NHS in move to stem data breaches

The UK has made a start at shedding its reputation as a data breach hotspot with the news that 100 hospitals are to start using encrypted USB sticks from Swedish company BlockMaster.

In one of the biggest public sector procurements ever announced for secure USB sticks, BlockMaster's UK distributor Softek will install 100,000 ‘SafeStick' drives in tandem with the SafeConsole management system over the next two years.

The full list of hospitals involved is not yet public, but named health trusts include George Eliot NHS Hospital Trust in Warwickshire, the Aintree University Hospital NHS Trust, and West Suffolk Hospital NHS Trust.

The trusts involved appear to have clubbed together to source the drives through NHS ‘procurement hubs' after assessing BlockMaster's sticks against rivals on a joint basis.

BlockMaster's SafeSticks are a big step up from the mixture of unsecured drives, DVD and CD media and manually encrypted USB sticks that they will replace in the 100 institutions involved, where the confidential movement of patient data had become hard to guarantee.  Each of the tamper-proof drives features transparent 256-bit AES encryption and secure use features such as lockdown of a drive if accidentally left docked to a PC.

The management console, which the company says can run on any Windows machine, covers everyday issues such as password recovery, remote wiping and management, compliance auditing, and configuration of the drive when used as an authentication token.

"It's fantastic news to see that the NHS is leading the way with USB security. The introduction of best-practice and diligence by organisations will protect sensitive data on portable devices and prevent embarrassing, as well as costly data breaches," said BlockMaster CEO, Daniel Östner.

"The number of unsecure USB sticks lost each year is a problem we cannot sweep under the carpet. We need to be proactive with USB security and not wait for a breach to happen until we think about it," he said.

According to BlockMaster's technical director, Johan Söderström, the NHS testing process for the drives involved throwing drives in a bucket of water and stamping on them, all of which the SafeSticks had managed to survive.

He expected a lost and damaged ‘casualty rate' of roughly three percent of the drives over the deal's two years. "It [the drives] had to be easy to use and hard to make a mistake," he added, underlining the need for simplicity when confronted with untrained users. The drives were designed to be put on keyrings, which he hoped would reduce the chances that they might be lost.

The drives could also resist threats such as the Conficker worm due to the SafeStick's use of its own autorun routine. The company is expected to announce further security features for the drive at London's Infosecurity show at the end of April.

What's driving this sudden interest in the security of these USB sticks in particular? With the UK public sector, the answer is twofold, starting with the humiliating number of data breaches that have hit government and public sector organisations in the last two years. It's also true to say that UK freedom of information laws now make disclosure of breaches by public bodies much harder to hide than was previously the case.

Last month, SanDisk announced a much smaller but still significant contract to supply NHS Dumfries & Galloway in Scotland with 1,100 of its Cruzer Enterprise drives.