Docs store unsecured patient data on memory sticks

Computerworld UK - Doctors are carrying around unencrypted patient data on USB memory sticks, according to stinging research carried out in a London hospital.

But the National Health Service (NHS) maintained it is taking the right steps to protect data, and that clinicians have to follow guidelines that insist on the encryption of identifiable patient data.

In a study conducted in one London hospital, clinicians Sven Putnis and Andrew Bircher found that 92 of 105 doctors surveyed carried memory sticks, Health Service Journal reported. Some 79 of these memory sticks held confidential patient information, but only five doctors had followed NHS rules and encrypted their data.

The authors said the information included patient names and birth dates, alongside X-ray results, diagnoses and treatment details, HSJ reported.

Calling the results "worrying," the researchers said there was "no reason why this lack of security would not be mirrored in surveys across every hospital in the U.K. and beyond."

They said data collection and processing had made patient care "more efficient," but that it was important the technology was monitored "to ensure we uphold patients' rights to privacy."

But the NHS hit back at the findings, saying it had issued clear instructions to local trusts that all identifiable patient data on portable devices has to be encrypted.

Dr. Simon Eccles, medical director at Connecting for Health, told Computerworld U.K. that typically patients were assigned codes that meant such records would be unidentifiable to anyone but staff.

"[NHS chief executive] David Nicholson quite rightly said that any portable device that contains identifiable information must be encrypted," he said, adding that the NHS is rolling out McAfee SafeBoot software across all hospitals to protect the data.

But he added: "At the end of the day, the responsibility for data must rest with the individual clinician." Ideally, data should be both unidentifiable and encrypted, he said.

A spokesperson at the Department of Health added: "The NHS locally has legal responsibility to comply with data protection rules."

NHS patients have suffered data losses in recent months. In June, two NHS trusts lost unencrypted laptops containing 31,000 patient records.

Reports of data losses in the NHS have raised concerns over the $22.1 billion National Programme for IT, which is building a central spine of patient data accessible by NHS staff with a smart card and passcode. In the summer, analysts said the NHS should urgently reconsider the program, and weigh up the benefits of patients carrying their own data instead.

In August, it emerged that across the public sector, the data of one in every 15 people in the country had been lost in one year alone.