Nottingham hospital in USB data-theft scare

A patient data-security scare at Nottingham University Hospitals Trust has been caused by the theft of a USB memory stick from a junior doctor there.

It is common practice at the hospital to allow doctors to carry patient data around with them on USB sticks, and, the theft has come to light after a doctor at the hospital wrote to the British Medical Journal about the theft.

He said, "Current working hours for junior staff mean that effective patient handovers are critical.

Handwritten sheets have been superseded by electronic storage of patient data available to the clinical team.

"USB sticks have greater security risks than other media due to their size, storage capacity, and convenience. Trust policy states that confidential data should be stored on 128-bit encrypted USB sticks with "if found" labels on them, and be used solely on the trust's computers."

He said, "Recently, confidential patient data held on an unprotected USB stick were stolen. The trust had to inform the patient and face liability for distress or damage caused, along with public condemnation."

Calum Macleod, European director for data protection firm Cyber-Ark, said, "Enforcing a policy of encrypting patient data stored on USB sticks is almost impossible, so it is hardly surprising that there should be a security scare over the theft of a stick from a junior doctor."

Macleod said the hospitals trust should instead consider only storing the data centrally on a secure server and then have the medical staff access that encrypted information across a computer network.

Though this would mean less data access mobility, it would fully protect patient privacy and protect the Trust from legal action, he said.

NHS gets cheaper calls with VoIP upgrade >>

Nac growth sluggish as companies consider network security >>

Cisco unified comms systems allow denial of service attacks >>

Comment on this article: computer.weekly@rbi.co.uk