Colchester Hospital sacks manager over lost laptop
Holiday car break-in leads to dismissal
Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records.
The laptop - which was stolen from the unnamed manager's car in June - contained copies of the personal details and treatment plans of several thousand patients. Thieves took the machine after breaking into the car, which was parked in Edinburgh at the time, where the manager was holidaying.
The computer was password-protected but the data was not encrypted.
Colchester Hospital University NHS Foundation Trust said that the manager involved was dismissed following a disciplinary panel last Friday. "The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality. I again apologise for the distress the theft of this laptop may have caused," said Peter Murphy, chief executive of Colchester Hospital University NHS Foundation Trust.
Data loss cock-ups are all too common and rarely result in anyone being shown the door.
Jamie Cowper, director of marketing at PGP, said that responsibility for implementing adequate security policies ultimately rests at board level.
"Technologies such as encryption should be implemented and managed on an enterprise-wide basis, not left up to the individual. Unless there is evidence of grievous misconduct, the responsibility for data security should lie with the organisation as a whole – and that means that in cases such as this, punishment should be top-down rather than bottom-up." ®
Information Security Policies, Standards, and Procedures?
The article did not mention any information security policies, standards, and procedures at the Colchester University Hospital. Are there any? Did the unnamed manager violate policy or was he a scapegoat? Did he take the laptop during the holiday because he might be on-call and he needed the laptop? Or was he watching porn on the company laptop, hence why he needed the laptop during the holiday?
Draft policy at one of the largest PCTs
<q>When travelling, laptops must not be carried in open view but must be locked in the boot of a car and removed once the journey is complete. If laptops are taken home by staff they must be kept safely and securely; this means that other members of their family and/or their friends/colleagues must not be able to access or use the laptop.
All laptops that leave the security of a PCT building must be encrypted even if the laptop is only to be used for remote access to NHS information systems.</q>
Encryption software has been approved within the last two months. Prior to that the policy read:
<q>Furthermore person-identifiable data must not be stored on a laptop unless it is located and remains in a secure area i.e. an area which does not allow public access, unless the laptop has been encrypted.
At present the Trust is unable to encrypt removable media and is waiting for CfH to complete its central procurement of one or more encryption tools that will assist NHS organisations to secure their patient and other sensitive data.
Information on the use of removable media should have been submitted by managers to the Head of Information Governance as part of the data mapping exercise. This information will be used to identify where there is an operational need for encryption and to inform a planned approach to the use of encryption software once a national solution is available.</q>
Anonymous for obvious reasons
Read what I said before. If I know the NHS and the attitude many managers have towards the IT department and security, the IT department has sent him about 50 emails telling him to bring the laptop in to be encrypted and he's ignored them.