A North London primary care trust has suffered the most personal data breaches among NHS trusts in the capital over the past three years, according to figures obtained by Guardian Healthcare. The figures showed that out of 30 trusts responding to a freedom of information (FoI) request, NHS Barnet owned up to over 20 per cent of …
Either Barnet and some others are spectacularly bad at protecting personal data OR (more likely, IMHO) all PCTs suffer this level of data loss, but sweep it under the carpet.
They should take a look at Sony to see how the pro's do it.
What a surprise
Knowing the kind if idiots who work in admin in the NHS this doesn't surprise me in the least. Most of them would have trouble spelling "data protection", never mind implementing it.
Didn't realise you could get that on the NHS. Elton John should complain - he had to pay for his...
These figures can be interpreted so many ways. The guys with the high figures could actually just have a really good handle on their breaches (by handle I mean they have properly logged how many happened, they don't necessarily have any idea how to deal with it). The other trusts with the lower figures, could have so many breaches swept under the carpet, not logged, reclassified as minor breaches, or just have a load of breaches which have gone completely unnoticed.
So these figures are pretty pointless, no?
Not surprised in the least...
As one of those friends who fixes poorly kit for people, I know for a fact that one senior nurse in my local NHS trust has a blanket forward on her trust mailbox to a personal mail account, so they can work from home. Of course because it's a blanket rule everything they receive routinely gets pumped into gmail. I'm also pretty sure there are more than one offenders.
Seemingly the trust either don't care or just aren't clever enough to audit this kind of thing.
Colour me unsurprised, too
Some time ago I happened to catch on Parliament channel (not that I *normally* watch it) the head of Fujitsu, talking to a Commons Select Committee about security of NHS data systems. He stated that the main risks were not some super-hacker managing to penetrate the systems from the outside, but a complete lack of security culture within the NHS itself, and goddammit he was totally right.
I'm the national admin for an NHS system (that has been up & running for about 8 years) and at least twice this year I've found whole departments that only have *one* login account to this system (and, as I can see all deleted accounts, I know that they have only *ever* had one), seemingly blithely unaware that users can, and should, all have their own account. Sharing login details ? What's the worst that could happen ?
The complete lack of understanding of data security is widespread across the whole public sector. Councils seem to be particularly inept in my experience. Councils are now trying to be 'flexible' and allow more staff to work from home, which means in reality more data is leaving the councils care and loaded onto unencrypted USB sticks, forwarded to public email services and stored on personal PCs without encryption.
Security, usability, cheap - pick one. The problem is you have to balance security against usability.
I've worked in places where computers were only allowed inside locked metal rooms - you opened the door to the room and all the monitors turned off. Great for security but not much good if the ambulance driver needs your address.
Most of these cases were people taking data home to work on, or forwarding emails to external addresses, Not best practice - but would you rather wait another month for your results because the consultant had to visit some data bunker to see your x-rays?
There is going to be a lot of bandwagon jumping about security - which will involve a few minions being fired for taking work home - while the entire confidential data will still be transferred on-mass to the US company's data processing center in India anyway.
And you will have to wait for an extra 12 hours in casualty because they don't have access to your records.
You're absolutely right that there's always a balance to be struck between security, usability and cost - but I think you may have gone a bit OTT in your comparison. No-one's suggesting that security procedures appropriate to GCHQ should be applied to your local GP's surgery. But the argument should have gone something like this:
1. Do we allow people to use portable devices (or printed records, for that matter) and take data off site. If you're the NSA, the answer is 'No' - if you're the NHS, then probably it's 'Yes'.
2. Is there a risk that some of these portable devices may be lost or stolen - clearly 'Yes'.
3. How do we mitigate this risk? One obvious (but not cost-free) method is by encrypting the data on the portable device (and not taping the password to the underside). Thin client and VPN could be another solution - this might even reduce costs.
It's the lack of a security culture or any form of management system that is the problem here.
Laugh or Cry
"One data breach involved the theft of a doctor's personal unencrypted laptop, which contained patient information. The trust said that the laptop was password-protected."
.... the choice is yours.
Otherwise known as "The trust has no ****ing clue what protecting data means"
A password-protected laptop means precisely ZERO protection, as all an attacker needs is a copy of Knoppix or other bootable CD and bingo - everything on that laptop is theirs.
That's assuming of course that the attacker don't have the expertise to take the hard drive out of the laptop and plug it into another computer.
I expect that practically everyone reading this forum has done one or both of these to recover data from a damaged Windows installation!
The fact that so many Government departments insist on saying "but the laptop was password protected!" is 100% proof that they have no clue whatsoever and the CEOs, COOs and CTOs of those departments all need to be fired on the spot for complete and utter abject incompetence.*
Of course, they'll continue to screw this up so royally until the Information Commissioner assigns some personal consequences to these upper managers.
*No, I don't think I used to many superlatives there.
To be fair
Theoretical data risk, quite high, and if the thief has even rudimentary grade tech skill, the potential for harm is high.
In reality the laptop will have been sold to the local fence, wiped and sold as a Christmas present in the local pub. The data will have been lost in the manner of being buried under a huge folder of pirated MP3's and an internet exposer cache full of dodgy JPG's where flesh tones predominate.
Sense of proportion
The NHS is a massive organisation, it has people of many levels of skill and capability, and it's primary function is Health, not data security. As some of the more balanced individuals point out data security is fine right up until the point the data is needed to save your life.
As a customer of the NHS, I find it a pain in the bottom that I have to carry blood test results on paper from my GP to my consultant because my GP uses a different hospital path lab to my consultant, and the systems are not joined up. If the price of having all my note joined up, is that they might accidentally left lying around by tiered or busy Healthcare professionals, then so be it. I suggest that the commentator who thinks NHS staff are stupid, should go work in the NHS for a while, they'll find the stupid ones, actually don't have access to patient records, other than to push cartfuls from A to B.
I wonder exactly what it is the people are afraid they might have exposed, in any case, and who would be interested in their data. Ask yourselves this, who would want your data, why, what benefit would it be to them, and what would the cost of discovery be to them. Ultimately, health records are confidential, and the only people who might be interested are your insurance companies, the DVLA and your employer, if you have failed to disclose a relevant medical condition. The only people who might to worry are public figures, whose records are treated with a bit more care, but even then you are dealing with a confidential record, and its unauthorised disclosure would have consequences for the discloser as well as the source. The worst outcome for anyone, is that data loss might actually lose something that is not duplicated, and that affects your health.
Doctors, even your GP will also be involved in health studies, which are usually not part of the NHS's core IT provision, and are carried out independently by interest groups, with minimal funding, in their own time, and at their own cost.
Paper records ta, its time proven common sense format that works in power cuts, and as for the ignorant claim that no one is interested in records i ask WHY are they encrypted, etc?
I dont supose any debt collection agency/criminals/private investigatoras would have any want for such details?
And as for the mentality of 'nothing to fear, nothing to hide': still wear clothes, and have curtains at home do you?
Patients are wising up!
And as for
It's far, far worse out there...
I blogged about the state of NHS infosec a few months ago. Seems the stats back up my observations.