NHS slammed for ignoring mobile data security

Healthcare professionals are 'complacent' about data kept on mobile devices

The National Health Service is failing to provide adequate security for potentially sensitive data held on mobile storage devices, research claimed today.

A survey investigating mobile device usage in the UK healthcare sector carried out by Pointsec and the British Journal of Healthcare Computing & Information Management found that one fifth of the devices used to store UK healthcare data have no security at all, and a further two-fifths have just password-controlled access.

Only a quarter of respondents use passwords with another form of security, such as encryption, biometrics, smartcard or two-factor authentication.

Respondents included information managers, IT managers and medical professionals. Two thirds of the 117 who responded to the survey were in the NHS and a quarter were suppliers to the sector.

About half of the medical professionals polled regularly carry patient records on a mobile device. The majority of medical professionals used a password alone for security.

One doctor commented that his security was sufficient because he used "the initials of one of his patients as his password". Two-fifths used higher levels of security, but a small number had no security at all.

Comments from respondents included a claim that there was minimal chance of loss or theft and a minimal chance of misuse.

Another said that his patients "could not afford to pay for blackmail and they probably wouldn't care if others knew" about their medical records. Two respondents believed that the risk to security was no worse than having information on paper.

But over half expressed anxiety that patient details are being held on mobile devices. The biggest concerns were that a lost or stolen device could breach patient confidentiality (57 per cent) and that the information "could get into the wrong hands and be abused" (50 per cent).

This still leaves a large percentage who did not show any concern and thought that security was adequate.

The number of devices that have been lost is surprisingly high. A quarter of respondents had lost a device themselves, and a similar number knew of a colleague who had lost a device.

However, about half found their devices again and none said that there were any consequences from the loss.

USB memory sticks/memory cards were identified by the research as the most popular mobile device to be used to download data in the healthcare sector at 76 per cent of respondents, followed by laptop/tablet PC (69 per cent), PDA/BlackBerry (51 per cent), smartphone (nine per cent) and mobile phone (two per cent).

The easy availability of tiny, high capacity storage devices such as USB memory sticks and memory cards "makes it very easy for a person to carry unnoticed large amounts of data such as patient records or sensitive corporate data", the report warned.

Overall, 42 per cent of respondents owned at least one of the devices they used, but half of the NHS respondents were using their own devices to aid them in their everyday work.

The most common type of data stored was personal contact details (80 per cent), while three-quarters stored work contact details.

Nearly two-thirds stored corporate data and a fifth of the healthcare workers who were interviewed held security details, which could include passwords, Pins and bank account details.

Martin Allen, managing director of Pointsec Mobile Technologies UK, said: " There is much documented evidence of patients who are worried about the safe-keeping of electronic medical records.

"But this survey shows that the medical sector itself is worried about medical information being held on mobile devices which are not being secured by their NHS Trust."