Intended for healthcare professionals

Letters Using healthcare data

Security protection is needed when using USB sticks

BMJ 2007; 335 doi: (Published 19 July 2007) Cite this as: BMJ 2007;335:112
  1. Matthew Daunt, F1 doctor
  1. Queen's Medical Centre, Nottingham University Hospitals Trust, Nottingham NG7 2UH
  1. mattdaunt{at}

    Current working hours for junior staff mean that effective patient handovers are critical. Handwritten sheets have been superseded by electronic storage of patient data available to the clinical team.1

    Universal serial bus (USB) sticks have greater security risks than other media due to their size, storage capacity, and convenience. Trust policy states that confidential data should be stored on 128-bit encrypted USB sticks, with “if found” labels on them, and be used solely on the trust's computers.

    Criminals now recognise the value of personal data in the growing identity theft market. Recently confidential patient data held on an unprotected USB stick were stolen. The trust had to inform the patient and face liability for distress or damage caused, along with public condemnation (D Terry, personal communication, July 2007). In addition, clinical information is lost permanently, and there is the financial cost of replacing equipment.

    I asked 50 junior doctors about their electronic storage of patient data. Thirty six of them stored patient data electronically, 20 using a USB stick, three a floppy disk, and 13 a hospital computer hard drive. None of the 20 USB sticks had 128-bit encryption, and only three had password protection (still insufficient for the trust's requirements). Four doctors used the same device on their personal computer(s), two of which had patient data stored on them.

    Cognisant of the sensitive patient information held electronically, the Caldicott and data protection adviser has recommended enhanced USB security protection to the trust, with mandatory password protection. The trust intends to supply 128-bit secured USB sticks for medical firms to use on wards, and an extensive communications programme will seek to raise awareness and promote compliance.


    • Competing interests: None declared.


    View Abstract