Measures taken by doctors to safeguard confidentiality, especially of electronic records, are severely deficient and fuel the concerns of those responsible for policing data security, say the authors of a letter to the British Medical Journal.

The signatories to the letter draw their conclusions from a survey of 32 surgical trainees invited to complete a questionnaire about their Data Protection Act registration and electronic data confidentiality practices.

They report: “Of 29 responders, 26 trainees regularly computerised and stored patients’ data. One person was registered with the Data Protection Act. Only three of 14 desktops, eight of 19 laptops, and three of 14 handheld computers forced a password logon. Sixteen of 29 trainees used the same password for all machines, and 25 of 27 passwords were less than eight characters long.

“All desktops, 16 of 19 laptops, and five of 14 handhelds were routinely connected to the internet, and half of these had not had their online security settings adjusted. Of 29 trainees, 28 did not encrypt their sensitive data files. Ten trainees had sent patients’ data unencrypted over the internet, using a non-secure server.”

The signatories, Damian Mole, a research fellow in surgery at Queen's University Belfast, together with Colin Fox, information technology manager, and Giulio Napolitano, information technology and security manager, both of the Northern Ireland Cancer Registry, conclude that the trainees' confidentiality practices are unsafe and speculate that their findings are unlikely to be confined to this group.

Medical IT security training has been started for the surgical trainees and the letter’s authors urge others to initiate similar programmes before a serious breach occurs.