NHS trust selects Safend suite to replace free McAfee Safeboot solution

Reporting features, simpler management and overall security features worth paying for, says trust

Doncaster and Bassetlaw Hospitals NHS Foundation Trust has selected security software provider Wave Systems' Safend Data Protection Suite, to help it to comply with the Data Protection Act (DPA) 1998, the Information Governance Toolkit and the Department of Health's mandate that all mobile data must be encrypted.

The NHS had provided the trust with McAfee's Safeboot (Endpoint) solution, free of charge, but the trust felt that the solution was lacking an enhanced reporting function as well as in-depth port control.

Nigel Hall, ICT infrastructure manager at the trust, told Computing that the hospitals went out to a "mini-tender" through a GPS framework in September 2012 and looked at a number of solutions, including a product from its current anti-virus provider Sophos. But the Safend suite came out on top for a number of reasons.

"We found that the Safend solution was better. The staff told me that the console and management of the Safend product was much simpler and easier to manage and work with [than the Sophos alternative]. The ease of deployment was something the staff really liked," he said.

The trust purchased 3,750 clients of Safend's Protector and Reporter licences and 525 Safend Encryptor laptop licences.

"What it gives us which we didn't have before [with Safeboot] is the visibility of real-time, on what's happening on our network with regard to our port control; so knowing who is plugging in which device and who is copying what [data]. It gives us a good feeling and enhances our understanding of movement of data within our network which is part of our requirements from an information governance perspective while it also helps us comply with the DPA," Hall explained.

Hall went on to describe the other advantages of using Safend as opposed to McAfee's Safeboot solution.

"Safend is better support wise, specifically the way the product works with multiple staff in using a single laptop. With Safeboot package there was a lot more involvement of almost assigning staff to laptops, so what we have now is ability for staff to take laptops and we are comfortable that they are encrypted and they can then use them and share them within their department, as their department sees fit rather than coming back to the IT support desk and requesting new users to be added," he said.

"The other massive advantage of the Safend package was that it did not need an upfront requirement for separate credentials when the machine booted, because the security for the encryption is all tied in and integrated with [the console] already, making it more seamless for the user; the user is oblivious to the fact that laptop is encrypted which is positive as the they do not have to react differently to device," he added.

Hall said a third advantage was the additional reporting features that came along with Safend.

"Safeboot had a number of reporting features within the package, but not the extra reporting features that Safend has, such as: being able to see many different file types, getting a real-time notification to alert us to particular instances of databases being copied to USB removable media, the ability to block particular instances of particular file types to USB media, and the ability to shadow (make a copy) of what is being copied to USB media as we desire. All of these are much better methods of monitoring the movement of data within the trust," he stated.

NHS trust selects Safend suite to replace free McAfee Safeboot solution

Reporting features, simpler management and overall security features worth paying for, says trust

Hall said a disadvantage of the Safeboot solution was the lack of support for traditional USB sticks.

"The Safeboot product worked with hardware encrypted USB sticks which increased costs. Any USB stick that can be introduced now can be encrypted with Safend before it is used which is a massive positive as it is saving us money," he said.

On the topic of money, Hall was adamant that the trust had made the right decision in selecting to spend some of its budget on a security tool, even though it had been given one free of charge by the NHS.

"The board went through the process of understanding the limitations of Safeboot and advantages of Safend and when you look at the advantages, and potential risks involved with using one product over another, the business was of a mindset that although the Safeboot package was free upfront, on-going improvements were being made to it, requiring us to move down more of a McAfee route to installing extra management ability with its ePo agent, so there were extra overheads on IT to provide installation of further software," he explained.

"At the same time, we wanted to give users flexibility to utilise USB media that was right for them, so taking it all into account, the business was feeling positive about spending a sum of money to reduce risks further," he added.

The NHS trust started implementation of the Safend suite towards the end of November 2012, and within about six weeks, the software was running in a pilot mode.

"It was listening and capturing all of the information on who was using all of the devices, along with port controls. Then eight weeks ago we turned that into an active restricting policy, and then over the last three months we've been moving towards Windows 7, and as part of the Windows 7 deployment, staff members get an encrypted laptop with Safend ," Hall said.

Hall explained that after the pilot period, the trust could draw up a list of devices that did not need to be encrypted, such as Dictaphones, and then build a suitable policy with the information it had to hand. Personal devices are not part of the policy.

The ICT infrastructure manager added that staff had to be adequately trained to use what he called a "simple product that is complex in what it does". As it is connected to many different operating systems the staff had to be notified of the potential impact if there were any issues. Three of the trust's staff have also been sent for a four day training session with Wave Systems.

In December, Bolton NHS Foundation Trust opted for Wave Systems' Safend Encryptor to replace McAfee's Endpoint solution after it dubbed McAfee's solution "unreliable".