What is the best way to protect confidential patient data on mobile devices? Caroline Ikomi looks at the essentials

Newton's first law of motion says a moving body will want to keep moving. The same law seems to apply to confidential patient data. The problem is trying to stop data from moving further than you want it to.

Data on the move is an issue that has caught out a number of high-profile organisations, including HM Revenue and Customs, Nationwide Building Society and MI5. All have suffered embarrassing losses of laptops or CDs, with the potential for damaging data leaks.

And such losses could be more than just embarrassing. Doctors who have laptops containing patients' records stolen could end up in court. Information commissioner Richard Thomas said in mid-November that a "blatant breach of fundamental observation" should attract criminal penalties to enforce compliance with data protection laws. This bullish attitude can only harden in the light of the HMRC child benefit data loss.

So how should you address mobile data security? Broadly, there are three key things you need to do:

  • encrypt data stored on laptops, smart devices such as PDAs, mobile phones and USB devices;

  • audit and control data transfer and access to removable media, for example USB keys, iPods or CDs;

  • control the security policy running on the user's endpoint device, irrespective of its type.

Disk encryption: full-disk or file?

Encryption for laptops boils down to two choices: full-disk encryption or file-based encryption. The latter is tempting because Windows XP comes with file-based encryption. While this means anything stored in specific folders or directories is encrypted automatically, there is a big security flaw. It relies on you and other users putting files in the encrypted folders.

That is fine in theory, but do you really want to rely on others to decide what is sensitive information and place it in the right folder?

The advantage of full-disk encryption is that it automates the process and secures the entire disk, so mobile users do not have to worry about it - and cannot interfere.

Security in hand

So far, so good - but what about PDAs and smart phones? The key here is to conduct a rigorous audit of all the devices being used in the trust and then to deploy a single encryption solution to cover as many of the devices as possible.

Unauthorised handheld devices should not be allowed to connect to the main network or to store sensitive data. The solution chosen should encrypt data automatically with no user intervention.

Stopping data leaks

It is also important to remember that hard disks are only one storage medium on a typical laptop. This brings us to the second area for endpoint security: managing and controlling data leakage. This means controlling the flow of data onto peripheral devices such as CDs, DVDs, USB drives and portable storage media, including mp3 players and digital cameras.

The starting point for protection against leaks via these devices is to include them in the trust's acceptable usage policy and to educate all users on the importance of following policy and the risks of breaching it.

Policies also need to be backed up and enforced using port control solutions, which can automatically block a USB device that does not comply with the security policy, or prevent the transfer of certain files or file types.

An example of a security policy could include allowing encrypted USB devices - but not iPods or mobile phones - from an authorised user.

Virus protection

This leads us to the third area of endpoint security: protecting data from software threats, such as malicious code.

Effective endpoint security starts with every machine running a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the central network. The endpoint security client should also ensure the laptop is running the appropriate software patches and includes virtual private networking for secure transfer of corporate information back to the network.

Some industry observers question the need to have any sensitive data on mobile computing devices. It is an interesting point, but the data is already out there, and it is going to keep moving. The only effective way to protect NHS organisations and their patients is to ensure data loaded onto mobile devices is kept locked down.