Call for security warning on USB memory sticks in NHS
24 March 2010
As the deadline for the introduction of heavy fines of up to
£500,000 for organisations that breach data security rules looms on 6
April 2010, IT security solutions provider ISEEU Global is calling for a
ban on the use of USB memory sticks and other portable media used to
store and transmit personal data in the National Health Service.
ISEEU warns that failure to address the issue of data loss in the NHS
once and for all will cost NHS trusts hundreds of thousands of pounds
and put the confidential files of millions of vulnerable patients at
risk.
Phil Bullivant, director of ISEEU, commented: “The catalogue of NHS
data losses is unacceptable with the Information Commissioner's Office
(ICO) slamming the Health Service as one of the worst offenders for data
loss, reporting as many incidents as the entire private sector.
“Just recently, three USB memory sticks containing sensitive
information relating to the diagnosis and treatment of cancer patients
in Middlesex and Surrey were lost. The data contained in the USB sticks
was in Word format — leaving the information entirely accessible to
anyone with a computer. There is also the well-documented example at
Stockport Primary Care Trust when a member of staff lost a USB stick
containing data extracted from the medical records of some 4000
patients.
“Confidential patient data is also at risk with the loss and theft of
laptops in the NHS — just last year Hampshire Partnership NHS Trust had
to inform the ICO about the theft of a laptop holding the personal data
of 349 patients and 258 staff stolen from an employee attending a health
conference while the theft of a laptop in the West Midlands resulted in
the loss of more than 5,000 patients' details.
“It is clear that removable storage devices and other portable media
are a prescription for disaster for the NHS and they should have a
government health warning on them at the very least. In a private
company such embarrassing and potentially damaging incidents would lead
to a wholesale review of procedures and the NHS should be no different.
With the Government taking a much-needed tougher stance on the issue of
data loss, now is the time for Trusts to review data protection and put
systems in place to protect sensitive patient information.”
While encryption has been hailed as the way forward for NHS trusts,
it is clear that even encrypted devices are not immune to security risks. Last
December USB maker SanDisk issued a security alert over a potential
vulnerability in the data access control mechanism for its Cruzer
Enterprise series of USB flash drives. The vulnerability was in the
application running on the host computer, not with the USB device
hardware or firmware — the device has a hardware-based encryption module
on board. SanDisk issued a software update online for existing users and
updated all products being shipped to customers.
ISEEU's Phil Bullivant argues that this begs the question: why is
portable media being used as an acceptable form of data transfer in the
NHS in the first place, given the sensitivity of patient data and the
implications for getting it wrong?
He said: “The only way for government to ensure patient data is
secure is to ban the use of removable media such as memory sticks and
CDs which are all too easy to misplace or drop on the train.
“It is time for NHS trusts to invest in their IT infrastructure and
implement secure ways for NHS workers to remotely access central
documents on the network safely and securely without the need to rely on
haphazard quick fixes which pose serious security threats. Patients have
a right to expect their personal information will be treated with the
utmost care.
“ISEEU Global has developed a highly secure solution to enable health
workers to access data without compromising data integrity. The ISEEU
Clinical Workforce Accessibility Solution incorporates two highly secure
products: ISEEU Global Access to connect remotely to all administration
and clinical applications and ISEEU Global Courier data transfer
technology to virtually courier confidential patient data. The solution
also incorporates full administrative and workflow control enabling
managers to see at the click of a button who has accessed particular
files and provides a full audit report on activity. The technology
integrates seamlessly with Trusts' own systems and complies with
governance and security requirements.”
Investing in a robust, secure IT solution which allows safe
transmission of sensitive data would make the current NHS reliance on
removable media redundant.
Phil Bullivant concluded: “Trusts need to stop fire-fighting
individual instances of data loss and start getting to the root of the
problem. A review of IT infrastructure in the NHS is urgently required
to address the issue of data access and transfer and ensure that the
Government's investment in networks such as N3 is not wasted. The cost
of implementing secure remote access and transfer solutions is not
significant compared to the heavy fines as well as the cost to Trusts'
reputations for losing valuable, confidential data.
“While the appeal of the USB stick lies in its ease of use and cost
effectiveness, perhaps now is the time to ban their use or at the very
least ensure they come with cigarette-style warnings: 'use of this USB
could seriously threaten your data security and cost your trust hundreds
of thousands of pounds'.”