NHS Lothian implements USB stick lock-down

09 Sep 2008

NHS Lothian is taking further action to prevent staff losing data on USB sticks, after a community health worker lost the personal details of 137 patients on a memory stick at the end of June.

Since the loss of the memory stick, which held letters to central Edinburgh GPs, the trust has run a USB stick amnesty and a data security information campaign that has included putting leaflets about its data security policies into staff payslips.

It has also bought a “technological” solution that will give the trust far more control over which staff can carry data on memory sticks and what data they can carry.

Martin Egan, director of e-health, said: “The leaflets we are sending out set out once and for all our policies and processes. We are putting them in pay slips to make sure they reach all staff.

“We have put the message out before, but internal surveys suggest that some staff are ignoring it – so we felt we needed a technical solution as well. That is why we are implementing the USB lock down.

“It will mean that no USB stick can be written to unless it is a bona-fide, NHS Lothian USB stick, and the information is encrypted.” People will be able to read from USB sticks if they need to do this for presentations and projects.

NHS Lothian has bought Lumension Security’s Sanctuary Device Control for the lock-down. Mr Egan said a key factor was that this enables encryption without the user needing administrator rights on their PC. “We do not give those out more than we have to, because that is a security risk in itself,” he said.

The new controls will be linked to the trust’s Active Directory, so it can deploy them on a named individual basis. Mr Egan said it was still collecting old USB sticks and issuing new ones.

“We have purchased 4,000 new USB sticks, which we think will be enough,” he said. “But one of the principles of the new policy is that these will be issued carefully.

“If you are going to hold patient identifiable information on a data stick, you will need explicit permission from the Caldicott Guardian to do it. If you are going to carry day to day corporate data, you will need to have signed all the relevant policies.”
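The write-only-to-approved-encrypted-sticks rule, the read exception for presentations, and the per-user entitlements for patient-identifiable and corporate data described above can be modelled as a small policy evaluator with an audit trail. The following is an added example, not NHS Lothian's configuration or Lumension Sanctuary's code; identifying a trust-issued stick by its serial number, the field names and the sample serials and users are all assumptions made for illustration.

```python
"""Added example (not NHS Lothian's or Lumension's code): a model of the
removable-media policy described in the article, so the decision rules can be
exercised and audited. Identifying an approved stick by serial number and the
field names below are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class DataClass(Enum):
    """Data categories named in the article's policy."""
    PATIENT_IDENTIFIABLE = "patient_identifiable"
    CORPORATE = "corporate"
    NON_SENSITIVE = "non_sensitive"   # e.g. a training presentation


@dataclass(frozen=True)
class Device:
    serial: str          # assumed: trust-issued sticks are known by serial
    encrypted: bool      # encryption state as reported by the device-control agent


@dataclass(frozen=True)
class User:
    name: str                         # AD account the policy is applied to
    signed_policies: bool = False     # prerequisite for day-to-day corporate data
    caldicott_approval: bool = False  # explicit permission for patient data


# Constructed allow-list of trust-issued stick serials (sample values).
APPROVED_SERIALS = frozenset({"NHSL-0001", "NHSL-0002"})


def evaluate(user: User, device: Device, operation: str,
             data_class: DataClass) -> tuple[bool, str]:
    """Return (allowed, reason) for one access attempt.

    Reads are always allowed (presentations, projects); writes require an
    approved, encrypted stick plus the user entitlement for the data class.
    """
    if operation == "read":
        return True, "read permitted on any device"
    if operation != "write":
        return False, f"unknown operation {operation!r}"
    if device.serial not in APPROVED_SERIALS:
        return False, "write blocked: not a trust-issued stick"
    if not device.encrypted:
        return False, "write blocked: stick is not encrypted"
    if data_class is DataClass.PATIENT_IDENTIFIABLE and not user.caldicott_approval:
        return False, "write blocked: no Caldicott Guardian approval"
    if data_class is DataClass.CORPORATE and not user.signed_policies:
        return False, "write blocked: user has not signed the data policies"
    return True, "write permitted"


def audit_line(user: User, device: Device, operation: str,
               data_class: DataClass) -> str:
    """Format one decision as an audit record, so the trust can see what staff
    actually do rather than hoping they follow policy."""
    allowed, reason = evaluate(user, device, operation, data_class)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={user.name} device={device.serial} "
            f"encrypted={device.encrypted} op={operation} "
            f"class={data_class.value} reason={reason!r}")


def run_sample() -> list[str]:
    """Constructed sample of access attempts; returns the audit records."""
    nurse = User("j.smith", signed_policies=True)
    gp_liaison = User("a.jones", signed_policies=True, caldicott_approval=True)
    trust_stick = Device("NHSL-0001", encrypted=True)
    personal_stick = Device("RETAIL-9F3A", encrypted=False)
    attempts = [
        (nurse, personal_stick, "read", DataClass.NON_SENSITIVE),
        (nurse, personal_stick, "write", DataClass.NON_SENSITIVE),
        (nurse, trust_stick, "write", DataClass.CORPORATE),
        (nurse, trust_stick, "write", DataClass.PATIENT_IDENTIFIABLE),
        (gp_liaison, trust_stick, "write", DataClass.PATIENT_IDENTIFIABLE),
    ]
    return [audit_line(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The point of the `audit_line` records is the one Mr Egan makes later in the piece: once every write attempt is decided by an enforced rule and logged, the trust knows whether staff are following the policy instead of hoping they are. In a real deployment the allow-list and user entitlements would come from the directory and the device-control console rather than constants in the script.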

Mr Egan told E-Health Insider he felt the new solution would put the trust back in control of its data. “I feel that using this tool puts me in control,” he said. “Before, we just had to hope that our staff would be doing the right thing and following our policies. Now, we know whether they are doing that.”

NHS Lothian has also bought an encryption solution for its laptops and is “on course” to have them all encrypted by the government deadline of March next year.


Lyn Whitfield

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

1

The return of the Silo

ted.yeoman@nhs.net

09 Sep 08 09:45

So which group do people delivering training fit into?

How do people working across organisation get to move their files from one place to another?

Improve security of data, yes, BUT beware of the unintended consequences.


2

Loss of Freedom is Inevitable

09 Sep 08 12:09

Any Trust worth its salt would have a user space on the network for their own files, so the comment about how users would work cross service does not hold water.

This solution, taken at face value, does seem to offer a level of flexibility while maintaining security. At the end of the day, if the organisation is prepared to go to these lengths, if data security breaches occur following this then it will be the responsibility of the owner of the memory stick.

If there is a valid Trust reason for transferring data (potentially training being so), it stands to reason that an encrypted stick could be issued – there is little point in needlessly worrying about having less freedom. This is the result of data losses which will inevitably plague government organisations for many years to come.

It will take episodes such as those faced by Lothian NHS to force other NHS Trusts into the same data protection standpoint. The interesting point is that the system they are implementing makes a lot of sense to me – unlike other examples I have read about where Trusts lock out USB ports completely. Although there is obviously an issue with the capital investment that is required to provide USB sticks and procure software, this “investment” would seem to be cheaper in the long run as opposed to a series of fines and legal proceedings from those affected by data loss.

Well done Lothian NHS.


3

How to move data without USB sticks??

gregory.sayer@smhp.nhs.uk

10 Sep 08 09:34

It's called a network!


4

4000?

10 Sep 08 11:28

4000 memory sticks seems an awful lot. Even with encryption there is the strong possibility that some of these would be lost.

I would question the processes in place if they genuinely need 4000 memory sticks.


5

There is no Network!

ted.yeoman@nhs.net

10 Sep 08 11:59

If you work across organisations (2 PCTs, 2 Acute Trusts, 1 Mental Health Trust and 2 Local Authorities) as I do, or if you travel around the country giving presentations as others I know do... there is no Network.

There is no single login available to allow me to access the files I have on my "home" network. I need to take them with me otherwise the copies get out of synch.

I have no problem with an encrypted stick provided all the organisations are using the same encryption and will recognise each other's keys. But there is no standard.

I don't have patient sensitive information.


6

Google

10 Sep 08 16:17

Ted,

Just use Google mail as your file server.


7

Can't use Google mail

11 Sep 08 10:54

My trust blocks access to all mail portals due to the risks of introducing viruses onto the trust network.


8

Different country - different rules

11 Sep 08 14:29

If Scotland had to adhere to the same monitoring processes as England this might not have happened. By the end of Jan this year all CEOs had to self-declare to the DoH that they had either suspended all insecure flows of data or put remedial action in place to secure data flows following the loss of the HMRC data. My Trust was able to purchase relevant network controls and encrypted sticks and communicate to staff within a month. No fuss, no bother, just got on and did it. Laptop hard drives were done at the same time. It's time that public services report to the same monitoring mechanisms, legislation etc. so everyone is on the same playing field.

4000 does sound an awful lot; there are about 3,800 staff members in my Trust and we have issued 170 to those who have a genuine need to transport information this way.

Lothian obviously has not mapped its data flows to see if their transfers of information are necessary and relevant. Again, another mandated DoH requirement and also contained in the Information Governance Toolkit.

We also have staff who work across Trusts, Universities, Social Care etc., and unless everyone had NHS.net email addresses you would have confidential information unencrypted over the internet, e.g. nhs.uk to gov.uk to ac.uk. There is no common network – thanks to the commercial decision by CfH and Cable & Wireless. Wales doesn't have access to NHS.net. Also there is no common electronic patient record, so some information is held in incompatible systems!


9

worrying posts

12 Sep 08 14:01

"Just use Google mail as your file server." huh? I'd hope this was a joke, but with many of the people who post on here it's hard to be so optimistic. (see the reply to this "suggestion")

Limiting personal data storage to trust encrypted sticks is a fantastic step forward, but is it the appropriate solution here? And if live data, rather than fictitious, is being used for training purposes has it been anonymised?


10

This is not just about Patient Information

ted.yeoman@nhs.net

15 Sep 08 10:05

Patient information should never be downloaded from a Network to another form of storage unless it is absolutely essential, transfer of information from GP to hospital for example.

However there are lots of things, from student nurses' presentations to Finance Directors' reports to the SHA, that are created on one network that need to be opened on another or on stand-alone machines.

In the absence of an agreed protocol for encrypting USB sticks etc., and by locking out un-encrypted / non-trust sticks, how is this information to be achieved?

I currently use NHS.net as a back up to sticks but have found numerous meeting rooms without internet access (to prevent inappropriate access?) in areas where I have worked.


11

Cabinet Office Mandates

22 Sep 08 11:31

One of the key things which has occurred since the original HMRC data breach is that the Cabinet Office has issued a mandate for security minimums.

Originally this was aimed at "CPI" (Confidential Personal Information), but in June, after the embarrassment of the files being left outside the Foreign Office, it was extended to cover "data".

Other respondents are absolutely correct about data interoperability. DoH came up with a product, yet most areas that could have taken advantage of that offer decided to evaluate and implement their own solutions.

I had an interesting chat with a Department (government sense) last week, and they have cut down the number of people who legitimately need to be able to have write access to media to 9-900 from 100,000! They did this by evaluating data flows and then setting up the proper controls over data movement to ensure the "Delivery Chain" was maintained.

Most of the data losses that I have seen reported so far have been inexcusable as there were other options for the transfer, or if it had been properly risk assessed it should have been realised that extra precautions were required.

Until the culture of "freedom of movement" is updated to include "when it's safe and secure to do so" along with "I have a legal right to move this data", then breaches will keep occurring.


12

What about BT N3 token and NHSMail to deal with remote working?

01 Oct 08 08:42

4000 USB sticks? One is definitely going to get stolen. Another is definitely going to be mislaid. It's a no brainer. We do need to define the best solution for that. It is a national not a one trust issue. Surely every trust coming up with their own solution is a risk? Working remotely? BT N3 token if you can get the IT support needed to install it. Maybe AwayFromMyDesk for home but not LogMeIN whose servers are in USA and subject to US law and snooping by the state. What about email? You can encrypt attachments and deal with the problems that poses, particularly if lots of "local" solutions exist. So why not use NHSMail xxx@nhs.net? You can access this from any connection, so if your files needed were there you could get them from anywhere.
