Leeds Teaching Hospital NHS Trust learned its security lesson the hard way. After its network was infected with the Sasser worm in 2004, the trust realised the need for strong anti-virus protection that is fully compatible with its IT systems.

The worm exploits vulnerable devices using Microsoft Windows XP and Windows 2000 operating systems, and shut down large areas of the trust’s network in 2004.

Chris Archer, computer services manager for the trust, says the organisation realised the network was not adequately protected, despite using McAfee security products. Issues with the supplier, however, were not necessarily the key issue.

“There is very little between the anti-virus products; they can all do the job but we had not rolled it out as strongly as we should,” says Archer.

“We do not connect directly to the internet; access is via NHSNet (now N3) and there is the danger of complacency with the idea that it provides an extra level of protection. We realised we needed to make sure we were 100 per cent protected, and had to get our own house in order and take security as seriously as any company in the private sector.”

Following a tender process, the trust chose Kaspersky Lab to ensure security for a network that consists of about 7,500 PCs used by more than 16,000 employees across seven sites. Archer says two significant reasons prompted the selection.

“Cost was one factor and the other was that we are a big Novell site and we found that Kaspersky Lab integrated better with our servers ­ – and provided the best management interface within our Novell NetWare environment,” he says.

“Most of the anti-virus companies are geared up to Microsoft, but Kaspersky Lab has maintained its partnership with Novell.”

However, rolling out satisfactory protection is only one layer of the trust’s security defences.

“It is important to remember that anti-virus is just one part of the solution, and should not give you a false sense of security. You need to keep up-to-date with Microsoft patches and updates and ensure that you have good reporting tools,” says Archer.

He says the trust is also in the process of tightening security surrounding patient records, following the recent stories of data loss in the public sector.

“We have policies and procedures regarding patient notes. For example, no data should be stored on local drives ­ only on the network so it can’t be taken off site, but we will be endorsing this better and are looking at products that blanket-block devices such as USB sticks for downloading data,” says Archer.

“If someone needs to download data, for example for a PowerPoint presentation, they will need authorisation. Such measures are in line with directives from NHS Connecting for Health to prevent blunders such as the recent loss of personal details by the Ministry of Defence, and make data protection more stringent.”