NHS clinicians risking patient data

Doctors are breaking data protection rules by carrying unencrypted data on USB devices

UK clinicians are putting patient data at risk by carrying information on unprotected USB sticks, according to a new report.

Research by two clinicians at a London teaching hospital published in Health Service Journal found that 92 out of 105 doctors carried memory sticks with them.

But only five out of the 79 USB devices which held confidential patient information were password protected.

This contravenes data protection rules and exposes the NHS to the kind of data loss scandal that has affected several central government departments in recent months.

Matthew Brown, vice president of products at data loss prevention firm Workshare, said that the first step towards correcting the problem should be an "information audit" to gain insight into how data flows in and out of the organisation.

This should be complemented by technologies such as encryption and access controls, he added.

"Implementing policies is not enough. You cannot simply stop employees from downloading information onto USB devices as they will just find a way around it to do their job," said Brown.

"The NHS must proactively look at how its information is being used, and take steps to ensure that risks are stopped before they have a chance to happen."

Neil Yeomans, partner in the IT security practice at consultancy firm Deloitte, explained that the Department of Health has already issued information governance standards and guidelines, and warned that unintended breaches can be as damaging as criminal acts.

"It is clear that the solution to managing such a risk requires flexibility and is as much about people and culture and changing behaviour as it is about process and technology," he added.