NHS data left lacking encryption

NHS trusts will not have completed encrypting patients' personal data held on their computers until later this year.

A number of health trusts are expected to be months late meeting a target to encrypt all data on non-secure machines by 31 March.

Many trusts will be unable to meet the local targets as set by strategic health authorities (SHAs) as they had been told not to begin the work until Connecting for Health (CfH), the body co-ordinating NHS IT, procured an encryption package - which did not take place until 20 March.

The Department of Health (DoH) has confirmed that it would then take "at least six months" for each trust to complete the roll-out of encryption.

It means data will not be fully protected until 10 months after NHS chief executive David Nicholson asked trusts to make the securing of personal data a priority.

There is no central monitoring within the NHS to ensure that trusts have carried out encryption, with it being left up to the strategic health authorities to check on compliance.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

A spokesman for the DoH defended the time taken saying: "The roll-out of encryption is a complex matter.

"David Nicholson has sought and received assurances from the heads of all trusts that they are working to ensure encryption takes place in a timely fashion. Each of the SHAs will performance manage this but it is paramount that patient care is not disrupted."

The target of 31 March for encryption to take place was a local deadline set by some SHAs and CfH said there was no central target set by the DoH. CfH said the DoH had simply sought an assurance that the process was in hand by the end of March.

CfH confirmed that 700,000 licences had been issued for its chosen encryption package, McAfee's SafeBoot.

A CfH spokesperson said: "It is understood that this process can take some time as skilled technicians are required to complete the task.

"SHAs are responsible for ensuring that trusts progress with encryption as swiftly as possible and the Department of Health has advised SHAs to consider undertaking an independent audit of their trusts' progress."

The revelation came as it emerged that records of 894,629 calls made to the Scottish Ambulance Service had gone missing, after a portable hard drive being transported by courier went astray.