NHS Lothian implements USB stick lock-down

  • 9 September 2008

NHS Lothian is taking further action to prevent staff losing data on USB sticks, after a community health worker lost the personal details of 137 patients on a memory stick at the end of June.

Since the loss of the memory stick, which held letters to central Edinburgh GPs, the trust has run a USB stick amnesty and a data security information campaign that has included putting leaflets about its data security policies into staff payslips.

It has also bought a “technological” solution that will give the trust far more control over which staff can carry data on memory sticks and what data they can carry.

Martin Egan, director of e-health, said: “The leaflets we are sending out set out once and for all our policies and processes. We are putting them in pay slips to make sure they reach all staff.

“We have put the message out before, but internal surveys suggest that some staff are ignoring it – so we felt we needed a technical solution as well. That is why we are implementing the USB lock down.

“It will mean that no USB stick can be written to unless it is a bona-fide, NHS Lothian USB stick, and the information is encrypted.” People will be able to read from USB sticks if they need to do this for presentations and projects.

NHS Lothian has bought Lumension Security’s Sanctuary Device Control for the lock-down. Mr Egan said a key factor was that this enables encryption without the user needing administrator rights on their PC. “We do not give those out more than we have to, because that is a security risk in itself,” he said.

The new controls will be linked to the trust’s Active Directory, so it can deploy them on a named individual basis. Mr Egan said it was still collecting old USB sticks and issuing new ones.

“We have purchased 4,000 new USB sticks, which we think will be enough,” he said. “But one of the principles of the new policy is that these will be issued carefully.

“If you are going to hold patient identifiable information on a data stick, you will need explicit permission from the Caldicott Guardian to do it. If you are going to carry day to day corporate data, you will need to have signed all the relevant policies.”

Mr Egan told E-Health Insider he felt the new solution would put the trust back in control of its data. “I feel that using this tool puts me in control,” he said. “Before, we just had to hope that our staff would be doing the right thing and following our policies. Now, we know whether they are doing that.”

NHS Lothian has also bought an encryption solution for its laptops and is “on course” to have them all encrypted by the government deadline of March next year.

 
