By Andy McCue, 7 August 2003 11:24
Hospital bosses in Greater Manchester have tightened up IT security procedures after a Crewe estate agent found a new £30 memory stick contained confidential details of 13 cancer patients.

A report into the security breach, which happened earlier this year, found that the data had been transferred onto the memory stick when a computer storing a database of patient details was sent for an upgrade. The hospital's IT supplier Pocos took the computer to MBS Computers in Crewe, where the data was copied onto the stick. But the investigation was unable to ascertain how it then came to be sold as new.

Although the investigation cleared staff of any intentional security breach, the hospital board admitted in the report that safeguards should have been in place to stop contractors taking confidential information away from the hospital. Some security changes were already underway at the time of the incident in March but additional measures brought in include training staff in IT security and reminding current suppliers of their responsibilities to protect records.

Security firm SecureWave says it is becoming an increasingly big issue with IT departments concerned about the widespread and relatively uncontrolled use of portable storage devices such as USB memory sticks. Louis Oley, managing director at SecureWave, said the up to 2GB capacity of memory sticks and plug-and-play features in Microsoft Windows 2000 and XP mean they are much more of a threat than 1.44MB floppy disks.

He said: "The sheer size of the capacity of memory sticks, as well as their ease of use, is what is causing real threats and creating huge problems. Even my modest 128MB stick is the equivalent of 90 floppies, enabling unauthorised applications to be run or copies of entire databases to be stolen with impunity and no record of the theft of intrusion."

IT departments need to implement security procedures and software that can centrally control the use of these devices on workstations, make a copy of whatever is copied to them so there is an audit trail and, where appropriate, set limits on how much data can be transferred to memory sticks, said Oley.
