The majority of medical professionals believe that NHS policies on portable data security are inadequate and could even breach patient confidentiality.
The survey showed that one in five devices used by the NHS to store data have no security features at all. Moreover, another two in five have only password-controlled access; using basic hacker software downloaded from the Internet, it would take just a few seconds to bypass a basic password, the research by Pointsec Mobile Technologies and the British Journal of Healthcare Computing & Information Management concludes.
The survey polled 117 NHS staff and suppliers, including information managers, IT managers and medical professionals. It found that only one in four respondents used passwords in conjunction with another form of security on their mobile devices, such as encryption, biometrics, smart cards or two-factor authentication. Of the 29 medical professionals polled, only two in five used a password plus another form of security, yet about half accepted that they carried patient records on their devices. The majority felt that this is unacceptable, given concerns about loss or theft of their device.
Commenting on the results, Martin Allen, managing director of Pointsec Mobile Technologies UK, said that this reveals a widespread and serious failure in the way that security policies deal with the risks of mobile devices and in how they are enforced. “This survey shows the medical sector themselves are worried about medical information being held on mobile devices.
It will only be a matter of time before these weaknesses are exploited. Any NHS Trust or organisation downloading sensitive or patient records should automatically encrypt the information.” Most commonly, respondents said they used USB memory sticks/memory cards to download data (76%), followed by laptop/tablet PC (69%), PDA/Blackberry (51%), smartphone (9%) and mobile phone (2%).
Overall, 42% of respondents owned at least one of the devices they used, but half of the NHS respondents were using their own devices.
Other data types stored include: personal contact details (80%), work contact details (75%), corporate data (66%) and security details, including passwords, PINs and bank account details (20%).