Mark Hackett, chief executive of Southampton University Hospital NHS Trust, has promised to deal properly with data security after one of his staff lost a laptop computer with 33,000 patients' records on it. The laptop was left unattended in a retinal scan van. It was password protected but not encrypted. It was attached to the …
were 33,000 patients' records on a laptop? And WTF is the medical purpose of a 'retinal scan van'? This looks like a rich mother lode.
"And WTF is the medical purpose of a 'retinal scan van'?"
Mostly checking for diabetic retinopathy, plus a few other things. Put the kit in a van and several hospitals/clinics can share it, rather than bringing people to the big hospital just to do something Spec Savers could do.
What is the point.....
of either the DPA 1998 or the ICO, since they are both a total waste of space? I don't know what it would take for anyone to get any more than a mild telling off from the ICO, and no one cares whether they break the Act or not.
I mean, seriously!
Do they really need patient records on laptops? seriously. why not just use a VPN and keep the actual records somewhere secure.
"Retinal scan van"
Eye diseases or mass surveillance exercise?
The problem with getting this sort of thing done is it's not very exciting. It demands planning, staff cooperation and an awareness that information is important. Dull virtues until someone gets slapped with a fine.
The buck stops here
"Hackett promised the ICO he would make sure encryption was used on all mobile and portable devices, that ..."
...he would personally pay a huge fine from his own wages ??
After all, his huge wages are because of the responsibility he has, and in this he has failed. 30 years ago it may have been excusable that he didn't know about the risks of data loss, but after so many articles even in the normal press, there is no excuse.
People that are in these positions of responsibility, earning top money should personally pay for the mistakes in management made below them. In this way, they will have a better incentive to do their job properly. (carrot AND stick)
The NHS Trust I work for has rolled out hard disk encryption on ALL mobile devices, not just laptops. I thought this was supposed to be the same for any NHS Trust, so WTF are they doing allowing a mobile device to be unencrypted in the first place, let alone with patient identifiable data to be stored on it instead of on a server.
The IT department managers and whoever was storing the data locally should have their arses kicked most severely.
I work for another NHS area, all our mobile devices are encrypted (albeit with Mccrapy safeboot) and anyone requiring portable storage gets an encrypted USB drive, we also use data loss prevention software that only allowed encrypted drives (and anything else we allow) to be plugged into other USB ports, not hard is it?
Let's bolt the stable door after the horse has gone
FFS, how much FAIL is there in government controlled places / IT
let me guess
The van was scheduled to visit 33,000 patients that day?
This is simply inexcusable. They wouldn't tow a lorry full of filing cabinets along behind them with files for every patient they might possibly bump in to, so why do the same thing digitally?
The whole thing smacks of incompetence. "don't worry we tied the laptop to the van with one of those flimsy security cables" Yeah it's not like a thief would ever have a pair of bolt cutters handy.
Should've gone to Specsavers
They can do retina scans, as can many other retail opticians. Why does anyone need vans for this?
Fingering The Thief
Was Wacky Jacky anywhere nearby when the theft took place? Our wondrous government will stop at nothing to get our DNA and iris prints into their database, so what better method of nicking the data from one of the eye units and pretending it was done by Joe the Bandit.
"... after one of his staff lost a laptop computer with 33,000 patients' records on it. ... It was attached to the van by cable but this was cut during the theft."
This is obviously a new meaning of the word 'lost' of which I was previously unaware.
Thank you, El Reg
PH because she lost it years ago.
Encryption and money
Our Trust has had laptops encrypted. Unfortunately we were dependent on our HIS (Health Informatic Services) to do this. That was when they told us they had no list of laptops issued (wtf!!!). Yes, they logged the number of the laptop but they couldn't get a list out of their system (these are IT people ffs).
We started a process of buying pre-encrypted USB sticks, but our finance department put that on hold. Why? Buying them will cost money, but if we don't then people bring their own (unencrypted) and that doesn't cost us money.
So why do public bodies lose confidential information? Simple. Look at the overpaid directors and Chief Execs who have to stop their people ordering envelopes, paper, encryption support etc. in order to have the money to pay their £100,000 salaries.
Why did my post disappear?
password protected but not encrypted
Has anyone stopped to consider how the legitimate user accesses an encrypted drive? Using a password maybe? If so, although the encryption protects against reading the raw drive if removed from the system, it does little more than the password to protect the entire running system.
The strongest protection for an entire system against casual or brute force attack at the login interface is a limitation on password retries, and although this can be specified in system policies it's hardly ever done. Other attack scenarios (and they're numerous) require different approaches. Encryption solves some of them but leaves others untouched.
When will we stop insisting on limited pseudo-panaceas for security without undertaking proper analysis of the realities of the problems?
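The distinction the comment above draws (the password guards the login prompt, the encryption guards the raw drive, and a retry limit only bites at the prompt) is easy to get wrong, so here is an added example that is not from the thread or from any of the products mentioned in it. It builds two toy laptop images of the same constructed patient records: one "password protected but not encrypted", one encrypted under a PBKDF2-derived key, then runs a thief's three moves against them: reading the platter directly, guessing at a login prompt that enforces a retry limit, and guessing offline against the raw image where no retry limit exists. The cipher is a SHA-256 counter-mode keystream XORed over the data, purely for illustration (real disk encryption uses AES in XTS or similar); the records, the guess list and the passwords are all made up.

```python
"""Toy model: password-only vs encrypted laptop image, online vs offline guessing.
Everything here is constructed for illustration; the cipher is NOT a real disk cipher."""
import hashlib
import hmac
import os

# Constructed sample standing in for the patient records on the stolen laptop.
PATIENT_RECORDS = b"NHS0000000001,A.N. Other,1961-03-04,retinopathy screen 2009-05-12\n" * 4
# Constructed guess list; "Password1" is the deliberately weak password used below.
WORDLIST = ["letmein", "nhs2009", "Password1", "qwerty", "retina", "southampton"]
KDF_ITERATIONS = 100_000  # the only cost an offline attacker pays per guess


def derive_key(password, salt, iterations=KDF_ITERATIONS):
    """Slow, salted password-to-key derivation (real FDE products do similar)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def toy_keystream(key, length):
    """SHA-256 counter-mode keystream. Toy only; use AES-XTS/GCM in real code."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def password_only_image(password, plaintext):
    """'Password protected but not encrypted': login checks a hash, the platter holds plaintext."""
    salt = os.urandom(16)
    login_hash = hashlib.sha256(salt + password.encode()).digest()
    return {"mode": "password-only", "salt": salt, "login_hash": login_hash, "raw_bytes": plaintext}


def encrypted_image(password, plaintext):
    """Full-disk encryption: the platter holds ciphertext under a password-derived key."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    ciphertext = xor_bytes(plaintext, toy_keystream(key, len(plaintext)))
    tag = hmac.new(key, ciphertext, "sha256").digest()  # tells a right key from a wrong one
    return {"mode": "encrypted", "salt": salt, "tag": tag, "raw_bytes": ciphertext}


def read_raw_without_password(image):
    """Thief pulls the drive (or boots a live USB) and reads the blocks directly."""
    return image["raw_bytes"]


def unlock(image, password):
    """Return the plaintext if the password is right, else None."""
    if image["mode"] == "password-only":
        candidate = hashlib.sha256(image["salt"] + password.encode()).digest()
        return image["raw_bytes"] if hmac.compare_digest(candidate, image["login_hash"]) else None
    key = derive_key(password, image["salt"])
    if not hmac.compare_digest(hmac.new(key, image["raw_bytes"], "sha256").digest(), image["tag"]):
        return None
    return xor_bytes(image["raw_bytes"], toy_keystream(key, len(image["raw_bytes"])))


class LockedOut(Exception):
    pass


class LoginInterface:
    """The online login prompt, with the retry limit the comment says is rarely configured."""

    def __init__(self, image, max_attempts):
        self.image, self.max_attempts, self.failures = image, max_attempts, 0

    def attempt(self, password):
        if self.failures >= self.max_attempts:
            raise LockedOut("retry limit reached")
        plaintext = unlock(self.image, password)
        if plaintext is None:
            self.failures += 1
            return None
        self.failures = 0
        return plaintext


def online_guessing(login, candidates):
    """Guess through the login prompt: the retry limit is what stops this."""
    for n, guess in enumerate(candidates, 1):
        try:
            if login.attempt(guess) is not None:
                return ("found", guess, n)
        except LockedOut:
            return ("locked_out", None, n - 1)
    return ("exhausted", None, len(candidates))


def offline_guessing(image, candidates):
    """Guess against the raw image: no retry limit applies, only the KDF cost per guess."""
    for n, guess in enumerate(candidates, 1):
        if unlock(image, guess) is not None:
            return ("found", guess, n)
    return ("exhausted", None, len(candidates))


if __name__ == "__main__":
    plain, enc = password_only_image("Password1", PATIENT_RECORDS), encrypted_image("Password1", PATIENT_RECORDS)
    print("raw read, password-only :", read_raw_without_password(plain)[:40])
    print("raw read, encrypted     :", read_raw_without_password(enc)[:40].hex())
    print("online, 2 tries allowed :", online_guessing(LoginInterface(enc, 2), WORDLIST))
    print("offline, weak password  :", offline_guessing(enc, WORDLIST))
    print("offline, strong password:", offline_guessing(encrypted_image("v4n-r3t1n4-2009!", PATIENT_RECORDS), WORDLIST))
```

Run stand-alone it shows the four outcomes side by side: the password-only image gives up the records to a raw read with no password at all; the encrypted image gives up only ciphertext; the retry limit stops guessing at the prompt after two tries; and the offline attacker, who never sees the prompt, recovers a wordlist password on the third guess and is held back only by the KDF cost and the password's strength. That is the practical reading of the comment: encryption closes the pulled-drive case, the retry limit closes the prompt case, and a weak password leaves the offline case open whatever the policy says.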
My local trust tried going the encryption route
Killed my wife's laptop. Killed several colleagues' laptops too. The "back door" to get your data back involved a call to Germany to get the time-sensitive passcode. Except there was never anyone on the other end. Took two weeks to get the encryption removed, during which time she had no laptop.
She doesn't use her laptop for NHS work any more.
Then they tried the same trick with encrypted USB sticks. Scenario: In NHS office, create PowerPoint presentation. Save on secure USB stick. Go to conference/meeting/local university. Discover you need admin rights to install decrypt software. Swear.
Re "My local trust tried going..."
I'm out of work ATM. By choice, too, I'll have you know.
This gem, eloquently described by AC makes me feel all warm and fuzzy.
I can find my arse and don't need both hands tied behind my back to do it.
I have practical knowledge on what the differences are when considering my arse and my elbow.
Almost without exception, when in employment, I turn up regularly and I never steal anything.
I simply can't see how it's going to be difficult to get employment with this level of competition.
"Have you tested it?"
"-Yes. I double clicked it and it ran till the end."
"Woo! No techy, IT, nerdy, geeky gobbledygook here! I'm just the IT manager! - OK Launch Control - IT systems ARE GO! (You know, to be a good manager it's actually IMPERATIVE you are completely fucking technically clueless if you're managing complex IT systems, otherwise you simply get bogged down in nerdy-turdy details. I went to university, you know. Isn't the 'Office' hilarious?"