WTF ...
were 33,000 patients' records on a laptop? And WTF is the medical purpose of a 'retinal scan van'? This looks like a rich mother lode.
Mark Hackett, chief executive of Southampton University Hospital NHS Trust, has promised to deal properly with data security after one of his staff lost a laptop computer with 33,000 patients' records on it. The laptop was left unattended in a retinal scan van. It was password protected but not encrypted. It was attached to …
"Hackett promised the ICO he would make sure encryption was used on all mobile and portable devices, that ..."
...he would personally pay a huge fine from his own wages ??
After all, his huge wages are because of the responsibility he has, and in this he has failed. 30 years ago it may have been excusable that he didn't know about the risks of data loss, but after so many articles even in the normal press, there is no excuse.
People that are in these positions of responsibility, earning top money should personally pay for the mistakes in management made below them. In this way, they will have a better incentive to do their job properly. (carrot AND stick)
The NHS Trust I work for has rolled out hard disk encryption on ALL mobile devices, not just laptops. I thought this was supposed to be the same for any NHS Trust, so WTF are they doing allowing a mobile device to be unencrypted in the first place, let alone allowing patient-identifiable data to be stored on it instead of on a server?
The IT department managers and whoever was storing the data locally should have their arses kicked most severely.
I work for another NHS area; all our mobile devices are encrypted (albeit with Mccrapy SafeBoot) and anyone requiring portable storage gets an encrypted USB drive. We also use data loss prevention software that only allows encrypted drives (and anything else we permit) to be plugged into USB ports. Not hard, is it?
The van was scheduled to visit 33,000 patients that day?
This is simply inexcusable. They wouldn't tow a lorry full of filing cabinets along behind them with files for every patient they might possibly bump into, so why do the same thing digitally?
The whole thing smacks of incompetence. "don't worry we tied the laptop to the van with one of those flimsy security cables" Yeah it's not like a thief would ever have a pair of bolt cutters handy.
"... after one of his staff lost a laptop computer with 33,000 patients' records on it. ... It was attached to the van by cable but this was cut during the theft."
This is obviously a new meaning of the word 'lost' of which I was previously unaware.
Thank you, El Reg
PH because she lost it years ago.
Our Trust has had laptops encrypted. Unfortunately we were dependent on our HIS (Health Informatic Services) to do this. That was when they told us they had no list of laptops issued (wtf!!!). Yes, they logged the number of the laptop, but they couldn't get a list out of their system (these are IT people, ffs).
We started a process of buying pre-encrypted USB sticks, but our finance department put that on hold. Why? Buying them will cost money, but if we don't then people bring their own (unencrypted) and that doesn't cost us money.
So why do public bodies lose confidential information? Simple. Look at the overpaid directors and Chief Execs who have to stop their people ordering envelopes, paper, encryption support etc. in order to have the money to pay their £100,000 salaries.
Has anyone stopped to consider how the legitimate user accesses an encrypted drive? Using a password maybe? If so, although the encryption protects against reading the raw drive if removed from the system, it does little more than the password to protect the entire running system.
The strongest protection for an entire system against casual or brute force attack at the login interface is a limitation on password retries, and although this can be specified in system policies it's hardly ever done. Other attack scenarios (and they're numerous) require different approaches. Encryption solves some of them but leaves others untouched.
When will we stop insisting on limited pseudo-panaceas for security without undertaking proper analysis of the realities of the problems?
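The point made in the comment above, that full-disk encryption protects a powered-off disk but the running system is only as strong as its login gate, is easiest to see with a retry cap in code. The following is an added illustration, not code from the article, the commenters, or any NHS system: a small, hypothetical Python login gate that derives keys with PBKDF2, compares them in constant time, and locks the account for a fixed window after a fixed number of consecutive failures. The user store, the clinician account, the wordlist and the clock are all constructed for the example; the limits (5 attempts, 15 minutes) are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for the illustration, not from the article or any NHS policy.
MAX_ATTEMPTS = 5          # consecutive failures allowed before the account locks
LOCKOUT_SECONDS = 900     # length of the lockout window (15 minutes)
KDF_ITERATIONS = 100_000  # PBKDF2 work factor; deliberately slow to blunt offline guessing


def derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key from the password; the cost is paid on every attempt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class LoginGate:
    """Hypothetical in-memory login check with a hard cap on consecutive failures."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the lockout window can be tested
        self.users = {}             # username -> (salt, derived key)
        self.failures = {}          # username -> consecutive failure count
        self.locked_until = {}      # username -> time at which the lock expires

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive(password, salt))

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        # Unknown users get a dummy salt so the KDF cost is the same and the name is not leaked by timing.
        salt, expected = self.users.get(username, (b"\x00" * 16, None))
        actual = derive(password, salt)
        if expected is not None and hmac.compare_digest(actual, expected):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            return "locked"
        return "denied"


def brute_force_demo():
    """Constructed scenario: a thief with the running laptop guesses from a short wordlist."""
    t = [1000.0]                                   # fake clock, seconds
    gate = LoginGate(clock=lambda: t[0])
    gate.add_user("clinician", "correct horse battery staple")
    # Constructed wordlist; the real password is last, after the cap has already been hit.
    wordlist = ["password", "Password1", "nhs2008", "letmein", "qwerty",
                "correct horse battery staple"]
    outcomes = [gate.attempt("clinician", guess) for guess in wordlist]
    t[0] += LOCKOUT_SECONDS + 1                    # the legitimate user returns after the window
    after_wait = gate.attempt("clinician", "correct horse battery staple")
    return outcomes, after_wait


if __name__ == "__main__":
    print(brute_force_demo())   # (['denied', 'denied', 'denied', 'denied', 'locked', 'locked'], 'ok')
```

The fifth wrong guess trips the lock, so the sixth attempt is refused even though it is the correct password; only after the window passes does the legitimate user get back in. The caveat a practitioner would add is the one the commenter hints at: a per-account lock is itself a denial-of-service lever (anyone who knows the username can lock it), so production systems usually pair it with per-source rate limiting rather than relying on the account counter alone, and none of this helps against the other attack scenarios the comment mentions, such as reading a suspended machine's memory.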
Killed my wife's laptop. Killed several colleagues' laptops too. The "back door" to get your data back involved a call to Germany to get the time-sensitive passcode. Except there was never anyone on the other end. Took two weeks to get the encryption removed, during which time she had no laptop.
She doesn't use her laptop for NHS work any more.
Then they tried the same trick with encrypted USB sticks. Scenario: In NHS office, create PowerPoint presentation. Save on secure USB stick. Go to conference/meeting/local university. Discover you need admin rights to install decrypt software. Swear.
I'm out of work ATM. By choice, too, I'll have you know.
This gem, eloquently described by AC, makes me feel all warm and fuzzy.
I can find my arse and don't need both hands tied behind my back to do it.
I have practical knowledge on what the differences are when considering my arse and my elbow.
Almost without exception, when in employment, I turn up regularly and I never steal anything.
I simply can't see how it's going to be difficult to get employment with this level of competition.
"Have you tested it?"
"-Yes. I double clicked it and it ran till the end."
"Woo! No techy, IT, nerdy, geeky gobbledygook here! I'm just the IT manager! - OK Launch Control - IT systems ARE GO! (You know, to be a good manager it's actually IMPERATIVE you are completely fucking technically clueless if you're managing complex IT systems, otherwise you simply get bogged down in nerdy-turdy details. I went to university, you know. Isn't the 'Office' hilarious?"