The device itself can be password-protected, and the data on it can be encrypted to prevent unauthorised access.
What is encryption?
Software tools are available that will allow you to encrypt data as you save it. In very simple terms the encryption tool will ‘translate’ your data into unreadable code, for which only you or another authorised user will have the key or password to decode it.
Encryption is therefore an important control for ensuring data confidentiality and integrity, as well as authentication, and still allows the sharing of data between authorised users. However, whilst it will strengthen security, encryption does not guarantee it.
You may need to seek further help and advice from your IT support department to further explore how you can use encryption to protect your data.
Further information
NHS Connecting for Health
For information on removable media in the NHS:
nww.connectingforhealth.nhs.uk
For the NHS Confidentiality Code of Practice, visit
Wise Geek
For general information about removable media
/ Remember:
Do
- make sure that you understand your organisation’s information security policy for removable media
- consider who might gain access to information stored on removable media
- use encryption or other protection methods for confidential, personal or sensitive information
- ask for help from an IT expert if you’re not sure how to do this.
- copy files to removable media unless you really need to and it is allowed by your organisation
- leave removable media lying around
- draw attention to the confidential or sensitive nature of data stored on disks and other media by the way they are labeled, even if the data has been encrypted
- attempt to access files from any removable media that you may have found, not even to determine to whom it might belong - it could contain a computer virus; instead you should pass it on to your IT support.
Ref: 4164 /
Good practice guide
Removable media
What is removable media?
Removable media is the term used to describe any kind of portable data storage device that can be connected to and removed from your computer. Typical examples are:
- floppy disks
- data CDs or DVDs
- USB flash memory sticks or pens
- zip drives and portable hard drives.
- MP3 players, eg iPODs
- PDAs (or palmtop computers) and
- some mobile phones and digital cameras.
These devices have become commonplace as a simple means of transferring or sharing data, or as a way of backing up important information. However they also pose a problem for organisations to retain control of the information stored on them.
Preventing people from bringing such devices and media into work is an extremely difficult task. Look at the physical size of much of this media - it’s easily missed in a pocket, briefcase or handbag. Short of instituting an invasive and very workforce unfriendly search policy, keeping devices out of the workplace is virtually impossible.
What are the risks?
The NHS creates and uses a vast amount of confidential and sensitive information and it is critical that this information is well protected against unauthorised access, misuse or tampering. / Data stored on removable media becomes portable, and therefore may carry less protection for security and confidentiality. These items can easily be lost or stolen, and the data contained on them may be accessible by unauthorised users.
Whilst the data resides in the computer it is protected by access controls designed to ensure that only authorised users can read and use that data. Once it has been copied or downloaded to removable media, many of these controls will no longer apply, making it vulnerable.
For the NHS in particular this is likely to be in breach of the Data Protection Act 1998, and against any Confidentiality Code of Practice agreements that all staff must adhere to.
There are further security implications and risks from using removable media to bring unauthorised material into the organisation, such as unlicensed software or virus-infected files.
Some facts
1A survey into the use of portable storage devices by NHS professionals and suppliers has revealed that half of those interviewed use their own devices to store data and 20% of the devices used are left unencrypted with no password protection. [Source: E-Health Insider]
257% said they were worried that patient confidentiality would be breached if their devices fell into the wrong hands. [Source: E-Health Insider]
3The average word processing document or spreadsheet contains between 25k and 50k of data. This means that a 20GB MP3 player could hold over 750,000 documents.
499% of all users who use removable media to transfer data use no encryption to protect their contents. / How does this affect me?
What happens, for example, if you lose your key ring which happens to have attached to it a USB memory stick containing all your downloaded - and unprotected - documents? Documents which may contain confidential or sensitive information?
You’re in luck, of course, if it only gets picked up by an inquisitive passer-by who, after reading it, finds your information is of little interest and better still, returns it if possible. But what happens if the information is accessed by a someone more unscrupulous or a criminal. That information could be used against you or the NHS, where the mere fact that this information got into the public domain in the first place will be headline grabbing news.
On a more personal note, unprotected data stored on removable media could result in you finding that the entire contents of your bank account have been emptied or that you have become a victim of identity theft.
How can I protect my data?
Some organisations have banned the use of this media entirely, and many have restricted the use of the technology to prevent you from copying or downloading data outside the confines of the protected computer network environment.
Even if your organisation does not yet have an information security policy which covers these issues, you should still be mindful of the risks and protect your data accordingly.
Where the use of removable media is allowed, consider what information you are copying and what confidentiality and sensitivity rules may apply to it. How will you ensure that the data remains secure until it is disposed of?