E-Health insider is carrying a story about Lothian NHS implementing a tough, but flexible approach to data sharing on USB memory sticks. They are utilising encrypted USB sticks, which will be required to write data to an external medium – your common Staples memory stick will be read only. This is backed up by a more stringent control of USB ports across the Trust in general.One comment on this story seemed to unduly worry about this approach, fearing a reduced flexibility that would result. Now, any Trust worth its salt would have a user space on the network for their own files, so the comment about how users would work cross service does not hold water.

This solution, taken at face value, does seem to offer a level of flexibility while maintaining security. At the end of the day, if the organisation is prepared to go to these lengths, if data security breaches occur following this then it will be the responsibility of the owner of the memory stick.

If there is a valid Trust reason for transferring data (potentially training being so), it stands to reason that an encrypted stick could be issued there is little point in needlessly worrying about having less freedom. This is the result of data losses which will inevitably plague government organisations for many years to come.

It will take episodes such as those faced by Lothian NHS to force other NHS Trusts into the same data protection standpoint. The interesting point is that the system they are implementing makes a lot of sense to me, unlike other examples I have read about where Trusts lock out USB ports completely. Although there is obviously an issue with the capitol investments that is required to provide USB sticks and procure software, this “investment” would seem to be cheaper in the long run opposed to a series of fines and legal proceedings from those affected by data loss.

Well done Lothian NHS.