USB Security: UK NHS Signs Up For Encrypted USB Sticks.

It looks like the National Health Service (NHS) in the UK has had enough of the constant loss of USB sticks that contain confidential patient information.  And while their decision is a sound one, it still leaves a question: what about pre-existing USB memory sticks?  And what about employees’ own USB drives?  I’d say they need USB security and data encryption software that can account for these potential security lapses as well.

NHS Buys 100,000 Encrypted USB Sticks

According to this article, the NHS has signed an exclusive contract to distribute 100,000 secure USB sticks to hospitals throughout the UK.  These USB memory sticks are encrypted from the start, so users can start using them right away, knowing that if a USB memory stick is lost afterwards, the contents will be protected.

Of course, one would have to take the time to set up a password, I assume.  But otherwise, if NHS staff throughout the UK use these secure USB memory sticks, data breaches from lost USB sticks will be a thing of the past.

What About Existing And Personal Memory Sticks?  Is There USB Security For Those?

However, such optimistic predictions must be reined in a bit.  While I have no doubt that data security will be much improved once these secure USB sticks are deployed, I expect data breaches from lost, missing, and stolen USB sticks to continue in the foreseeable future, albeit at much lower occurrence rates.

The reason?  There is no mention of USB ports being secured, and many people have a habit of not following data security policies if the policies don’t suit them.

We all know that people fail to follow policies–otherwise, there would be no need to fire people, discipline them, defend the company against harassment suits, etc.  One thing these encrypted USB sticks won’t solve is the problem of employees bringing in their own USB disks and using them to transfer data.  And what’s going to happen when those get lost?

There are many scenarios, but I can definitely imagine a concerned citizen picking it up and alerting the media, which has happened too many times in the past couple of years.  So, pre-deployed USB security on memory sticks, while a big part of the security picture, cannot solve what I imagine to be a big part of the data security risks the NHS is facing, and will continue to face.

Obtain USB Security Via USB Memory Stick Data Security Software

There is also the issue of what to do with the old USB sticks.  I mean, technically, they’re a data security threat because you can’t just toss them away or resell them.  In order to keep data integrity, many experts will recommend that these be disposed of–as in, burnt or crushed.

I don’t know how many of these things the NHS has lying around, but mass disposal could be a very expensive proposition.  Rather, they could explore the use of encryption software to secure the contents of these normal (average? Generic?  Not pre-encrypted?) USB devices.  An endpoint security solution like AlertBoot could be used to easily and rapidly protect the contents of such devices, and increase overall USB security.

Secure USB Ports, Too

Or, instead of encrypting, NHS could use port control software to manage which devices can have access to NHS computers.

This way, a whitelist policy could be created for all 100,000 secure USB sticks that the NHS has signed up for, so that data may be read and copied to these devices.  At the same time, all other devices would be locked out: stick it into the port, but nothing happens.
