Tablet PCs: A bitter pill for the NHS to swallow?

NHS guidelines on how to turn over a new slate on iPad security
Written by Nick Heath, Contributor

NHS guidelines on how to turn over a new slate on iPad security

While businesses are jumping on the tablet bandwagon the NHS has warned staff against using tablets to handle patient data.

Tablets have been gaining popularity within hospitals for giving doctors the ability to interact with clinical data on the move, for example finding a use in the cancer ward at Cambridge University Hospitals NHS Foundation Trust.

However new guidance from NHS Connecting for Health stresses the risk of health trusts choosing tablets over traditional PCs, saying "tablet devices are inherently less secure than traditional IT equipment and not necessarily suitable for use with sensitive / patient identifiable data".

Where tablets are used within the NHS, much of their cloud back-up and connectivity features should be disabled to minimise the risk of data breaches, a new guidance document, the Use of tablet devices in NHS environments: Good Practice Guideline advises.

Patient data should never stored on tablets, the guidance says, and where tablets are used to access sensitive data, any copies of that data on the device needs to be fully erased afterwards.

Services that back-up data stored on tablets to the cloud, found in the likes of the Apple iPad and Kindle Fire, should also be disabled if possible, the guidance adds, to prevent information being stored in geographies outside of the UK's control.

Apple iPad

The NHS has warned health trusts about the dangers of tablet computersImage: Apple

"Cloud services being enabled by default can result in sensitive data being uploaded to remote servers without the user being aware it has happened or sanctioning it," it says.

"These servers may be anywhere in the world and may be out of the jurisdiction of the organisation responsible for that data."

The notes also warn that tablets are "an attractive value for thieves" due to their high value and portable nature, and need to be properly secured when not in use.

By default all tablet devices used by the NHS must have strong encryption enabled and be protected by what the document refers to as "strong passwords", with settings to remote wipe the device after a set number of failed password attempts.

To avoid the risk of information being sent to and from tablets being compromised, the guidance recommends that corporate devices should not be able to access mobile networks or Bluetooth, and that trusts should only allow the devices to connect to wi-fi through secure VPN.

As well as detailing the dangers of corporate tablets, the guidance flags up risks attached to allowing NHS staff use their own personal computing devices at work, saying such machines should be subject to the same level of central control as NHS-issued IT equipment.

Overall the document warns that health trusts will find it difficult to manage large numbers of tablets without the adoption of a mobile device management approach.

There have been a series of data security breaches by health trusts, leading the national privacy guardian, the Information Commissioner, to warn the NHS about the number of breaches within the health service.

Editorial standards