Healthcare workers putting patient data at risk

A third of healthcare workers keep confidential information on portable devices without adequate security

Healthcare professionals are putting sensitive patient information at risk by storing records, medical images, contact information and other data on unprotected mobile devices.

A survey of around 1,000 workers from the healthcare industries in the US and the UK found that over a third keep confidential information on laptops, BlackBerrys and USB sticks without adequately securing the data.

The Mobile Device Usage in the Healthcare Sector report was conducted by mobile security firm CredentTechnologies, together with E-Health Insider in the UK and Outpatient Surgery Magazine in the US.

A fifth of respondents admitted to using their own devices to transport patient information, meaning that they are not controlled by IT departments and often breach existing security policies.

Data being stored in this way includes patient demographics, medical research data, diary and patient records and laboratory and operation procedures.

Just over a third of those surveyed rely solely on passwords to secure their work laptops and other mobile devices, an approach seen as wholly inadequate considering the type of information being carried.

Six per cent of UK respondents admitted to storing sensitive patient details with no security whatsoever, jumping to 18 per cent in the US.

Although regulations exist in both territories to protect this type of data, the survey revealed that security practices in the US are still way below the standards upheld in the UK.

Some 56 per cent of healthcare professionals in the UK use strong security to protect their devices. Around 35 per cent use encryption, 17 per cent rely on two-factor authentication, three per cent use biometrics and one per cent use smart cards.

However in the US, just 23 per cent use strong security to protect their mobile devices.

When asked why they were using these potentially dangerous devices, the majority cited convenience, capacity and speed of removal as the primary reason.

Fortunately the report also highlights the positive steps taken in recent months, particularly following the high profile data losses from various government organisations.

Two rounds of instructions and guidance have been issued to NHS chief executives in the past year about the security of data in transit and on mobile devices.

There has also been a dramatic rise in the number of healthcare organisations placing restrictions on the use of mobile devices in the workplace, such as blocks on USB connections, cameras on phones being disabled or people not being allowed to download information from a hospital's network onto a mobile device.

"Anyone who owns a mobile device such as a smartphone or laptop should stop and think whether someone can easily open it," said Michael Callahan, vice president of global marketing at Credent.

"If so, once they are in, could they access patient records, read my emails and then use this information to access the company network, such as the NHS hospital network? If so what damage could they do if they were to assume my identity?"