NHS: How to secure tablets for healthcare

By Brian Dolan

iPad 3The UK's National Health Service (NHS) Connecting for Health division recently published a guidance document for how healthcare providers in that country should and shouldn't be using tablet devices. The document is chock-full of warnings about tablet use in healthcare settings, but it also includes some helpful hints for how CIOs should secure the devices.

The NHS states that tablet devices are more likely to be stolen than traditional IT equipment because of their portability, desirability, and ability to be easily concealed. The guidance document also warns that it is easy to access content from the devices once they are stolen.

While the security issues are very real and important, it's also worth pointing out many of the "risks" about tablet use in healthcare listed above are the same as the reasons they have found such quick adoption. Physicians and other providers appreciate how portable the devices are and -- when apps are designed well -- how easy it can be to access clinical information from them.

An NHS spokesperson gave The Guardian a quick explanation for and overview of the guidance and its scope: "We have developed interim guidance about the safe use of tablet devices within the NHS in response to growing interest in this area. This makes it clear that these devices are currently not as secure as more traditional IT equipment. They should therefore not be used to store sensitive patient data and should, as with all mobile devices, be encrypted. Further guidance will be updated as necessary."

The NHS also claims that it tablet users are more likely to inadvertently share patient information from them than from other IT equipment. (This is a curious claim.) The guidance document goes so far as to suggest that because these devices are "inherently insecure" they may not necessarily be suitable for accessing sensitive and patient identifiable data.

While the NHS suggests providers not allow tablets store sensitive data on them, the guidance document also suggests that providers be very careful about using cloud-based services. All temporarily stored data from cloud-based services should be immediately erased after use, and providers should be aware that some cloud-based services automatically send data to remote servers, which may be in other countries where the responsible organization has no jurisdiction. So, NHS suggests all unnecessary cloud services be removed or disabled on tablet devices in healthcare settings.

While many tablets offer a variety of wireless networking options for connectivity, the NHS suggests tablets used at healthcare practices in the UK stick to WiFi access through VPNs. Cellular networks, open WiFi, and Bluetooth only provide more avenues for security compromises, so CIOs should disable them entirely, according to the NHS. The document also recommends remote wipe and GPS tracking to ensure thieves are unable to access patient health information on lost devices. Healthcare professionals should keep their tablets with them at all times and when not in use the devices should be locked away.

Finally, in case it wasn't obvious, the NHS discourages healthcare workers to use their own personal devices to access sensitive patient data. So much for BYOD in the UK?