[ISN] Concern about USB sticks used for handovers

From: InfoSec News (alerts@private)
Date: Thu Jul 26 2007 - 00:07:38 PDT


http://www.e-health-insider.com/news/item.cfm?ID=2894

25 July 2007

The security of data stored on USB sticks has been called into question 
following the theft of a stick containing unprotected confidential 
patient details at the Nottingham University Hospitals Trust.

Around a third of junior doctors currently use universal serial bus 
(USB) sticks as a means of saving and storing patient data, to pass on 
to other members of the clinical team at the end of a shift.

These should be stored on secure sticks which use at least 129-bit 
encryption protection, to be used solely on the trust’s computers, but 
E-Health Insider has been told that this is far from the case.

Matthew Daunt, a foundation year one doctor at the Nottingham trust, 
told E-Health Insider: “Many junior doctors do not use encrypted USB 
sticks, but instead tend to use the ones provided by drug companies free 
of charge. These records are not protected and can be viewed on any 
computer using software such as Excel, Word or Access.”

In research for the British Medical Journal, Daunt asked 50 junior 
doctors about their electronic storage of patient data. Thirty-six of 
them stored patient data electronically, 20 using a USB stick, three a 
floppy disk, and 13 a hospital computer hard drive.

None of the 20 USB sticks had 128-bit encryption, and only three had 
password protection – even this was still insufficient for the trust’s 
requirements. Four doctors used the same device on their personal 
computer, two of which had patient data stored on them.

Daunt told EHI that the trust had turned a blind eye to this use, until 
they had to inform a patient that his data was potentially in the public 
domain.

“Recently, a USB was stolen from a junior doctor containing highly 
confidential patient data. The trust had an obligation to personally 
inform the patient and now faces a compensation claim. The trust only 
realised then, the extent to which this was against their policy – an 
information governance breach similar to leaving papers alone open to 
theft.

“As a result the trust has been forced to look again at ensuring that 
improved security arrangements are in place that will help ensure that 
this critical way of working, which is more manageable for junior 
doctors, can be done in a safe and controlled way.”

The trust confirmed that its Caldicott guardian and data protection 
adviser has recommended enhanced USB stick security protection to the 
trust, with mandatory password protection.

The trust added that it intends to supply 128-bit secured USB sticks for 
medical firms to use on wards, and an extensive communications programme 
will seek to raise awareness and promote compliance.

Junior doctors used to work by completing handwritten sheets after each 
shift for all their patients so that other clinical staff are aware of 
what treatment action has been undertaken during the previous shifts.

Daunt says that USB sticks have made life a lot easier for ensuring 
continuity of care, but at a time when security and confidentiality are 
high on patients’ concern lists, this must be tackled better.

“Criminals now recognise the value of personal data in the growing 
identity theft market and patients are aware of this too. Security 
protection is paramount to avoiding cases where the practice could be 
called into question. Technology is changing, and doctors are moving 
with the times, but the doctor/patient confidentiality guarantee should 
always be protected.”

© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.





