Scottish NHS trust ensures no repeat of USB data loss

After an embarrassing breach that occurred last July, NHS Lothian has implemented encrypted USB pen drives that must be used to carry personal data.

A Scottish health trust has moved quickly to prevent further security breaches following the loss of a USB stick in July.

NHS Lothian has implemented technology to ensure that from now on only approved and encrypted USB pen drives can be used to carry personal data.

Martin Egan, director of e-Health at NHS Lothian, said he has introduced a new system whereby up to 4000 users will be provided with USB devices for work use only, and which will be encrypted and password protected. Visitors will still be able to use their own USB drives, for instance to show PowerPoint presentations, but they will be prevented from writing data on to their drives.

The trust is using Sanctuary Device Control from Arizona-based Lumension Security Inc. to encrypt all approved devices, including USB drives, CDs and DVDs. It will also provide an audit trail of device usage and data transfer, and prevent the introduction of malware via removable media.

In addition, the trust will use the Disk Protect and Connect Protect products from UK encryption software firm Becrypt Ltd. to ensure full-disk encryption on all laptops in the trust, as well as control any transfer of confidential data from laptops to USB sticks.

Enrolment of users began in late October. "At the configuration of the USB device the user has to be present, and enter a password of suitable strength, and that becomes the encryption key for that particular USB stick," said Egan. The stick will act as a security token as well as an encrypted storage device for the user.

Egan said the MAC address of each USB stick was recorded and tied to the individual user. If the stick is lost, the account can be disabled, and if users forget their password, they have to present themselves in person once again to configure the device and register a new password.

Passwords will not be changed or updated, said Egan. "We decided not to force password changes. It is a difficult call, but if you make people remember too many passwords, you can end up making the system less secure.

"Other USB devices can connect to the network but only on a read-only basis. We automatically virus-check anything that is plugged into the machine."

The new system follows an embarrassing breach that occurred last July when an employee lost a USB stick that contained letters with personal information relating to 137 patients. The information had been stored by the member in breach of regulations that prohibit the storing of NHS information on personal portable computing devices.

While Egan believes the new system will prevent a repeat of the mistake, he is backing it up with a new security awareness campaign. "You've got to protect people from themselves sometimes. We cover off IT security and governance at induction, but a lot of people have been around a long time and are maybe a little rusty on that," he said. "We are now backing this up with communications that will be sent out with everyone's payslip, to remind them of their responsibilities when handling personal information. The message to them is that data security is business."

Read more on Privacy and data protection