The Register® — Biting the hand that feeds IT

Feeds

Colchester Hospital sacks manager over lost laptop

Holiday car break-in leads to dismissal

By John Leyden, 12th August 2008
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records.

The PC - which was stolen (pdf) from the unnamed manager's car in June - contained copies of the personal details and treatment plans of several thousand patients. Thieves took the machine after breaking into the car, which was parked in Edinburgh at the time, where the unnamed manager was holidaying.

The computer was password-protected but the data was not encrypted.

Colchester Hospital University NHS Foundation Trust said (pdf) that the manager involved was dismissed following a disciplinary panel last Friday. "The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality. I again apologise for the distress the theft of this laptop may have caused," said Peter Murphy, chief executive of Colchester Hospital University NHS Foundation Trust.

Data loss cock-ups are all too common and rarely result in anyone been shown the door.

Jamie Cowper, director of marketing at PGP, said that responsibility for implementing adequate security policies ultimately rests at board level.

"Technologies such as encryption should be implemented and managed on an enterprise-wide basis, not left up to the individual. Unless there is evidence of grievous misconduct, the responsibility for data security should lie with the organisation as a whole – and that means that in cases such as this, punishment should be top-down rather than bottom-up." ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (73)
Latest Comments
Anonymous Coward
Anonymous Coward

Information Security Policies, Standards, and Procedures?

The article did not mention any information security policies, standards, and procedures at the Colchester University Hospital. Are there any? Did the unnamed manager violate policy or was he a scapegoat? Did he take the laptop during the holiday because he might be on-call and he needed the laptop? Or was he watching porn on the company laptop, hence why he needed the laptop during the holiday?

0
0
Anonymous Coward
Anonymous Coward

Draft policy at one of the largest PCTs

<q>Laptops

When travelling laptops must not be carried in open view but must be locked in the boot of a car and removed once the journey is complete. If laptops are taken home by staff they must be kept safely and securely, this means that other members of their family and/or their friends/colleagues must not be able to access or use the laptop.

All laptops that leave the security of a PCT building must be encrypted even if the laptop is only to be used for remote access to NHS information systems.</q>

Encryption software has been approved within the last two months. Prior to that the policy read:

<q>Furthermore person-identifiable data must not be stored on a laptop unless it is located and remains in a secure area i.e. an area which does not allow public access, unless the laptop has been encrypted.

At present the Trust is unable to encrypt removable media and is waiting for CfH to complete its central procurement of one or more encryption tools that will assist NHS organisations to secure their patient and other sensitive data.

Information on the use of removable media should have been submitted by managers to the Head of Information Governance as part of the data mapping exercise. This information will be used to identify where there is an operational need for encryption and to inform a planned approach to the use of encryption software once a national solution is available.</q>

Anonymous for obvious reasons

0
0
Anonymous Coward
Anonymous Coward

@Matt

Read what I said before. If I know the NHS and the attitude many managers have towards the IT department and security, the IT department has sent him about 50 emails telling him to bring the laptop in to be encryped and he's ignored them.

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19