If I knew any common sense at all, I think I would say that sensitive information you don't want people to get a hold of, such as this... should simply not be on a portable device, such as a flash drive. Let's stick with keeping that info in a storage/server room, shall we?
[citation][nom]jedimasterben[/nom]That would only work, chickenhoagie, if that data didn't need to be accessed from somewhere else not on that network. And on a semi-unrelated note, I have that EXACT same flash drive![/citation]
A better PHI company should use a removable drive encryption software that doesn't let the computer users copy any files to a CD or USB stick without encrypting them. I have such software where I work.
I would also have an issue with someone even needing to copy any PHI to a USB stick to begin with.
Another school of thought is, if you let them do it (copy data for remote access), then should you suspend them if it gets lost? I mean he was hardly doing it to sell on the black market, most likely knowing the underpaid NHS, he wanted to work from home. If you invest in a globally accessible site with good security (dongles perhaps) that does not easily allow you to transfer the records locally then they wouldn't have this problem, instead of going heavy-handed on what was probably a very hard-working doctor.
I don't know the reason for copying staff information or patient information on a USB stick. That should be confidential and only available to people who already have access to the network and that data should not be allowed to leave the facility.
There is never a reason that an employee of a medical facility would ever need to take a patient's records out of that facility. If records are being transferred to another care provider, there are already procedures in place for that.
No, there is simply no excuse for this information to ever be on a thumb drive, or for that matter, anyone's computer. It should be on a centralized storage server, and access should only be through secured remote terminals or terminal software (i.e. secured SQL server with Access front end, and only accessible on-site).
The amount of personal information that gets lost on laptops, thumb drives, etc. is just disgusting.