Opinion

Ban USB memory sticks in the NHS

Phil Colledge of 123 Consultants says the security risks of memory sticks are too great to allow their use for storing sensitive data.
January 2008

The dangers of USB memory sticks have been known to security experts for years. Why then does the NHS still allow these devices to be used? It’s a good question, particularly in light of the recent losses of personal data by the Tax Office, the Department for Work and Pensions, several NHS trusts, and now Stockport and Oldham PCTs.

The NHS has spent considerable time and money developing N3, the NHS network, so that NHS organisations across the country can safely and easily communicate with each other. The reality on the ground is often very far from a communications Utopia.

The recent incident in Stockport has highlighted yet more information governance and basic security failures. Stockport PCT provided a statement about the loss of a USB drive containing 4,000 patients’ details. The statement shows a lack of understanding and acceptance of the dangers of USB drives, and a significant lack of ownership and responsibility for personal data security.

The statement assures us that the security of the information had been considered, and that emailing the information had been discounted on the basis of its poor security; this is offered as justification for using the USB drive so that the data could be delivered personally.

The Trust then assures patients whose data it has lost that this information cannot be used for ‘identity theft’. Surely the Trust has been ill-advised or misses the point completely. The data contained sensitive medical information; few of us would like anyone other than perhaps close family to know if we have a serious medical condition.

Stockport PCT Chief Executive Richard Popplewell is reported on Silicon.com as commenting that the USB device in question may have been damaged by being dropped on the road during a rainy day. He is quoted as saying: “It is extremely likely that the data was lost in circumstances in which it would be unrecoverable.”

Again this shows a lack of knowledge and understanding. In my experience it is very difficult to ensure that data stored on memory devices, hard drives, CDs and the like is rendered unrecoverable. In fact, a recent PC Doctor test on a standard USB drive involved immersing the device in water for 24 hours, exposing it to hot coffee for five minutes and finally giving it a bath in a soft drink. After all of this the USB drive, once properly cleaned and dried out, worked perfectly well.

In fact, there are many companies and government departments that specialise in retrieving data from damaged USB drives, mobile phones and other devices. It is extremely unlikely that a little rain will have rendered the USB drive data inaccessible. Perhaps again we will be told that there is ‘no evidence that this data has fallen into the wrong hands’, when in fact there is no evidence of where the data is at all!

There is clearly a big issue with USB devices and their use within the NHS. The mechanisms for transporting confidential information around the NHS need a radical review. Any solution, of course, will have to take into account the potential risks involved before considering the countermeasures to put in place.

It is difficult to assess the potential negative effects of the data losses for the patients involved. For example, it is possible that the lost USB drive from Stockport contained data on well-known individuals within the Stockport area, maybe even the local MP. In that case the limited data is no longer limited and could end up on the pages of the tabloid press. After all, MPs and well-known figures in our society often use the NHS for treatment. Like the rest of us, they expect confidential information to be protected.

There are solutions to these problems. Firstly and most importantly, stop using USB drives completely and ban their use within all NHS organisations. This may be a utopian view that is not operationally achievable in most NHS trusts. If so, be aware of the risk and put countermeasures in place.

The most effective countermeasure is the use of strong encryption technology across the whole organisation to protect laptops, PDAs, Blackberry devices, emails and, if you really have to use them, USB drives.

The implementation of encryption technology enterprise-wide is not without its challenges, but there are a number of well-tested enterprise solutions on the market.

Perhaps the NHS, after spending millions of taxpayers’ money on an NHS-wide email system and computer network, should spend a little more and add strong encryption technologies to the email system. Once encrypted email had been implemented, confidential data could be sent by email, even if part of its journey used the internet. Perhaps then the NHS could give up using USB drives, CDs and DVDs, and utilise the email network it already has.

Further information

Phil Colledge wrote about the dangers of USB memory sticks for bjhc&im in 2006. Read his article: USB devices — a prescription for disaster

See also

Stockport and Oldham PCTs lose patient data on USB memory sticks.

Opinion: Public data loss

Parliamentary committee calls for increased powers for Information Commissioner
