NHS slammed for ignoring mobile data security

Healthcare professionals are 'complacent' about data kept on mobile devices

The National Health Service is failing to provide adequate security for potentially sensitive data held on mobile storage devices, research claimed today.

A survey investigating mobile device usage in the UK healthcare sector carried out by Pointsec and the British Journal of Healthcare Computing & Information Management found that one fifth of the devices used to store UK healthcare data have no security at all, and a further two-fifths have just password-controlled access.

Only a quarter of respondents use passwords with another form of security, such as encryption, biometrics, smartcard or two-factor authentication.

Respondents included information managers, IT managers and medical professionals. Two thirds of the 117 who responded to the survey were in the NHS and a quarter were suppliers to the sector.

About half of the medical professionals polled regularly carry patient records on a mobile device. The majority of medical professionals used a password alone for security.

One doctor commented that his security was sufficient because he used "the initials of one of his patients as his password". Two-fifths used higher levels of security, but a small number had no security at all.

Comments from respondents included a claim that there was minimal chance of loss or theft and a minimal chance of misuse.

Another said that his patients "could not afford to pay for blackmail and they probably wouldn't care if others knew" about their medical records. Two respondents believed that the risk to security was no worse than having information on paper.

But over half expressed anxiety that patient details are being held on mobile devices. The biggest concerns were that a lost or stolen device could breach patient confidentiality (57 per cent) and that the information "could get into the wrong hands and be abused" (50 per cent).