A third of healthcare professionals leave data security to chance?

London - 19^th November 2008A transatlantic survey of more than a thousand healthcare professionals has shown that over a third are unwittingly putting personal information at risk by storing patient records, medical images, contact details, corporate data and other sensitive information on mobile devices such as laptops, BlackBerrys and USB sticks - and not adequately securing them.

 

The “mobile device usage in the healthcare sector” survey released today was carried out amongst senior clinicians, GPs, policy makers, IT directors, IT and general managers by mobile security experts Credant Technologies, together with E-Health Insider in the UK and Outpatient Surgery Magazine’s subscribers in the US.

A fifth of healthcare practitioners use their own devices for work – creating a security nightmare for the NHS if not managed and secured properly!

The use of portable devices in the healthcare sector has escalated due to their ease of use, speed, increased memory capacity and affordability.  Alongside the great benefits that these devices bring come huge security and managerial problems for IT departments - especially when a fifth of the staff surveyed said they brought their own devices into work. Many of these could fall beneath the IT security radar! In the US, a third of healthcare professionals surveyed were downloading sensitive details onto their own personal devices – a basic breach of security practice if they were not complying with the security policy set up by their employer.

 

35% of healthcare practitioners rely on just passwords to secure their work laptops and other mobile devices

When asked how these health practitioners are securing their data, many are relying on very basic security. 35% of those in the UK said they were using just a password. Using basic hacker software downloaded from the Internet, it would take 5 minutes to bypass basic passwords made up of a name, dictionary word or easily remembered number.

 

In the UK, 6% admitted to storing sensitive patient details with no security whatsoever. However, this was even worse in the US, with a shocking 18% having this cavalier attitude to the information they are storing on their devices. 

 

UK better at security than the US – but still pretty slack!

Although healthcare in the US is highly regulated to protect patient data with laws such as HIPAA, security practices in the US are still way below the standards upheld in the UK. In the UK, 56% of healthcare professionals are using strong security  to protect their devices with 35% using encryption, 17% two factor authentication, 3% biometrics, 1% smart cards, which makes data difficult to access if you are a cracker.  But in the US, just 23% were using strong security to protect their mobile devices.  

 

The ease with which data can now be downloaded conveniently and quickly onto these portable, high capacity storage devices makes them easy pickings for organised criminals or unscrupulous opportunists, who could target healthcare practitioners in or outside their workplace. 

 

Recent spate of breaches has had a positive impact on the healthcare sector

Since the loss of child benefit records by HM Revenue and Customs a year ago, there have been two rounds of instructions and guidance to NHS chief executives about the security of data in transit and data on mobile devices. The survey suggests these have had a positive impact, since 65% of security policies have been revised over the past year. Interestingly, these often place restrictions on the use of mobile devices in the workplace, such as blocks on USB connections, cameras on phones being disabled, or people not being allowed to download information from a hospital’s network onto a mobile device. 44% of those surveyed experienced such restrictions in the UK, compared with 30% in the US. And 6% of UK respondents had mobile devices banned totally in the workplace compared with 4% in the US.

 

Laptops still loved by healthcare professionals worldwide – then comes their USB sticks!

The most popular device used by medical practitioners in the UK are laptops, with 62% of survey respondents saying this was the main device they used. USB sticks came next, at 17% and BlackBerrys or other handheld devices were used by 13%.  The most common type of data stored  on these devices were work contacts, with 61% of respondents saying they stored this information. Half stored corporate data and personal contact details, whilst 15% used their devices for security information such as passwords, PINs and bank account details - not so sensible when many of these were being stored with limited security in the first place.  15% stored patient records and medical images. 

 

Some of the patient information that was being stored were “patient demographics”, “medical research data”, “diary and patient records”, “laboratory and operation procedures.” However, many respondents were keen to point out that they had very little information of any consequence on their mobile devices - so they believed there was nothing to be concerned about if their device was to fall into the wrong hands.

 

Quarter of healthcare professionals worried about patient details being held on mobile devices

A quarter of the medical practitioners expressed anxiety that patient details are being held on mobile devices. Many were quite clued up on what the hacking community could get up to, with many commenting that if the hackers really wanted to get to their data they knew they probably could.

 

Michael Callahan, VP Global Marketing at Credant Technologies said “Anyone who owns a mobile device such as a smartphone or laptop should stop and think – can someone easily open it? If so, once they are in, could they access patient records, read my emails and then use this information to access the company network, such as the NHS hospital network? If so what damage could they do if they were to assume my identity? Obviously the medical profession has a responsibility to protect all our confidential records – so Credant’s advice would be for all healthcare IT departments to implement a data-centric information protection solution that includes policy enforcement and centralised management and reporting.  In doing this, IT departments can significantly limit patient and other important data exposure even as it resides on personal devices.”

 

Lyn Whitfield, managing editor of E-Health Insider, said: “Our survey reveals some positive trends. It seems that the Department of Health’s focus on the security of patient information is having some impact and that NHS trusts are taking this issue seriously at a policy level.

 

“However, there is a lot still to do in terms of NHS trusts taking control of their networks and the devices that connect to them, or providing staff with good, workable and secure alternatives to carrying information around on USB sticks and other devices. The survey also shows up some examples of very bad practice. Every data breach has the potential to undermine faith in the NHS and its ability to keep patient records secure, so this is not an issue that can fall off the health service’s agenda.”

 

Many healthcare professionals admitted to resorting to their own mobile devices to store information because it was much more convenient with the following explanations: “I need to continue to work once I get home”, “I am limited to what I can email using my work laptop”, “access is controlled so I need to bypass it by using my own device”, “network issues (long log-in or load times)”, “hardware issues (insufficient work stations)”, “need to take data outside the network”.

 

BOX OUT

Credant Technologies recommend these following tips to securing data on the move

1 Encrypt the data on every device you carry if it’s sensitive.

2 Get a solution which can detect devices trying to connect to the enterprise and sync up with corporate data.

3 Make sure the encryption solution is transparent to end-users and doesn’t interfere with any of your operational activities.

4. IT departments should never leave data security up to the end user.  It is imperative that this is controlled and managed centrally  This can also reduce TCO (total cost of ownership) as machines don’t need to be locked down or bought into the office to update them.

 

ENDS

 

Notes to Editors

The “mobile device usage in the healthcare sector” survey was conducted in the UK and US amongst 1,000 healthcare professionals . It was carried out on the E-health Insider website in the UK and sent to Outpatient Surgery Magazine’s subscribers in the US.  If you would like to see a copy of the findings please contact Yvonne Eskenzi Tel: 020 71832 832 or email This email address is being protected from spambots. You need JavaScript enabled to view it.

 

More about Credant Technologies

 

About CREDANT Technologies

CREDANT Technologies is the market leader in endpoint data protection solutions that are critical components of an endpoint protection platform. CREDANT’s data security solutions preserve customer brand and reduce the cost of compliance, enabling business to “protect what matters.” CREDANT Mobile Guardian is the only centrally managed endpoint data protection solution providing strong authentication, intelligent encryption, usage controls, and key management that guarantees data recovery. By aligning security to the type of user, device and location, CREDANT ensures the audit and enforcement of security policies across all computing endpoints. Strategic partners and customers include leaders in finance, government, healthcare, manufacturing, retail, technology, and services. CREDANT was selected by Red Herring as one of the top 100 privately held companies and top 100 Innovators for 2004, and was named Ernst & Young Entrepreneur Of The Year 2005. Austin Ventures, Menlo Ventures, Crescendo Ventures, Intel Capital, and Cisco Systems are investors in CREDANT Technologies. For more information, visit www.credant.com.

 

More about E-Health Insider

E-Health Insider is the UK’s leading website for coverage of the healthcare IT industry and NHS IT issues. It is visited by policy makers, IT directors, IT and general managers working in the NHS, senior clinicians, GPs and others passionate about the potential of IT or specific issues, such as confidentiality and consent. EHI’s weekly newsletter goes out on Thursdays to more than 22,000 subscribers. It also runs events and awards. www.e-health-insider.com