Apparently junior doctors are toting unencrypted confidential data around on USB sticks, according to an article in E-Health Insider.
One of the sticks, which contained highly confidential patient data, was stolen at Nottingham University Hospitals Trust recently. The trust now faces a compensation claim from the affected patient.
Says E-Health Insider:
"Around a third of junior doctors currently use universal serial bus (USB) sticks as a means of saving and storing patient data, to pass on to other members of the clinical team at the end of a shift.
These should be stored on secure sticks which use at least 129-bit encryption protection, to be used solely on the trust’s computers, but E-Health Insider has been told that this is far from the case.
Matthew Daunt, a foundation year one doctor at the Nottingham trust, told E-Health Insider: “Many junior doctors do not use encrypted USB sticks, but instead tend to use the ones provided by drug companies free of charge. These records are not protected and can be viewed on any computer using software such as Excel, Word or Access.”
In research for the British Medical Journal, Daunt asked 50 junior doctors about their electronic storage of patient data. Thirty-six of them stored patient data electronically, 20 using a USB stick, three a floppy disk, and 13 a hospital computer hard drive.
None of the 20 USB sticks had 128-bit encryption, and only three had password protection – even this was still insufficient for the trust’s requirements. Four doctors used the same device on their personal computer, two of which had patient data stored on them.
Daunt told EHI that the trust had turned a blind eye to this use, until they had to inform a patient that his data was potentially in the public domain."
Calum Macleod, European Director for Cyber-Ark, a company which sells data protection products, said that the practice of storing patient data on an encrypted USB stick is fine in theory, but a potential nightmare to administer.
"Enforcing a policy of encrypting patient data stored on USB sticks is almost impossible, so it's hardly surprising that there should be a security scare over the theft of a stick from a junior doctor," he said.
Macleod said the Hospitals Trust should consider using an encrypted digital vault, accessed over a secure computer network, to maximise patient privacy.