Keep it safe

A lost USB stick could mean more trouble than you imagine

IN OCTOBER 2009 a laptop containing the patient records of 33,000 diabetics is stolen from an unlocked retinal screening vehicle in Southampton. Earlier in July thieves take a laptop computer from an Audiology Department in Maidstone with sensitive personal data of 33 patients. This happens just a month after Ashford and St Peter’s Hospitals NHS Trust reports that digital files providing full diagnosis and treatment records of cancer patients on three USB memory sticks have been either lost or stolen. The data is unprotected and saved in Word format so is easily accessible by anyone with access to a computer.

It seems there has been a flood of such stories over the last few years – and many more can be found on the ‘Enforcement’ page of the Information Commissioner’s Office website (www.ico.gov.uk). The ICO is the independent government authority set up to “uphold information rights in the public interest” and part of its remit is the enforcement of the Data Protection Act. This is the legislation that governs the protection of personal data in the UK and part of the ICO remit is to investigate and take action against unwarranted breaches of patient confidentiality.

The increasing digitalisation of patient data has meant that large-scale breaches are becoming all too common. In the last two years NHS organisations were responsible for 30 per cent of the security breaches reported to the ICO, with most of these resulting from burglaries and theft. The majority of ICO enforcement actions are directed at Trusts and other healthcare organisations rather than individual doctors but this does not mean you are not at risk if treating patient data in a careless manner.

Know the rules

Most doctors are not expected to be experts on electronic data security. In its core guidance on confidentiality The General Medical Council states: “Unless they have a relevant management role, doctors are not expected to assess the security standards of large-scale computer systems provided for their use in the NHS or in other managed healthcare environments.”

But the guidance does make clear that as a doctor you “should familiarise yourself with and follow policies and procedures designed to protect patients' privacy where you work and when using computer systems provided for your use. This includes policies on the use of laptops and portable media storage devices.”

In general, sensitive data held on a laptop or other portable device such as an USB data key should be encrypted and accessible only by password. Such precautions require some technical expertise and this should be provided by your employing Trust or other body. Your main responsibility as a doctor is to follow these guidelines; otherwise you are likely to be subject to disciplinary procedures and possible sanctions from the GMC if you are found to be the cause of a data breach.

Should you feel that adequate procedures are not in place where you work the GMC is clear on the matter:

“If you are concerned about the security of personal information in premises or systems provided for your use, you should follow the advice in Good Medical Practice on Raising concerns about patient safety (GMP, 2006) including concerns about confidentiality and information governance.”

Just having policies in place is sometimes not enough. In December 2008 a USB data stick used routinely to back-up clinical administrative databases went missing from Her Majesty's Prison Preston.

A thorough search never turned up the data stick which held medical details relating to over 6,000 patients who were or had been incarcerated at the prison. It later emerged that the data stick had indeed been encrypted but the password had been attached to the device on a piece of paper.

An honest admission

Such obvious failings may seem hard to credit but most often data losses are the result of healthcare staff not being aware of their responsibilities or simply thinking “it won’t happen to me”. In a recent MDDUS case a young doctor taking part in a clinical audit used his personal USB data key to transfer patient details to another computer. The data key then went missing and he phoned the MDDUS in a panic.

MDDUS medico-legal adviser Dr Gail Gilmartin commented: “The most important thing to do if you discover unprotected data has been lost or stolen is to be honest and report it as soon as possible to your supervisor or the data controller in the hospital or practice where you are working. To delay is only likely to make the situation worse.”

She added: “Better though to have a good understanding of the data security policies and procedures where you work and stick to them. Taking short cuts is simply not worth the risk.”

Jim Killgore is editor of MDDUS Summons