The security of data stored on USB sticks has been called into question following the theft of a stick containing unprotected confidential patient details at the Nottingham University Hospitals Trust.

Around a third of junior doctors currently use universal serial bus (USB) sticks as a means of saving and storing patient data, to pass on to other members of the clinical team at the end of a shift.

These should be stored on secure sticks that use at least 128-bit encryption and are used solely on the trust’s computers, but E-Health Insider has been told that this is far from the case.

Matthew Daunt, a foundation year one doctor at the Nottingham trust, told E-Health Insider: “Many junior doctors do not use encrypted USB sticks, but instead tend to use the ones provided by drug companies free of charge. These records are not protected and can be viewed on any computer using software such as Excel, Word or Access.”

In research for the British Medical Journal, Daunt asked 50 junior doctors about their electronic storage of patient data. Thirty-six of them stored patient data electronically, 20 using a USB stick, three a floppy disk, and 13 a hospital computer hard drive.

None of the 20 USB sticks had 128-bit encryption, and only three had password protection – even this was still insufficient for the trust’s requirements. Four doctors used the same device on their personal computer, two of which had patient data stored on them.

Daunt told EHI that the trust had turned a blind eye to this use, until they had to inform a patient that his data was potentially in the public domain.

“Recently, a USB was stolen from a junior doctor containing highly confidential patient data. The trust had an obligation to personally inform the patient and now faces a compensation claim. The trust only realised then the extent to which this was against their policy – an information governance breach similar to leaving papers alone open to theft.

“As a result the trust has been forced to look again at ensuring that improved security arrangements are in place that will help ensure that this critical way of working, which is more manageable for junior doctors, can be done in a safe and controlled way.”

The trust confirmed that its Caldicott guardian and data protection adviser has recommended enhanced USB stick security protection to the trust, with mandatory password protection.

The trust added that it intends to supply 128-bit secured USB sticks for medical firms to use on wards, and an extensive communications programme will seek to raise awareness and promote compliance.

Junior doctors used to work by completing handwritten sheets after each shift for all their patients, so that other clinical staff were aware of what treatment action had been undertaken during the previous shifts.

Daunt says that USB sticks have made life a lot easier for ensuring continuity of care, but at a time when security and confidentiality are high on patients’ concern lists, this must be tackled better.

“Criminals now recognise the value of personal data in the growing identity theft market and patients are aware of this too. Security protection is paramount to avoiding cases where the practice could be called into question. Technology is changing, and doctors are moving with the times, but the doctor/patient confidentiality guarantee should always be protected.”