USB sticks are small and fast with mega memory. But new technology brings new problems; MPS Writer Sara Williams explains why they should be used with caution.
Earlier this year an inquisitive junior doctor questioned the security of data at his hospital trust following the theft of a USB stick.
F1 doctor Matthew Daunt surveyed 50 junior doctors on how they stored their patient data. The results were revealing. Most (72%) stored their patient identifiable data electronically and they used the following methods:
- 40% used a Universal Serial Bus (USB)
- 26% used a hospital computer drive
- 6% used floppy disk
Only 3% of the 20 doctors who used a memory stick used a form of password protection and none of them had 128-bit encryption, which is mandatory in most NHS trusts.
USB sticks have the potential to be mobile safe houses of information, but without encryption or password protection they are like a wrought iron vault with the door open.
Finding a USB stick with patient's confidential information on it is similar to leaving patient notes in a waiting room. Both amount to an information governance breach, which could lead to a compensation claim. Should such a known breach occur, the patient must be informed immediately, as it is a high probability that the information has been compromised.
Losing a USB pen can also lead to possible identity theft, and the risk of losing important clinical data. It is no worse than leaving behind a paper containing confidential information. Identity theft is the UK's fastest growing type of identity fraud and according to the consumer magazine Which?, it costs Britain more than £1.3 billion a year and affects more than one in four adults.
Most USB pens come with some form of attachment, such as a key ring or a neck strap, thus minimising the possibility of losing them. However, such safety measures will not protect users from the risks caused by transferring data between machines and people.
This makes the argument for compulsory password encryption imperative. Matthew raised his concerns with the Information Governance Committee at the trust, and as a result, they now advocate that the security protection of a memory stick is sufficient for the information it holds. The trust is also considering supplying NHS staff with 128-bit encrypted memory sticks for use on ward-based firms.
Although Matthew's trust does not deem it appropriate to store patient data on USB sticks without security, they have not banned them completely. He argues that all memory sticks should be password-protected before they are dispensed to staff to store data.
"Patient data should never be kept on a stick without encryption and password protection," says Dr Stephanie Bown, Director of Policy and Communication at MPS. "If the USB stick is personal property, users may need to consider whether they need to register as data controllers, and should take advice from their trust. The most important point to remember is to comply with trust DPA policy."
Not only does Matthew's survey show that clinicians can make a difference, it reveals that the current level of awareness of the damages of USB sticks is low among junior doctors. It is good practice to understand these rules and make sure that you are keeping patient identifiable data secure.
Avoid risks of USBs
- Ensure that the data is stored on the appropriate hard drive straight away to avoid loss.
- Get your USB virus checked for Trojans or other malware.
- Do not use it as your central hub of information; use it is as a subsidiary one.
- Attach a key ring or a neck strap to lessen the risk of losing it.
- Find out what your trust's data protection policy is, and take Matthew's advice and highlight any holes.
- Set up a password or an encryption.
To read Matthew's Daunt's article – "The trouble with memory sticks" check out the latest issue of Casebook, which can be read online by visiting the Education section of the MPS website - www.mps.org.uk. Casebook is published in six jurisdictions and reaches an audience of more than 240,000 doctors.