Page last updated at 23:02 GMT, Wednesday, 28 June 2006 00:02 UK

NHS mobile devices 'not secure'

Portable data storage devices are becoming increasingly popular

The NHS is failing to use adequate security on portable data storage devices, according to a survey.

Of the 117 healthcare workers quizzed, almost two thirds use no or inadequate security on their mobile devices.

Medical professionals also admitted to using the devices to store patient information.

The survey was done by the British Journal of Healthcare Computing and Information Management (BJHC&IM) and company Pointsec Mobile Technologies.

Harry Wood, assistant editor of BJHC&IM, said patient confidentiality is being put in jeopardy.

A password alone is not adequate security for mobile devices.
Harry Wood, BJHCIM

The respondents included information managers, IT managers and medical professionals. Two thirds of the 117 worked in the NHS, and a quarter were suppliers to the NHS.

Portable data storage devices are becoming increasingly popular, as they can carry large amounts of data from one place to another. The participants surveyed said they use a mixture of USB memory sticks, laptops, PDAs, smart phones and mobile phones.

Patient records

Nearly two thirds of respondents used their device to store corporate information, and one fifth held security details, such as passwords and pin numbers. Half of the medical professionals who responded said they carried patient records on their devices.

But the survey also revealed that inadequate security was being used to safeguard this information. One fifth of those asked said they did not use any security, and a further two fifths only used password controlled access.

Mr Wood said: "A password alone is not adequate security for mobile devices.

"The data should be encrypted at source where it is held on the organisations network, and then anything that is taken off onto a mobile device is readily encrypted.

"This means that it doesn't matter if it has been password protected or not because you can only get into it if you gave the decryption codes."

Almost 80% of the respondents said there was a security policy in their organisation, but Mr Wood said the survey suggested these policies were not being strictly enforced placing medical records and patient information in jeopardy.

Dr Paul Cundy, a GP from London and the British Medical Association's spokesman for computing in general practice, said: "In the past, data was kept on hard discs, but we are increasingly moving into a mobile data world.

"There needs to be a far greater understanding of the consequences of having electronic records in general.

"One of the problems is that it takes a mishap to really bring things home, and I dare say at some point there will be a story about people having their medical details sold."

A Department of Health spokesman said: "Individual devices and data security are a matter for individual trusts. Each has its own Caldicott guardian who is responsible for data security and clinical confidentiality.

"Any equipment or activity taken through the National Programme for IT will meet stringent security and confidentiality requirements. These requirements were commended in the recent National Audit Office report on the programme."

Advice to doctors

Dr Nicholas Norwell, of the Medical Defence Union, advised doctors not to use computers or portable devices which they use for personal purposes, for work purposes.

He said: "It may seem convenient, but data on hard drives is notoriously difficult to erase and there have been reports of cases where people have bought computers containing patient records.

"It could also be a breach of the Data Protection Act 1988. Even if portable computers have been provided for work purposes, it is still vital that medical professionals take steps to ensure confidential information on them is secure.

"The devices shouldn't be sold on and extra care is needed when the devices are being disposed of."

Privacy fears over NHS database
30 Mar 05 |  Health
Q&A: NHS privacy fears
30 Mar 05 |  Health

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific