How USB Memory Sticks Compromise Medical Data


The benefits that come from making patients’ records more available using technology must be be balanced against patient privacy. This article deals with perhaps the most convenient way of storing information, the USB memory stick, and highlights the consequent risks to patient privacy, and offers some ways to minimize these risks.

The USB Memory stick

One of the most invidious threats to patient privacy is the growing use of USB memory sticks. They pose a bigger threat than laptops and PDAs because of their small size, consequent convenience and the default mode used by many with no password protection at all. Examples of a privacy breach associated with USB memory sticks from 2008 include:

07/04/08 Lothian NHS worker loses USB containing patient data: A health worker at NHS Lothian has admitted losing a USB memory stick containing personal information of 137 patients. Source: Computer Weekly

09/06/2008 Mentally-ill patients’ details lost: The records of 200 mentally ill patients were lost on a computer memory stick dropped in a road.The highly sensitive information included notes on sexual abuse, drug addiction, self-harm and suicide bids. Source: Daily Mirror

There are a number of levels of risk management that may be deployed to prevent this kind of disaster. Some U.K. NHS organizations have disabled all USB ports to prevent data being removed via USB ports. This may seem draconian but is effective against deliberate as well as accidental harm. Where this is not the case, a usage policy should be implemented where usage of USB memory sticks is permitted only where there is a clear need or benefit. Others may usefully be accommodated by a secure remote login from a desktop machine.

Where USB memory sticks are to be used, they should be encrypted as well as password protected, and suitable sticks provided by the organization. Personal USB memory sticks should be banned.

Staff education is important: the human tendency to believe "it won’t happen to me!" needs to be challenged, before rather than after the event.


There is considerable evidence of breaches in privacy arising from inappropriate use of USB memory sticks. As a health care organization, there is a duty of care to take reasonable steps to prevent privacy breaches, and the steps required are not unreasonable or prohibitively expensive, and should be implemented without delay. However, perhaps surprisingly, although storage of information on USB memory sticks represents a major risk to patient privacy, transmission via faxes represents, in my view an even greater threat, which I shall in explore in a subsequent article.