NHS imposes USB stick security

In response to embarrassing losses of USB memory devices, the National Health Service has mandated an encryption tool that will also withstand the rigours of medical work.

The National Health Service has moved to stem the tide of embarrassing losses of unencrypted USB memory sticks by mandating an encrypted device that will also withstand the rigours of life on a medical ward.

The NHS chose the SafeStick USB memory device from Swedish supplier BlockMaster Security AB. The storage tool automatically encrypts all data loaded on to it, and requires the user to key in a password before accessing the information.

The contract for 100,000 devices over two years follows several incidents in which NHS staff lost memory sticks containing sensitive information, and marks a new attempt to impose discipline over the way the USB devices are used.

Following the bad publicity, many NHS trusts had already moved to tighten their USB stick security, and BlockMaster, in a recent press release, said that 100 NHS hospitals have already begun using its devices. One of them is the West Suffolk Hospital NHS Trust, which adopted the SafeStick six months ago.

"We were ahead of the game and had already gone through our own evaluation process to find a secure USB stick," said Mel Hodson, head of IT procurement at West Suffolk. "We also wanted something that was easy to manage, and something that was tough enough for our environment. For instance, we need to be able to wipe them down and clean them, so we wanted something that could survive being dropped in a bucket of liquid."

West Suffolk has already bought 200 SafeSticks, and uses them in conjunction with McAfee Inc.'s Port Control, which enforces policies and allows the trust to manage USB port usage on its desktop and laptop machines. "The SafeStick is now the only device that can be used on our PCs for writing data," Hodson said. "By using Port Control, it means that data can only be copied to the encrypted SafeStick, and not to any other kind of USB stick. We allow people to read data from other USB sticks, for instance visitors with presentations, but they cannot write to them."

Each SafeStick has its own asset number, and is recorded in the central SafeConsole management system. If a stick is lost or stolen, it can be immediately disabled. And by using a built-in lock-down feature, West Suffolk has configured the system so that if a PC is left unused for 15 minutes, users must rekey their password to get to the data held on the USB drive.

As for additional USB stick security features, SafeConsole manages initial registration of users and any password resets. "The management console is very easy to use, and very straightforward for users, because they can reset their own password, or they can get the help desk to reset it for them," Hodson said. "If users choose to reset their password, they lose the information that is on the memory stick. That stops someone putting in another user's stick and resetting it."

She said the adoption of an encrypted drive, which is more expensive than a standard memory stick, has had the effect of making staff act more responsibly. "It took some users a while to get used to the fact that this was the only device they'd be able to use. They had been so used to being able to bring devices in from home," she said.

"Now, because the stick is encrypted, people seem to be thinking about security a lot more. So far, we have had no losses. If someone lost a stick in the past, they were fairly cheap, so they would just come and get another, or bring one in from home."

Despite the efforts at West Suffolk and elsewhere, USB stick security is still a challenge in the NHS and local government. Just last month, for instance, a health worker in Bradford was forced to resign after losing an unencrypted memory stick holding extensive details on thousands of patients.

Last December, Leeds City Council launched an investigation into the loss of a memory stick holding details of 5,000 preschool children. In that case the stick was found by a member of the public who handed it in.

And encryption is not always a foolproof solution, as demonstrated last December at a prison in Preston. A medical worker was taking data from the prison clinic to an administration department for backup, but the USB stick -- holding the information on more than 6,000 prisoners -- went missing along the way. The drive was encrypted, but unfortunately, the worker attached a sticky note to it with the password on it.
