
Healthcare professionals putting patient data at risk

Credant Technologies : 21 November, 2008  (Technical Article)
Credant survey reveals large numbers of senior healthcare employees are continuing to carry unencrypted sensitive information on mobile storage devices
A transatlantic survey of more than a thousand healthcare professionals has shown that over a third are unwittingly putting personal information at risk by storing patient records, medical images, contact details, corporate data and other sensitive information on mobile devices such as laptops, BlackBerrys and USB sticks - and not adequately securing them.

The "mobile device usage in the healthcare sector" survey was carried out amongst senior clinicians, GPs, policy makers, IT directors, IT and general managers by mobile security experts Credant Technologies, together with E-Health Insider in the UK and Outpatient Surgery Magazine's subscribers in the US.

A fifth of healthcare practitioners use their own devices for work - creating a security nightmare for the NHS if not managed and secured properly!

The use of portable devices in the healthcare sector has escalated due to their ease of use, speed, increased memory capacity and affordability. Alongside the great benefits that these devices bring come huge security and managerial problems for IT departments - especially when a fifth of the staff surveyed said they brought their own devices into work. Many of these could fall beneath the IT security radar! In the US, a third of healthcare professionals surveyed were downloading sensitive details onto their own personal devices - a basic breach of security practice if they were not complying with the security policy set up by their employer.

When asked how these health practitioners are securing their data, many are relying on very basic security. 35% of those in the UK said they were using just a password. Using basic hacker software downloaded from the Internet, it would take 5 minutes to bypass basic passwords made up of a name, dictionary word or easily remembered number.

In the UK, 6% admitted to storing sensitive patient details with no security whatsoever. However, this was even worse in the US, with a shocking 18% having this cavalier attitude to the information they are storing on their devices.

Although healthcare in the US is highly regulated to protect patient data with laws such as HIPAA, security practices in the US are still well below the standards upheld in the UK. In the UK, 56% of healthcare professionals are using strong security to protect their devices, with 35% using encryption, 17% two-factor authentication, 3% biometrics and 1% smart cards, which makes the data difficult for an attacker to access. But in the US, just 23% were using strong security to protect their mobile devices.

The ease with which data can now be downloaded conveniently and quickly onto these portable, high capacity storage devices makes them easy pickings for organised criminals or unscrupulous opportunists, who could target healthcare practitioners in or outside their workplace.

Since the loss of child benefit records by HM Revenue and Customs a year ago, there have been two rounds of instructions and guidance to NHS chief executives about the security of data in transit and data on mobile devices. The survey suggests these have had a positive impact, since 65% of security policies have been revised over the past year. Interestingly, these often place restrictions on the use of mobile devices in the workplace, such as blocks on USB connections, cameras on phones being disabled, or people not being allowed to download information from a hospital's network onto a mobile device. 44% of those surveyed experienced such restrictions in the UK, compared with 30% in the US. And 6% of UK respondents had mobile devices banned totally in the workplace compared with 4% in the US.

The most popular devices used by medical practitioners in the UK are laptops, with 62% of survey respondents saying this was the main device they used. USB sticks came next, at 17%, and BlackBerrys or other handheld devices were used by 13%. The most common type of data stored on these devices was work contacts, with 61% of respondents saying they stored this information. Half stored corporate data and personal contact details, whilst 15% used their devices for security information such as passwords, PINs and bank account details - not so sensible when many of these were being stored with limited security in the first place. 15% stored patient records and medical images.

Examples of the patient information being stored included "patient demographics", "medical research data", "diary and patient records" and "laboratory and operation procedures". However, many respondents were keen to point out that they had very little information of any consequence on their mobile devices - so they believed there was nothing to be concerned about if their device were to fall into the wrong hands.

A quarter of the medical practitioners expressed anxiety that patient details are being held on mobile devices. Many were quite clued up on what the hacking community could get up to, with many commenting that if the hackers really wanted to get to their data they knew they probably could.

Michael Callahan, VP Global Marketing at Credant Technologies said "Anyone who owns a mobile device such as a smartphone or laptop should stop and think - can someone easily open it? If so, once they are in, could they access patient records, read my emails and then use this information to access the company network, such as the NHS hospital network? If so what damage could they do if they were to assume my identity? Obviously the medical profession has a responsibility to protect all our confidential records - so Credant's advice would be for all healthcare IT departments to implement a data-centric information protection solution that includes policy enforcement and centralised management and reporting. In doing this, IT departments can significantly limit patient and other important data exposure even as it resides on personal devices."

Lyn Whitfield, managing editor of E-Health Insider, said: "Our survey reveals some positive trends. It seems that the Department of Health's focus on the security of patient information is having some impact and that NHS trusts are taking this issue seriously at a policy level.

"However, there is a lot still to do in terms of NHS trusts taking control of their networks and the devices that connect to them, or providing staff with good, workable and secure alternatives to carrying information around on USB sticks and other devices. The survey also shows up some examples of very bad practice. Every data breach has the potential to undermine faith in the NHS and its ability to keep patient records secure, so this is not an issue that can fall off the health service's agenda."

Many healthcare professionals admitted to resorting to their own mobile devices to store information because it was much more convenient with the following explanations: "I need to continue to work once I get home", "I am limited to what I can email using my work laptop", "access is controlled so I need to bypass it by using my own device", "network issues (long log-in or load times)", "hardware issues (insufficient work stations)", "need to take data outside the network".

Credant Technologies recommends the following tips for securing data on the move:

1. Encrypt the data on every device you carry if it's sensitive.
2. Get a solution which can detect devices trying to connect to the enterprise and sync up with corporate data.
3. Make sure the encryption solution is transparent to end-users and doesn't interfere with any of your operational activities.
4. IT departments should never leave data security up to the end user. It is imperative that this is controlled and managed centrally. This can also reduce TCO (total cost of ownership), as machines don't need to be locked down or brought into the office to update them.
