PRESS RELEASE – 27 JUNE 2006
A survey of the healthcare sector on the use of portable data storage
devices has found that almost two thirds use no or inadequate security
and that half of those in the NHS use their own equipment to store data
— a basic breach of security practice.
A survey into “Mobile device usage in the healthcare sector” carried
out by Pointsec Mobile Technologies and The British Journal of
Healthcare Computing and Information Management (bjhc&im) has
revealed that one fifth of the devices used to store data have no
security on them at all and a further two fifths have only
password-controlled access — which does not guarantee security from
hackers. Using basic hacker software downloaded from the Internet, it
would take a few seconds to bypass a basic password.
Just a quarter of respondents used passwords with another form of
security, including encryption, biometrics, smart card and two-factor
authentication. Respondents included information managers, IT managers,
medical professionals and a range of other job titles. Two thirds of the
117 who responded to the survey were in the NHS and a quarter were
suppliers to the sector.
USB memory sticks/memory cards (76%) were the most popular mobile
device to be used to download data in the healthcare sector followed by
laptop/tablet PC (69%), PDA/Blackberry (51%), smartphone (9%) and mobile
phone (2%). Advances in technology have resulted in the ability to store
gigabytes of information not just in these devices but also MP3 music
players, cameras, voice recorders etc. The easy availability of tiny,
high capacity storage devices such as USB memory sticks and memory cards
makes it very easy for a person to carry unnoticed large amounts of data
such as patient records or sensitive corporate data.
Overall, 42% of respondents owned at least one of the devices they
used, but half of the NHS respondents were using their own devices to
aid them in their everyday work. The most common type of data stored was
personal contact details (80%), while three quarters stored work contact
details. Nearly two thirds stored corporate data and an amazing fifth of
the healthcare workers who were interviewed held security details —
which could include passwords, PIN numbers and bank account details.
About half of the medical professionals carried patient records on a
mobile device. The majority of medical professionals used a password
alone for security. One doctor commented that his security was okay
because he used “the initials of one of his patients as his password”.
Two-fifths used higher levels of security, but a small number had no
security at all. Comments from respondents included a claim that there
was minimal chance of loss or theft and a minimal chance of misuse.
Another wrote “my patients couldn’t afford to pay for blackmail and they
probably wouldn’t care if others knew” [about their medical records]. A
couple thought that the risk to security was no worse than having
information on paper.
Over half expressed anxiety that patient details are being held on
mobile devices. The biggest concerns were that if a device is lost or
stolen it would breach patient confidentiality (57%) and that the
information “could get into the wrong hands and be abused” (50%). This
still leaves, however, a large number who didn’t show any concern and
thought that security was adequate.
The number of devices that have been lost is surprisingly high. A
quarter of respondents had lost a device themselves, and a similar
number knew of a colleague who had lost one. However, about half found
their devices again and none said there were any consequences from the
loss. One reason given for losing a device was that it was in a car
accident and “probably at the bottom of a deep water filled ditch!” A
small number of respondents’ colleagues, however, were subject to
disciplinary action and one, who had lost a PDA belonging to a local
authority chief executive, had even lost their job.
The survey shows that a large number of people are using their own
devices for carrying data such as work contacts, corporate data and even
medical records, which is a basic failure of security policy. Two thirds
of the devices have no or inadequate security and there appears to be a
lack of appreciation of the security risks among a large number of
users. About 80% said that there was a security policy in their
organisation, but the results of the survey show clearly that there is
widespread and serious failure in the way that security policies deal
with the risks of mobile devices and are enforced.
Martin Allen, Managing Director of Pointsec Mobile Technologies UK,
said: “There is much documented evidence of patients who are worried
about the safe-keeping of electronic medical records, but this survey
shows the medical sector themselves are worried about medical
information being held on mobile devices which are not being secured by
their NHS trust. It will only be a matter of time before these
weaknesses are exploited as it is very easy to steal or pick up a mobile
device and access the information for ill-purposes. Mobile devices seem
to be falling through the security net and our advice is that any NHS
trust or organisation downloading sensitive or patient records should
automatically encrypt the information. That way security no longer
becomes an issue; it becomes second nature and works in the background.”
For more information about the survey or to arrange an interview with
Harry Wood from bjhc&im or Martin Allen from Pointsec please
contact Yvonne Eskenzi 020-71832 832 or 07961 394461.
About Pointsec:
Pointsec is the worldwide de facto standard for mobile device
security – with the most customers deployed, highest level of
certification and more complete device coverage than any other company.
Pointsec delivers a trusted solution for automatic data encryption that
guarantees proven protection at the most vulnerable point where
sensitive enterprise data is stored – on mobile devices. By securing
sensitive information stored on laptops, PDAs, smartphones, and
removable media, enterprises and government organizations can protect
and enhance their image, minimize risk, shield confidential data, guard
information assets, and strengthen public and shareholder confidence.
Pointsec’s customers include blue chip companies and government
organizations around the world. Founded in 1988, Pointsec Mobile
Technologies AB is a wholly owned subsidiary of Protect Data AB,
publicly traded (PROT) on the Stockholm stock exchange. The company has
two U.S. offices, nine EMEA offices, three APAC offices, two offices in
India and one office in Dubai, Middle East. Pointsec can be found on the
web at: www.pointsec.com
About bjhc&im:
BJHC Limited publishes The British Journal of Healthcare Computing
& Information Management, now in its 23rd year of providing
authoritative and comprehensive coverage on the information-driven
revolution in clinical services management. The company also publishes
Health Informatics Europe, a free online journal, and holds the
annual three-day Healthcare Computing exhibition, alongside the HC
conferences organised by the BCS Health Informatics Forum, every March
in Harrogate. Two other annual national events are organised by the
company: The Autumn Forum, held in Oct/Nov, which offers participants
the chance to discuss and debate topical issues in healthcare and
socialcare informatics, and the spring Telecare event, which focuses on
the deployment of assistive and remote-monitoring technology in care
communities. BJHC Limited is based in Weybridge, Surrey.
For more information see www.bjhc.co.uk,
www.hi-europe.info,
www.healthcare-computing.co.uk,
www.bjhc.co.uk/autumnforum
and www.telecare-events.co.uk