List: isn
Subject: [ISN] Concern about USB sticks used for handovers
From: InfoSec News <alerts () infosecnews ! org>
Date: 2007-07-26 7:07:38
Message-ID: Pine.LNX.4.61.0707260207230.6910 () conundrum ! infosecnews ! org

http://www.e-health-insider.com/news/item.cfm?ID=2894

25 July 2007

The security of data stored on USB sticks has been called into question
following the theft of a stick containing unprotected confidential
patient details at the Nottingham University Hospitals Trust.

Around a third of junior doctors currently use universal serial bus
(USB) sticks as a means of saving and storing patient data, to pass on
to other members of the clinical team at the end of a shift.

These should be stored on secure sticks which use at least 128-bit
encryption protection, to be used solely on the trust's computers, but
E-Health Insider has been told that this is far from the case.

Matthew Daunt, a foundation year one doctor at the Nottingham trust,
told E-Health Insider: "Many junior doctors do not use encrypted USB
sticks, but instead tend to use the ones provided by drug companies free
of charge. These records are not protected and can be viewed on any
computer using software such as Excel, Word or Access."

In research for the British Medical Journal, Daunt asked 50 junior
doctors about their electronic storage of patient data. Thirty-six of
them stored patient data electronically, 20 using a USB stick, three a
floppy disk, and 13 a hospital computer hard drive.

None of the 20 USB sticks had 128-bit encryption, and only three had
password protection – even this was still insufficient for the trust's
requirements. Four doctors used the same device on their personal
computer, two of which had patient data stored on them.

Daunt told EHI that the trust had turned a blind eye to this use, until
they had to inform a patient that his data was potentially in the public
domain.

"Recently, a USB was stolen from a junior doctor containing highly
confidential patient data. The trust had an obligation to personally
inform the patient and now faces a compensation claim. The trust only
realised then, the extent to which this was against their policy – an
information governance breach similar to leaving papers alone open to
theft.

"As a result the trust has been forced to look again at ensuring that
improved security arrangements are in place that will help ensure that
this critical way of working, which is more manageable for junior
doctors, can be done in a safe and controlled way."

The trust confirmed that its Caldicott guardian and data protection
adviser has recommended enhanced USB stick security protection to the
trust, with mandatory password protection.

The trust added that it intends to supply 128-bit secured USB sticks for
medical firms to use on wards, and an extensive communications programme
will seek to raise awareness and promote compliance.

Junior doctors used to work by completing handwritten sheets after each
shift for all their patients so that other clinical staff are aware of
what treatment action has been undertaken during the previous shifts.

Daunt says that USB sticks have made life a lot easier for ensuring
continuity of care, but at a time when security and confidentiality are
high on patients' concern lists, this must be tackled better.

"Criminals now recognise the value of personal data in the growing
identity theft market and patients are aware of this too. Security
protection is paramount to avoiding cases where the practice could be
called into question. Technology is changing, and doctors are moving
with the times, but the doctor/patient confidentiality guarantee should
always be protected."

© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.