Call for ban on use of USB sticks in hospitals

Thursday 8th April 2010

With the introduction of heavy fines of up to £500,000 this week (Tuesday 6 April 2010) for organisations that breach data security rules, IT security solutions provider ISEEU Global is calling for a ban on the use of USB memory sticks and other portable media used to store and transmit personal data in the National Health Service.
 
ISEEU warns that failure to address the issue of data loss in the NHS once and for all will cost NHS Trusts hundreds of thousands of pounds and put the confidential files of  millions of vulnerable patients at risk.
 
Phil Bullivant, director of ISEEU, commented: "The catalogue of NHS data losses is unacceptable with the Information Commissioner's Office (ICO) slamming the Health Service as one of the worst offenders for data loss, reporting as many incidents as the entire private sector.
 
"Just recently, three USB memory sticks containing sensitive information relating to the diagnosis and treatment of cancer patients in Middlesex and Surrey were lost. The data contained in the USB sticks was in word format – leaving the information entirely accessible to anyone with a computer. There is also the well-documented example at Stockport Primary Care Trust when a member of staff lost a USB stick containing data extracted from the medical records of some 4000 patients.
 
"Confidential patient data is also at risk with the loss and theft of laptops in the NHS – just last year Hampshire Partnership NHS Trust had to inform the ICO about the theft of a laptop holding the personal data of 349 patients and 258 staff stolen from an employee attending a health conference while the theft of a laptop in the West Midlands resulted in the loss of more than 5,000 patients' details.  
 
"It is clear that removable storage devices and other portable media are a prescription for disaster for the NHS and they should have a government health warning on them at the very least. In a private company such embarrassing and potentially damaging incidents would lead to a wholesale review of procedures and the NHS should be no different. With the Government taking a much-needed tougher stance on the issue of data loss, now is the time for Trusts to review data protection and put systems in place to protect sensitive patient information."
 
While encryption has been hailed as the way forward for NHS Trusts, it is clear that even these are not infallible from security risks. Just last month USB maker SanDisk issued a recall of its Cruzer Enterprise series of USB flash drives, which are password-protected  with built-in encryption and are used by some NHS Trusts, because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained in its devices.
 
ISEEU's Phil Bullivant argues that this begs the question – why is portable media being used as an acceptable form of data transfer in the NHS in the first place, given the sensitivity of patient data and the implications for getting it wrong?
 
He said: "The only way for government to ensure patient data is secure is to ban the use of removable media such as memory sticks and CDs which are all too easy to misplace or drop on the train.
 
"It is time for NHS Trusts to invest in their IT infrastructure and implement secure ways for NHS workers to remotely access central documents on the network safely and securely without the need to rely on haphazard quick fixes which pose serious security threats. Patients have a right to expect their personal information will be treated with the utmost care.
 
"ISEEU Global has developed a highly secure solution to enable health workers to access data without compromising data integrity. The ISEEU Clinical Workforce Accessibility Solution incorporates two highly secure products; ISEEU™ Global Access to connect remotely to all administration and clinical applications and ISEEU™ Global Courier data transfer technology to virtually courier confidential patient data. The solution also incorporates full administrative and workflow control enabling managers to see at the click of a button who has accessed particular files and provides a full audit report on activity. The technology integrates seamlessly with Trusts' own systems and complies with governance and security requirements."
 
Investing in a robust, secure IT solution which allows safe transmission of sensitive data would make the current NHS reliance on removable media redundant.
 
Phil Bullivant concluded: "Trusts need to stop fire-fighting individual instances of data loss and start getting to the root of the problem. A review of IT infrastructure in the NHS is urgently required to address the issue of data access and transfer and ensure that the Government's investment in networks such as N3 are not wasted. The cost of implementing secure remote access and transfer solutions is not significant compared to the heavy fines as well as the cost to Trust's reputations for losing valuable, confidential data.
 
"While the appeal of the USB stick lies in its ease of use and cost effectiveness, perhaps now is the time to ban their use or at the very least ensure they come with cigarette-style warnings – 'use of this USB could seriously threaten your data security and cost your Trust hundreds of thousands of pounds."

ISEEU Global

Feedback

Have YOUR say.

Name:
Email:
Location:

We welcome all feedback. However, we cannot publish anonymous comments, so please supply your name and location. Your details will not be displayed if you so request. To protect privacy we never publish email addresses.