Data watchdog slaps Southampton Uni hospital
Physician, encrypt thyself
Posted in Management, 25th January 2010 07:02 GMT
Mark Hackett, chief executive of Southampton University Hospital NHS Trust, has promised to deal properly with data security after one of his staff lost a laptop computer with 33,000 patients' records on it.
The laptop was left unattended in a retinal scan van. It was password protected but not encrypted. It was attached to the van by cable but this was cut during the theft.
Sally-Anne Poole, head of investigations at the Information Commissioner's Office, said: “Storing large volumes of personal information on portable devices is unnecessarily risky. Why were so many records downloaded on to an unencrypted laptop in the first place? It is vital that NHS organisations ensure their staff handle personal information securely.”
The theft happened last October.
Hackett promised the ICO he would make sure encryption was used on all mobile and portable devices, that physical security would be sufficient to stop unauthorised access to data, and that his staff would know the rules and be properly trained in keeping data safe. ®
COMMENTS
Encryption and money
Our Trust has had laptops encrypted. Unfortunately we were dependent on our HIS (Health Informatic Services) to do this. That was when they told us they had no list of laptops issued (wtf!!!). Yes, they logged the number of the laptop, but they couldn't get a list out of their system (these are IT people ffs).
We started a process of buying pre-encrypted USB sticks, but our finance department put that on hold. Why? Buying them will cost money, but if we don't then people bring their own (unencrypted) and that doesn't cost us money.
So why do public bodies lose confidential information? Simple. Look at the overpaid directors and Chief Execs who have to stop their people ordering envelopes, paper, encryption support etc. in order to have the money to pay their £100,000 salaries.
password protected but not encrypted
Has anyone stopped to consider how the legitimate user accesses an encrypted drive? Using a password maybe? If so, although the encryption protects against reading the raw drive if removed from the system, it does little more than the password to protect the entire running system.
The strongest protection for an entire system against casual or brute force attack at the login interface is a limitation on password retries, and although this can be specified in system policies it's hardly ever done. Other attack scenarios (and they're numerous) require different approaches. Encryption solves some of them but leaves others untouched.
When will we stop insisting on limited pseudo-panaceas for security without undertaking proper analysis of the realities of the problems?
WTF
The NHS Trust I work for has rolled out hard disk encryption on ALL mobile devices, not just laptops. I thought this was supposed to be the same for any NHS Trust, so WTF are they doing allowing a mobile device to be unencrypted in the first place, let alone with patient identifiable data to be stored on it instead of on a server.
The IT department managers and whoever was storing the data locally should have their arses kicked most severely.
wtf
I work for another NHS area. All our mobile devices are encrypted (albeit with Mccrapy safeboot) and anyone requiring portable storage gets an encrypted USB drive. We also use data loss prevention software that only allows encrypted drives (and anything else we allow) to be plugged into USB ports. Not hard, is it?
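The two comments above make separate points: full-disk encryption protects the data on a stolen or removed drive, while a retry limit at the login screen is what protects a running, powered-on device, and device control keeps unapproved USB storage off the estate. The following audit script is an added example, not code from the article, the ICO or any of the commenters. It assumes a Windows 8 / Server 2012 or later machine with the BitLocker PowerShell module installed, an English-language system (the `net accounts` output is parsed by its English labels), and an elevated prompt. It reports which volumes (including inserted removable drives) are not fully protected and whether any account lockout threshold is set at all.

```powershell
# Added example (not from the article or commenters): per-volume BitLocker status plus
# the local account lockout threshold, so an unencrypted laptop or an unlimited-retry
# login policy shows up before the device leaves the building.
# Assumptions: Windows 8 / Server 2012+, BitLocker module present, English locale, elevated.

function Get-EncryptionReport {
    # One row per volume BitLocker knows about: OS volume, fixed data volumes and any
    # removable (BitLocker To Go) drive currently inserted.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $_.ProtectionStatus    # On, Off or Unknown
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
            # "Encrypted" is not enough: protection must be On and encryption finished.
            Compliant        = ($_.ProtectionStatus -eq 'On' -and $_.VolumeStatus -eq 'FullyEncrypted')
        }
    }
}

function Get-LockoutThreshold {
    # Parse 'Lockout threshold:' from 'net accounts'. Returns 0 when the policy is
    # "Never" (no limit on password retries), the configured number otherwise,
    # or $null if the line could not be found (non-English locale, command failed).
    $text = (net accounts 2>$null) -join "`n"
    if ($text -match 'Lockout threshold:\s*(\S+)') {
        $value = $Matches[1]
        if ($value -eq 'Never') { return 0 }
        return [int]$value
    }
    return $null
}

# --- report ---------------------------------------------------------------
$report = Get-EncryptionReport
$report | Format-Table -AutoSize

$unprotected = $report | Where-Object { -not $_.Compliant }
if ($unprotected) {
    Write-Warning ("Volume(s) not fully protected: " + (($unprotected.MountPoint) -join ', '))
}

$threshold = Get-LockoutThreshold
if ($null -eq $threshold) {
    Write-Warning "Could not read the account lockout policy (non-English system or 'net accounts' failed)."
} elseif ($threshold -eq 0) {
    Write-Warning "Lockout threshold is 'Never': unlimited password retries at the login screen."
} else {
    Write-Output "Account lockout threshold: $threshold invalid attempts before lockout."
}
```

Run it at the point a laptop is issued and again as a scheduled job; a device whose OS volume is not `FullyEncrypted` with protection `On`, or whose lockout threshold is `Never`, is the case both commenters are describing. On a domain-joined machine the effective threshold comes from the domain password policy, which `net accounts` still reflects for the local machine's view.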
The buck stops here
"Hackett promised the ICO he would make sure encryption was used on all mobile and portable devices, that ..."
...he would personally pay a huge fine from his own wages ??
After all, his huge wages are because of the responsibility he has, and in this he has failed. 30 years ago it may have been excusable that he didn't know about the risks of data loss, but after so many articles even in the normal press, there is no excuse.
People that are in these positions of responsibility, earning top money should personally pay for the mistakes in management made below them. In this way, they will have a better incentive to do their job properly. (carrot AND stick)