16 Feb 2011
Some 82 per cent of NHS Trust facilities do not encrypt their wireless network traffic, leaving sensitive data such as personal and medical records exposed to unauthorised users, according to the results of a survey conducted by research company Orthus.
Orthus randomly selected 40 NHS Trust facilities, and tested their networks on foot and on public transport to simulate a "drive-by-hacking attack". Once a wireless source was identified, the security characteristics of its network were tested.
The results indicate that only 18 per cent of the Trusts tested were encrypting their traffic, leaving 82 per cent unencrypted and susceptible to attack.
"This survey found that, generally speaking, NHS facilities deploying wireless systems have done little to secure them - in spite of warnings," said the report.
"The majority of the systems we found were still on manufacturer default setting, with virtually no security defences enabled.
"The results of this survey are truly revealing. NHS Trusts deploying wireless technology seem to be doing very little to secure their systems, and their data can be potentially accessed by unauthorised personnel with very little effort," said the report.
"Clearly this has significant Data Protection Act implications."
Furthermore, almost half (47 per cent) of the Trusts had not changed the default settings for the systems prior to implementing them. This is a concern as default passwords for most manufacturers can be found on the internet.
From a network security perspective, there are two critical aspects to this story. Firstly, by allowing easy access to the WLAN, a Trust’s entire store of sensitive patient and employee data is put at risk. Second is the Trusts’ obvious lack of adherence to data protection laws, risking potential fines of up to £500,000 for non-compliance. The potential damage to the Trust and its IT operation is huge.
With so much at stake, I am amazed that so many NHS Trusts and other “network critical” organisations are still not doing more to protect their networks from attack. Reports like this highlight an urgent need for NHS Trusts to review their LAN security more regularly, particularly when such basic errors are still being made.
On a more positive note, recently we’ve seen a strong growth in enquiries about boosting LAN security, particularly from public sector bodies and NHS Trusts. Perhaps they are becoming increasingly aware of their responsibilities under the Data Protection Act following the first heavy fines issued by the Information Commissioner at the end of 2010.
http://www.networksfirst.com/Advanced-LAN-Security.aspx
Posted by: Darren Ashcroft, consultant 10 Mar 2011