Mobile device threat to patient information
The use of mobile devices is making it difficult to secure patient records.
The survey was carried out among senior clinicians, GPs, policy makers, IT directors, IT and general managers by mobile security experts Credant Technologies, working with E-Health Insider in the UK and Outpatient Surgery Magazine’s subscribers in the US.
The use of portable devices in healthcare has grown because of their convenience, speed, increased memory capacity and affordability. But they bring security and managerial problems for IT departments, especially as a fifth of those surveyed bring personal devices to work.
In the US, a third of healthcare professionals surveyed downloaded sensitive details onto personal devices.
In the UK, 6% of respondents admitted to storing sensitive patient details without any security, compared to 18% in the US.
Around 35% of healthcare practitioners rely on nothing more than a password to secure work laptops and other mobile devices.
In the UK, 56% of healthcare professionals are using strong security to protect their devices, with 35% using encryption, 17% two-factor authentication, 3% biometrics, and 1% smart cards. In the US, just 23% of respondents are using strong security to protect their mobile devices.
There have been two rounds of instructions and guidance to NHS chief executives about the security of data in transit and data on mobile devices in the past year.
The survey suggests these have worked, since 65% of security policies have been revised in the past year. The policies now often restrict the use of mobile devices in the workplace, blocking USB connections, disabling cameras on phones, and prohibiting the download of information from a hospital network to a mobile device.
Of respondents, 44% have experienced such restrictions in the UK, compared with 30% in the US. And 6% of UK respondents have faced a total mobile device ban in the workplace, compared with 4% in the US.
The most popular device used by UK medical practitioners is a laptop, at 62% of survey respondents. USB sticks are used by 17%, and BlackBerrys or other handheld devices by 13%.
The most common type of data stored is work contacts, by 61% of respondents. Half store corporate data and personal contact details, while 15% use mobile devices to hold security information such as passwords, PINs and bank account details, the same proportion as use them to store patient records and medical images.
Survey respondents are using mobile devices to store patient demographics, medical research data, diary and patient records, as well as laboratory and operation procedures.
A quarter of those surveyed worried that patient details were being held on mobile devices.
Michael Callahan, VP global marketing at Credant Technologies, said: “Anyone who owns a mobile device such as a smartphone or laptop should stop and think – can someone easily open it? If so, once they are in, could they access patient records, read my emails and then use this information to access the company network, such as the NHS hospital network? If so what damage could they do if they were to assume my identity?
“Obviously the medical profession has a responsibility to protect all our confidential records, so Credant’s advice would be for all healthcare IT departments to implement a data-centric information protection solution that includes policy enforcement and centralised management and reporting. In doing this, IT departments can significantly limit patient and other important data exposure even as it resides on personal devices.”
Lyn Whitfield, managing editor of E-Health Insider, said: “Our survey reveals some positive trends. It seems that the Department of Health’s focus on the security of patient information is having some impact and that NHS trusts are taking this issue seriously at a policy level.
“However, there is a lot still to do in terms of NHS trusts taking control of their networks and the devices that connect to them, or providing staff with good, workable and secure alternatives to carrying information around on USB sticks and other devices. The survey also shows up some examples of very bad practice. Every data breach has the potential to undermine faith in the NHS and its ability to keep patient records secure, so this is not an issue that can fall off the health service’s agenda.”