Poor security in NHS portable data storage, says survey
- 28 June 2006
A survey into the use of portable storage devices by NHS professionals and suppliers has revealed that half of those interviewed use their own devices to store data, and that 20% of the devices in use are neither encrypted nor password-protected.
A total of 40% of clinicians and IT managers said they relied on a password alone, with no encryption as a second layer of protection. The most popular mobile storage device was the USB stick (76%), followed by PDAs (51%); only 2% stored data on phones.
Among those who used mobile devices to store patient records, security varied: the majority relied on a single password and a small number had no protection at all. 57% said they were worried that patient confidentiality would be breached if their devices fell into the wrong hands.
One response from a clinician who carried patient records was: "My patients couldn’t afford to pay for blackmail, and they probably wouldn’t care if others knew."
Martin Allen, managing director of Pointsec Mobile Technologies, which carried out the survey with the British Journal of Healthcare Computing and Information Management, said: "There is much documented evidence of patients who are worried about the safe-keeping of electronic medical records, but this survey shows the medical sector themselves are worried about medical information being held on mobile devices which are not secured by their NHS trust."
The technology firm argues that holding data on personal devices is a failure of security policy, and points out that while 80% of those surveyed said their organisations had security policies in place, the responses clearly show that policy was not always followed.
"It will only be a matter of time before these weaknesses are exploited as it is very easy to steal or pick up a mobile device and access the information," added Allen.
A quarter of those surveyed had lost a mobile device in transit. Half had recovered them, but anecdotal evidence suggested that disciplinary action had followed in a couple of cases.
"Our advice is that any NHS trust or organisation downloading sensitive or patient records should automatically encrypt the information," said Allen.