Concern about USB sticks used for handovers

Tags: Confidentiality encryption HIS Information Information governance iS Security USB sticks

25 Jul 2007

The security of data stored on USB sticks has been called into question following the theft of a stick containing unprotected confidential patient details at the Nottingham University Hospitals Trust.

Around a third of junior doctors currently use universal serial bus (USB) sticks as a means of saving and storing patient data, to pass on to other members of the clinical team at the end of a shift.

These should be stored on secure sticks which use at least 129-bit encryption protection, to be used solely on the trust’s computers but E-Health Insider has been told that this is far from the case.

Matthew Daunt, a foundation year one doctor, at the Nottingham trust, told E-Health Insider: “Many junior doctors do not use encrypted USB sticks, but instead tend to use the ones provided by drug companies free of charge. These records are not protected and can be viewed on any computer using software such as Excel, Word or Access.”

In research for the British Medical Journal, Daunt asked 50 junior doctors about their electronic storage of patient data. Thirty six of them stored patient data electronically, 20 using a USB stick, three a floppy disk, and 13 a hospital computer hard drive.

None of the 20 USB sticks had 128-bit encryption, and only three had password protection – even this was still insufficient for the trust’s requirements. Four doctors used the same device on their personal computer, two of which had patient data stored on them.

Daunt told EHI that the trust had turned a blind eye to this use, until they had to inform a patient that his data was potentially in the public domain.

“Recently, a USB was stolen from a junior doctor containing highly confidential patient data. The trust had an obligation to personally inform the patient and now faces a compensation claim. The trust only realised then, the extent to which this was against their policy – an information governance breach similar to leaving papers alone open to theft.

“As a result the trust has been forced to look again at ensuring that improved security arrangements are in place that will help ensure that this critical way of working, which is more manageable for junior doctors, can be done in a safe and controlled way.”

The trust confirmed that its Caldicott guardian and data protection adviser has recommended enhanced USB stick security protection to the trust, with mandatory password protection.

The trust added that it intends to supply 128-bit secured USB sticks for medical firms to use on wards, and an extensive communications programme will seek to raise awareness and promote compliance.

Junior doctors used to work by completing handwritten sheets after each shift for all their patients so that other clinical staff are aware of what treatment action has been undertaken during the previous shifts.

Daunt says that USB sticks have made life a lot easier for ensuring continuity of care, but at a time when security and confidentiality are high on patients’ concern lists, this must be tackled better.

“Criminals now recognise the value of personal data in the growing identity theft market and patients are aware of this too. Security protection is paramount to avoiding cases where the practice could be called into question. Technology is changing, and doctors are moving with the times, but the doctor/patient confidentiality guarantee should always be protected.”

Links

BMJ www.bmj.com

Readers Comments

Risks in handover times

mary.hawking@nhs.net

26 Jul 07 20:16

Dr Daunt is to be congratulated - and so are the Trust and the junior doctor whose USB stick was stolen for facing the problem. This is bound to be a universal problem: handover - when the care of a patient is transfered from one individual or team to another (handover in hospitals: discharges - and admissions - between secondary and primary care) is recognised as a time when mistakes are particularly likely to occur. That being so, it is inevitable - and desirable - that any new method of making the handover process more efficient will be used. I haven't heard this particular risk - authorised or unauthorised use of removal media such as USB sticks or floppy discs to facilitate handover in Trusts - discussed before. Do any Trusts have policies on this? If not, why not? "Don't do it" is not a policy..

And on hospital PC is worse?

26 Jul 07 22:40

Last Saturday I walked onto a ward in my hospital. The first PC was logged on as "Ward X" - there were about 25 desktop items, which were Word, Excel and Notepad files of Junior Doctors "handover sheets" - full info - name, number, diagnoses, to do lists etc. Two clicks and "print" and it would all have been in anyone's hands - or plug in the USB stick and there it all is in portable format. Yet all the Juniors believe in patient confidentiality, and our hospital has a password protected PAS that allows storing and printing of this data. So why do they not use it? Why do they compromise patient data?

I think we need to use some disciplinary muscle to stamp this out.

Secure Biometric USB Reader

mikehitchens25@btinternet.com

27 Jul 07 03:54

The LME Bio biometric fingerprint reader allows for secure storage of patient identifiable data for a number of registered users and optional secure remote access to a work-based clinical system from anywhere.

(post edited by EHI)

Why is anyone using USB sticks to CARRY data?

swilson@lockstep.com.au

27 Jul 07 05:26

I would have thought that using USB sticks to convey patient data between healthcare workers at changeover would be deprecated on a number of grounds, not just the risk of losing unencrypted information.

Why isn't this data available to all staff concerned on a central EHR/EMR? What needs to be copied to a stick that isn't already available online through a terminal? If data is replicated in an uncontrolled way, the biggest risk isn't that it could fall into the wrong hands; rather, it is that the portable data is modified and comes to diverge from the 'original'. It is supremely important that at no time is there any doubt about the primacy of a given piece of health data.

At changeover, carers should be using a secure key (ideally a smartcard) to access definitive data online, not swapping data on an ad hoc basis through portable media.

Cheers,

Stephen Wilson Managing Director Lockstep

www.lockstep.com.au

Handovers are not just the issue

27 Jul 07 09:11

The use of USB stick per se is an issue. Patient data is required for many activities that are not directly related to active patient care e.g. performance, research, audit, governance data etc. all of which are sensitive in the wrong hands. Anonymised data may, to some extent, protect the patients identity, but will that be enough to protect the NHS organisation in question?

Thats the whole point

27 Jul 07 10:04

Quote: Why isn't this data available to all staff concerned on a central EHR/EMR?

Because the currebt solution is so awaful, too slow and does not provide the information needed in this manner.

The use is common, best plan would be to offer a FREE encrypted sotware utility and insist on its usage.

Because of the size and manner of usb drives, its impossible to ban them, so pointless. better to secure them.

Of course this is a totally irrelevant arguement when I see the consultant orthpaedic surgeon staggering to his car with 15 kilos of patients written notes, locking them in his unsecure car boot and driving to the private hospital to update patients who have opted out.

It's a regular occurence and thiefs can open that car model in 6 seconds

Only the medium has changed

27 Jul 07 10:43

Thirty years ago - when I was a house officer - I kept a small notebook with to-do lists for patients identified through attaching to the page one of the stickers for putting on lab request forms. So did nearly all my colleagues.

This was neither more, nor less, secure that the use of USB sticks.

good point about the paper note book

27 Jul 07 13:08

The ex-house officer makes a good point about the historic use of written notes for hand over, but I expect his hand writing was so illegible that only another doctor could read it.

Nothing new

stressfreedave@hotmail.com

30 Jul 07 11:59

This is nothing new. It was not that long ago it was found most doctors/nurses were using insuficient security when using mobile devices with 1/3 not even having a password for it. Some things never change.

Saying that the doctor and the hospital should be congratulated for facing the problem is wrong. They knew it was happening and if they had stopped it sooner, the USB along with the patients data would not have been stolen. They turned a blind eye and got caught. I fail to see why they deserve praise for facing a problem that ran into them and they could not dodge, let alone keep their job.

In the past data might have been less secure, but that is no reason not to secure it now. The hospital should have had the means to have data stored on teir server so the next consultant could access the data, after all, what happenes to the data on the USB after the patient leaves? They have to store it somewhere, why not store it there right away? Another good example of how IT could be used to protect data but simply not being done.

I have used computer systems where you can not just bwalk away and stay logged in because if you dont use the computer for a set amount of time, you are automatically logged out. Others log you out the min you remove your smart card. I fail to see why Ward X does not do the same

Risks and threats

30 Jul 07 16:48

There are several issues which are highlighted here:

Historic:

A severe underinvestment in IT by the Public Sector in general, and the NHS in particular has resulted in the decline of IT capabilities and the inevitable "home baked" solutions. It would seem evident that part of these solutions has brought about the use of USB sticks and the obvious security risks that these present. Unfortunately, the seemingly unending promise of NPfIT delivering services has made the annual fight for adequate investment in IT even more difficult. (Why invest in a system that will be replaced this year, next year, sometime, never).

The next issue is the proliferation of USB sticks and the real time reduction in cost of this hardware (for USB sticks also read iPod, Mobile Phone, PDA etc). Businesses eager to do business with the NHS will happily hand-out USB Sticks emblazoned with their company name and logo to staff. Unfortunately, staff will use them without giving a second thought with regard to whether they hold virus' trojans or other malware. Ask yourself, could that USB stick contain a small hidden script that will sniff out its competitors names and e-mail files that get a hit?

Furthermore, the level of awareness of Information Governance issues is worryingly low. I always ask our induction sessions, "who has heard of 'information governance' before?", this is followed by "who has heard of the term 'Caldicott Guardian" before?". Even with people who have many years experience in the NHS I am alarmed at the lack of response to either question.

Information Security and Data Protection MUST take a higher profile than currently exists. Will it take the prosecution of a Chief Executive for sufficient resources to be invested in this vital issue.

We can all recount 'horror stories' surrounding the lax controls of patient data but unless something is actually done about it then we shall continue to relate the same stories for many years to come. With the advent of identity theft the general public is becoming more savvy and, sadly, more litigious.

Patient notes should be kept up to date on the master system. There should be no need to carry their details on usb sticks, if there is a need it means a failing system is being 'propped up' by unauthorised and insecure methods and for as long as that happens it will be allowed to remain. If there is a need to transfer patient details between organisations then this should be undertaken in a professional and measured manner in which all the risks have been identified and mitigated.

I could go on, but I think the ramblings of this particular lunatic have gone on for long enough.

INFORMATION GOVERNANCE - THINK IT THROUGH AND DO UNTO OTHERS AS YOU WOULD HOPE THEY WOULD DO UNTO YOU.