Survey reveals NHS failing to secure data on mobile devices

A survey of the healthcare sector on the use of portable data storage devices has found that almost two thirds use no or inadequate security and that half of those in the NHS use their own equipment to store data — a basic breach of security practice.

A survey into “Mobile device usage in the healthcare sector” carried out by Pointsec Mobile Technologies and the British Journal of Healthcare Computing & Information Management has revealed that one fifth of the devices used to store data have no security on them at all and a further two fifths have only password-controlled access – which does not guarantee security from hackers. Using basic hacker software downloaded from the Internet it would take a few seconds to bypass a basic password.

Just a quarter of respondents used passwords with another form of security, including encryption, biometrics, smart card and two-factor authentication. Respondents included information managers, IT managers, medical professionals and a range of other job titles. Two thirds of the 117 who responded to the survey were in the NHS and a quarter were suppliers to the sector.

USB memory sticks/memory cards (76%) were the most popular mobile device to be used to download data in the healthcare sector followed by laptop/tablet PC (69%), PDA/Blackberry (51%), smartphone (9%) and mobile phone (2%). Advances in technology have resulted in the ability to store gigabytes of information not just in these devices but also MP3 music players, cameras, voice recorders etc. The easy availability of tiny, high capacity storage devices such as USB memory sticks and memory cards makes it very easy for a person to carry unnoticed large amounts of data such as patient records or sensitive corporate data.

Overall, 42% of respondents owned at least one of the devices they used, but half of the NHS respondents were using their own devices to aid them in their everyday work. The most common type of data stored was personal contact details (80%), while three quarters stored work contact details. Nearly two thirds stored corporate data and an amazing fifth of the healthcare workers who were interviewed held security details — which could include passwords, PIN numbers and bank account details.

About half of the medical professionals carried patient records on a mobile device. The majority of medical professionals used a password alone for security. One Doctor commented that his security was okay because he used “the initials of one of his patients as his password”. Two-fifths used higher levels of security, but a small number had no security at all. Comments from respondents included a claim that there was minimal chance of loss or theft and a minimal chance of misuse. Another wrote “my patients couldn’t afford to pay for blackmail and they probably wouldn’t care if others knew” [about their medical records]. A couple thought that the risk to security was no worse than having information on paper.

Over half expressed anxiety that patient details are being held on mobile devices. The biggest concerns were that if a device is lost or stolen it would breach patient confidentiality (57%) and that the information “could get into the wrong hands and be abused” (50%). This still leaves, however, a large number who didn’t show any concern and thought that security was adequate.

The number of devices that have been lost is surprisingly high. A quarter of respondents had lost a device themselves, and a similar number knew of a colleague who had lost one. However, about half found their devices again and none said there were any consequences from the loss. One reason given for losing a device was that it was in a car accident and “probably at the bottom of a deep water filled ditch”! A small number of colleagues, however, were subject to disciplinary action and one, who had lost a PDA belonging to a local authority chief executive had even lost their job.

The survey shows that a large number of people are using their own devices for carrying data such as work contacts, corporate data and even medical records, which is a basic failure of security policy. Two thirds of the devices have no or inadequate security and there appears to be a lack of appreciation of the security risks among a large number of users. About 80% said that there was a security policy in their organisation, but the results of the survey show clearly that there is widespread and serious failure in the way that security policies deal with the risks of mobile devices and are enforced.

Martin Allen – Managing Director of Pointsec Mobile Technologies UK said “There is much documented evidence of patients who are worried about the safe-keeping of electronic medical records, but this survey shows the medical sector themselves are worried about medical information being held on mobile devices which are not being secured by their NHS Trust. It will only be a matter of time before these weaknesses are exploited as it is very easy to steal or pick up a mobile device and access the information for ill-purposes. Mobile devices seem to be falling through the security net and our advice is that any NHS trust or organisation downloading sensitive or patient records should automatically encrypt the information. That way security no longer becomes an issue it becomes second nature and works in the background.”