Securing Tablets”

  1. Nice post Doug, and raises some good points about how tablet based computing needs a whole different mindset from large organisations. Somehow not a great surprise that the public sector may be behind the curve on this, but then again I recently read that the NHS is adopting NationalField, a “social network for enterprise” for 1 million of its staff – see http://www.wired.co.uk/news/archive/2011-12/01/nationalfield-moves-from-obama-to-the-nhs – which is all the more surprising.

    • Hi Dominic,

      Thanks for the comment. The truly disappointing thing is not so much particular guidance or advice from government departments, but the way that it constantly conforms to a pattern: risk averse, ignoring benefits, over-estimating the sensitivity of data (interesting because when it comes to data privacy/protection the reverse is done), over-estimating the potential impacts and ignoring the reality of the situation. That is why I think you find this split personality – in the sorts of situations where you see those factors don't apply, government agencies adopt hell-for-leather.

      Doug
