NHS information security: iSEEU calls for end of USB memory sticks
Posted on Thu, Mar 04, 2010
The deadline looms for the introduction of heavy fines of up to £500,000 for organisations that breach data security rules (6 April 2010). iSEEU Global thinks that a serious review of NHS information security is due, starting with a ban on the use of USB memory sticks for storing and transmitting sensitive data in the NHS.
Data breaches of NHS information security could in significant fines
ISEEU warns that failure to address the issue of data loss in the NHS will cost NHS Trusts hundreds of thousands of pounds and put the confidential files of millions of vulnerable patients at risk.
The catalogue of NHS data losses is unacceptable with the Information Commissioner's Office (ICO) slamming the Health Service as one of the worst offenders for data loss, reporting as many incidents as the entire private sector.
Three USB memory sticks containing sensitive information relating to the diagnosis and treatment of cancer patients in Middlesex and Surrey were lost. The data contained in the USB sticks was in Word format - leaving the information entirely accessible to anyone with a computer. There is also the well-documented example at Stockport Primary Care Trust when a member of staff lost a USB stick containing data extracted from the medical records of some 4000 patients.
It is clear that removable storage devices and other portable media are a prescription for disaster for the healthcare and the NHS and they should have a government health warning on them at the very least. In a private company such embarrassing and potentially damaging incidents would lead to a wholesale review of procedures and the NHS should be no different. With the Government taking a much-needed tougher stance on the issue of data loss, now is the time for Trusts to review data protection and put systems in place to protect sensitive patient information.
Encryption is not infallible
While encryption has been hailed as the way forward for NHS Trusts, it is clear that even these are not infallible from security risks. Just last month USB maker SanDisk issued a recall of its Cruzer Enterprise series of USB flash drives, which are password-protected with built-in encryption and are used by some NHS Trusts, because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained in its devices.
Why is portable media being used as an acceptable form of data transfer in the NHS in the first place, given the sensitivity of patient data and the implications for getting it wrong?
The only way for government to ensure patient data is secure is to ban the use of removable media such as memory sticks and CDs which are all too easy to misplace or drop on the train.
It is time for NHS Trusts to invest in their IT infrastructure and implement secure ways for NHS workers to remotely access central documents on the network safely and securely without the need to rely on haphazard quick fixes which pose serious security threats. Patients have a right to expect their personal information will be treated with the utmost care.
NHS information security needs robust, flexible, secure transmission solution
Investing in a robust, secure IT solution which allows safe transmission of sensitive data would make the current NHS reliance on removable media redundant.
iSEEU advises NHS Trusts need to stop fire-fighting individual instances of data loss and start getting to the root of the problem. A review of IT infrastructure in the NHS is urgently required to address the issue of data access and transfer and ensure that the Government's investment in networks such as N3 are not wasted. The cost of implementing secure remote access and secure data transfer solutions is not significant compared to the heavy fines as well as the cost to Trust's reputations for losing valuable, confidential data.
While the appeal of the USB stick lies in its ease of use and cost effectiveness, there are similarly easy-to-use solutions that provide the robust security that USB sticks lack.
Find out more about iSEEU Global's portfolio of information security solutions or contact us to arrange a demonstration.