NHS organisations have tightened up on mobile device security in response to the recent spate of data breaches from the public sector, an E-Health Insider survey suggests.

A year ago this week, Chancellor Alastair Darling was forced to tell Parliament that HM Revenue and Customs had put the personal details of 25m child benefit claimants onto two CDs and lost them in the post.

The widely publicised loss prompted a review of government data security, more powers for Information Commissioner Richard Thomas, and tougher penalties for data breaches.

NHS chief executive David Nicholson wrote to all chief executives in December 2007, telling them to review information governance arrangements and encrypt data in transit. The message was reinforced in a further “dear chief executive” letter in September.

EHI’s survey, sponsored by Credant and completed by 300 readers at the start of October, suggests that trusts are acting on these messages. Almost all respondents said their organisation had an IT or information security policy and 65% said this had been revised in the past year.

The survey also found that organisations are moving to ban or restrict the use of mobile devices, such as laptops, personal digital assistants and USB sticks. Six per cent of respondents said their organisation banned such devices outright and 44% said their use was restricted.

However, there was less evidence that organisations are taking steps to actively enforce their policies. Twenty six per cent of respondents said polices were given to staff, and 42% said they were published on a corporate intranet.

Only 12% said they were enforced by warnings or other network action – although 11% said they were supported by physical measures, such as USB ports being glued up or blocked.

The survey also found there is work to do in terms of providing staff with good, secure alternatives to carrying information around on potentially insecure devices. Thirty nine per cent of respondents said they used mobile devices because they needed to take data outside a secure network and 28% said they used them simply because they were “convenient and easy.”

There was also evidence of poor practice. A fifth of respondents said they used their own, rather than employer-owned devices at work, and only 36% said they were protecting data with encryption – while 29% said they used only a password and 5% said they used no security at all.

Despite this, 73% of respondents said they felt the data on their mobile devices would be safe from identity thieves, hackers and others who might use it for personal gain.

This might be because relatively few respondents said they carried patient data on mobile devices. Only 9% said they carried patient records and 6% medical images.

However, 15% said they carried security information, such as passwords, while 45% said they carried personal contact details and 61% work contact details – some of which could potentially help social engineers and hackers.

Michael Callahan, VP Global Marketing at Credant Technologies, said: “Credant’s advice would be for all healthcare IT departments to implement a data-centric information protection solution that includes policy enforcement and centralised management and reporting.

"In doing this, IT departments can significantly limit patient and other important data exposure even as it resides on personal devices.”

A similar survey was run in the US. It reinforces the impression that action to tackle high profile data breaches are having an effect in the UK. Only 4% of US respondents said mobile devices were banned and 30% said they were restricted, while 18% said they used no security at all on the data they contained.

Related article:

Left to their own devices?