Welsh health board blocks social networking

Abertawe Bro Morgannwg University Health Board is blocking its 10,000 computer users from uploading material to social networking services by default. It allows general exceptions for the communications and IT departments, and specific exceptions for clinical staff who use such services for research. "If there is a need, we're not here to block people doing things, just that they are doing it safely," the board's ICT security manager Chris Phillips told Kable's Information Security conference on 3 November. But of the default blocking, he added: "Based on our assessment, we think it's too high a risk for us." The specific exceptions can be detailed, he said, with a member of staff or a group being granted access to a specific section of Flickr, but not the rest of the site. The board has used M86's email and web filtering software over five years, with the latter used to control access to a range of sites. It allows most staff 45 minutes of access to sites deemed to be for personal use in each 24 hour period, such as shopping, banking and travel. However, it sets exceptions as appropriate, such as allowing secretaries who book hotels unlimited access to travel sites. Some sites, such as all using the .nhs.uk suffix, are 'white listed' as completely open for use. Phillips said the email filtering software has been adopted as the standard across the NHS in Wales. "We examine every piece of mail entering or leaving the organisation. Not personally, thank God," he said. Anyone whose email is blocked gets an acknowledgement from the Cymru MailMarshall system, including the sender and the subject line. The email is released on request, after its subject line has been checked by a member of IT staff. The email software scans for file types and for words in the text. "You would not believe the number of our staff who will send out credit card numbers, expiry date and security data," Phillips said. "When you tell them they say 'Oh, I didn't realise that'." He added that some staff believe they should have uncontrolled use of web and email, with one clinician threatening the board with legal action over its looking at his email – hence the practice of sending automated acknowledgement emails when messages are blocked. Others complain it interferes with their work, but Phillips said that was preferable to a £500,000 fine from the Information Commissioner's Office, with the trust being responsible for more than 1m patient records, staff data and legal records generated by its secure mental hospital. He said that it was difficult to balance data protection and staff wishes. "My job is to enable people to do their jobs safely. This piece of software lets us do that."