For the Forth Valley NHS Board, the answer is now a resounding ‘Yes’. Of course, it should have been a ‘Yes’ before there was a data breach, and before sensitive patient details were put at risk. However, the Board has now recognised (and has formally committed to ensure) that the only USB sticks available for use by Board staff should be issued by the Board, and that these USB sticks should all be encrypted.
It is, in today’s world of portable media, a basic security step. ISO27001 control A.10.7.1 specifically deals with management of removable media and any organisation implementing this control must (amongst other things) use encryped memory sticks – which can be purchased with USB-resident encryption, so that they are simple to deploy and use in the workplace.