Sounds like a case of...
A UK doctor faces a disciplinary inquiry after an unencrypted laptop containing confidential patient data was stolen from his home. The unnamed junior medic acted against regulations set by the Hull and East Yorkshire Hospitals NHS Trust, his employers. The doctor took unencrypted patient information – including names, dates …
What, has the NHS not heard of VPN? Thought not. Would eliminate the need to copy it onto a machine able to be lost/stolen.
The computer the GP was using had the little RDP bar at the top, so I guess they may have.
I still don't get how they have unencrypted laptops though; when the company I work for decided encryption was going to be a standard, anyone with a laptop unencrypted after a certain deadline was booted off the network, unless you could account for yourself.
but as long as users are able to copy data off the central system (be it on CD, thumbdrive or a laptop) and take it home, whether or not they have heard of VPN, have installed it and are using it will be totally irrelevant.
Security is inconvenient. Good security is damn inconvenient. And as long as there are other, less inconvenient ways, users will use those ways.
Having security options available is not what matters. Being unable to circumvent them is.
The NHS has heard of VPN, however the BT N3 connections are a hindrance to that because the NHS all goes through it and it isn't very good. Making outside VPN connections tricky. And of course it costs money, and it costs time in technical support for moronic users who can't and shouldn't be allowed access to a PC, never mind a career responsible for others.
And even if we did have VPN, GP's and doctors think they are above the law and wouldn't use them anyway. I am sick of hearing "You can't tell me what to do" by a GP when we tell him what to do because we pay him to do it. (I know whoever heard of an employee not doing what their employer tells them and pays them to do, well except MP's)
Losing a laptop is nothing and this report is 1 of many more that are not reported. We had one practice manager fax 500 'at most risk' patients information, things like cancer sufferers, serious illness that required home vists etc. Fax over an unsecure fax line rather than email, because she couldn't work email. The fax went first to a number we don't use and didn't know about, so who knows has those 500 patient records on hard copy.
This is the same practice manager that is set to get the NHS budget to spend. And she isn't alone in her stupidity, I sould say 30% are worthy positions for their job.
I kid you not being a patient in this country is set ot get a whole lot worse with the white paper. not just for data cockups but for "cough..." Mistakes in budgeting.
Mines the one with the emigration papers in the pocket.
Anon for obvious reasons.
When half the NHS systems were collapsing due to worms and viruses , my dad told me of a day in the lab where a doctor walked in, logged onto a pc, plugged a usb stick into it and started copying results on. A few mins later the machine crashed, he unplugged it and tried the next machine, and the next... Then shrugged, unplugged the USB stick and walked out!
The laptop in question is a personal laptop it seems. Blocking USB devices from being used on hopsital computers only goes so far. We use several USB-based devices, and it is trival to unplug on, pop on your thumb drive, and copy data. We have policies in place that ban carrying data offsite, period, unless authorized by IT. This way, we can ensure encrypted transport and end-point use. We've even taken to encrypting personal laptops as an extension of services to help ensure data will be safe in the event that it needs to be taken home for any reason. With the IT staff signing off on data-carryout, we also have records (general as they may be) of who carried data off premisis and when.
Good security is a high inconvenience for sure. However, whole-disk encryption, VPNs, and a few other measures help keep the security high (enough) without imposing the inconvenience of the paranoid.
Except a small proportion working directly for PCTs in walk in centres and the like.
Practice managers are employed _by_ GPs, not the other way around.
N3 is not very good, and the NHS administration demands and isnsists on emailing vast amounts of data, which would be far better dealt with by sharing over the network from the servers it lives on.
The N3 NHS.net email is claimed to be encrypted from end to end, but isn't. It is decrypted at the store and forward server, where it remains vulbnerable, despite presumably having a different encryption applied to the filesystem. THe threat models are not well developed.
Actually, "the NHS" knows next to nothing about VPN. I say this with some authority, having spent a couple of months trying to get VPN access into my wife's surgery. I can buy expensive single-PC solutions from third-party providers, which go through servers in the US, and which have limited (or useless) encryption, buy I don't want to do that. Can anyone at CfH tell me how to get into N3? Can they f**k. None of them have any idea, beyond trying to sell me completely inappropriate and fantastically over-priced BT "products". Of course, they may just be lying to me.
And you're wrong about "GPs and doctors think they're above the law". There are exceptions, of course, just as there are exceptions in IT. But the simple fact is, if CfH would just bloody well tell us how to get in, then we'd do it properly. The "GPs and doctors" will use whatever they're given. You're the problem, not them.
But, having said that, at the end of the day any security we have in place is pretty much irrelevant. The receptionists and secretaries know all about you. The PCT knows all about you. Our software provider knows all about you. If your surgery uses SystmOne, then all your details are already stored on a national database, ripe for exploitation. Get over it. There's not much point in locking the stable door when there's a huge hole in the back wall.
And, by the way:
> I am sick of hearing "You can't tell me what to do" by a GP when we tell him what to
> do because we pay him to do it. (I know whoever heard of an employee not doing
> what their employer tells them and pays them to do, well except MP's)
Do you employ any GPs then? In case you'd forgotten, GPs are (mostly) self-employed. The govt pays them ~ £125 for each registered patient, for an entire years' primary health care. If the govt didn't pay it, you'd pay that £125 yourself. Get over it.
Not anon, for obvious reasons.
Maybe he had enough about being a doctor, decided to become a public servant when he saw their salary and how much (little) work was involved, but needed some experience on his CV.
Apart from the fact that data protection laws were broken, what was the actual harm in this case. This data contained "Names, dates of birth and details of treatments", so in the case of this woman's daughter, it had her name (now better knwn by being splashed over the press), date of birth (big wow) and details of treatments (which I suspect would be along the lines of "admitted with suspected broken leg, received x-ray, underwent surgery, made appointment to remove plaster cast in six weeks").
Yes, there has been a leak of a certain amount of personal data here, but it's not going to be of much value to anyone other than the junior doctor who presumably had it on his laptop inorder to do a patient audit, something most junior doctors are encouraged to do in order to further their careers, as it affects their ability to get training posts. This, arguably, is a failing on the part of the NHS in that everything for new doctors is now about point scoring in order to not end up in a dead-end post.
The real problem here is that junior doctors are expected to collect this sort of data and do this sort of audit work, in their own time, on their own computers. Very few of these people are likely to have been properly trained in, or even made aware of, correct procedures for handling potentially sensitive data. In this case, the doctor involved was unlucky that he got his laptop stolen, but I bet you there are thousands more just like him with 'low level' personal data on private laptops.
Data, which no doubt she has put all over Facebook.
It will show her name and date of birth, maybe even where she lives. And no doubt she put he status as "owww, brokemy leg at school today, had an xray, now have a cast too" then later "had my cast taken off"
However, posting all of that is really her choice. This Doctor took that choice away from her, and thats why its bad.
That's not the point, as well you know.
Sure, it's all 'low level' personal data until it's yours.
...of course the 'value' of the data is not the point, I was merely trying to point out that not all personal data is equivalent. The point I was trying to make here is that junior doctors are put under pressures where this sort of system failure happens. POlicies may be put in palce in a 'top-down' manner, but by the time they have filtered through the many layers of the NHS to the people on the ground, they may no longer be practical.
The fact is that junior doctors are expected to conduct patient audits. To do so, they have to collect exactly this sort of data. They are expected to do the analysis in their own time, on their own computers. In order to do this, which has been made an important part of thier career advancement, the data has to be taken off teh NHS networds, and put onto their laptops. This usually (in my limited experience) happens via a usb pen-drive. Junior doctors will have spent five years at medical school learning all about the intricate details of the human body, what can go wrong with it, and how to fix it, but I bet you they won't have had a single lecture about NHS data security until they start their jobs. At this point, they are likely to be working in excess of 50 hour weeks (and that's the low end of the estimate) plus the extra hours that they are expected to put in for training, specialist qualifications, and things like audits and research papers. If you push people past breaking point, expect them to make mistakes. The fault here is endemic to the NHS, and to the work culture enshrined within.
Consultants will say, 'I had to work 100 hour weeks, I expect you to do the same' whilst at the same time making a nod towards working time regulations (specifically the loopholes and exemptions), however the nature of the NHS has changed and is now much more technological. The ethos hasn't kept up with the changing work practices, the NHS does, after all have a huge inertia, being one of the world's largest employers.
So yes, I didn't mean to trivialise the data loss that happened here, but I think that we have a case of shooting the messenger (the unfortunate junior doctor who took the bullet), and a little bit of hyperbole from the press about the nature of the data loss (the mother of the 12yo in question possibly exaggerating the severity of the consequences on her daughter; pretty much anyone who would find that information interesting would already know it).
From the undertaking that the Hull and East Yorkshire NHS trust made with the Information Commissioner.....
"The data controller shall ensure that all staff, including any contract or temporary staff, are made fully aware of its internal policies and procedures relating to data and IT security and the requirements of the Data Protection Act 1998, normally at induction training, and that such training is refreshed on a regular basis".
.. there is a law, and it has yet again been broken.. Nothing more to it.
I am breaking my cardinal rule of not posting on NHS IT stories.
The question in my mind is simply was this laptop issued by the Trust or was it his own personal jobby that he simply plugged into the network in place of the desktop that he was given?
If it's the former then it should have been full-disk encrypted so that, even if there was patient data on it taken beyond the walls of the Trust, it could not be compromised (at least, sufficiently difficult to say that the data remained uncompromised for ICO purposes). This would be something the Trust could control.
If it's the latter then the doctor in question must carry the can for breach of policy and the loss of the data due to that breach. If it was known that he was using personal equipment (and this is still purely hypothetical on my part as the article makes no mention one way or the other) then whoever authorised that use should also be required to explain themselves sharpish.
Surely in the NHS they don't allow people to use their own devices?
From BBC News website...
" Dr David Hepburn, medical director for Hull and East Yorkshire NHS Trust, said steps had been taken to prevent patient details being downloaded from computers but it was more difficult to control information being sent by email.
"This particular employer used email to send the information to himself and then stored it on a non-encrypted laptop." "
"The NHS" does not exist, it is merely a wrapper to identify something currently made up of thousands of small organisations (GP's, hospitals) grouped under 150odd PCT's and 10 SHA's. There is no 'one' NHS desktop environment or standard. They generally play it their own way to some extent, which may explain the enormous expense and complexity of the NPfIT.
In 2009 the Hull & East Yorkshire Hospitals NHS Trust signed an undertaking to the Information Commissioner promising better computer security. This was after the loss of two unencrypted computers containing confidential patient data.
Part of the undertaking reads..."The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised or unlawful processing, accidental loss, destruction and/or damage."
The new security measures don't seem to be working very well, do they?
The undertaking by the Hull & East Yorkshire Hospitals NHS Trust is available from the Information Commissioner's website. It's a PDF file.
So, the person who failed to prevent the first two data losses gets to decide what should be done to prevent any more losses occurring ? FFFFFS. (Like 'FFS' but a lot more 'F's.)
so, what do the extra Fs stand for?
"The biggest threat to IT security lies between the front of the monitor and the back of the office chair"
You can have all the policies and procedures in place, but if users don't follow them......
Yes, the laptop should be encrypted if its an NHS one (Dept of Health directive was issue nearly 2 years ago and a free to Trusts solution was given, albeit not the best)
If it was his own and he transferred the info by USB stick or email then he's clearly in breach of the rules, and should answer for his misdemeanour.
As for the purile comment about "what harm has been done?", would you like your personal details made public? What if it had been medical details about a sexually transmitted disease, or a mental health problem. You can't differentiate, all data is sensitive.
Before the reporting, Mr Thief just had a database of names. Now, thanks to the newspaper he can put a nice picture to the name!
And if he's a paedo he can use that information to groom his prey. Thanks un-named doctor and Hull Daily Mail!
I couldnt help but notice that the URL for this story is
I'd have used a stronger word than 'flap' myself, but you're on the right lines.
Was she b*****ks. This is exactly the same as the ASDA cuddly swearing dog story. ooo look, a chance to get my name in the paper by pretending to be outraged by something.
These people piss me off more than anything else.
Have you thought about sharing this information with Private Eye? They have an ongoing NHS IT section.
This looks like a case of the employer trying to blame the employee claiming they had policies in place. But, if the employer treated patient confidentiality and data protection seriously, they'd be checking the laptops, they'd supply the laptops with encryption software pre-installed (as one of my earlier employers did).
They'd have the processes in place to ensure people were complying with the rules, they'd provide the tools - which it looks as if they didn't.
> details of treatments (which I suspect would be along the lines
> of "admitted with suspected broken leg, received x-ray,
Maybe also the fact that.... her daughter had an abortion.
Or had mental health problems
Or was on a methadone programme
Or had signs of sexual abuse
There are a fuckload of reasons why medial records are very private. Any idiot not securing this data needs to be made an example of.
If you'd read the story, you'd have seen that the records in question related to orthopaedic treatment.
Orthopaedics = broken bones, dislocations, etc.
OK so he emailled the data to his own email address and then opened the email on his own laptop. So we're not talking about simply copying data onto a personal laptop or any other mass storage.
The question here is how did the system allow someone to bulk export sensitive data from the system to save in a file that he could then email? Why has the system been written to allow users to bulk export sensitive data. Yes they need to be able to run reports, but reports don't need masses of personal data such as addresses. A report of patients and the treatment they have had, for example, does not require that lots of personally identifying information (name, age, sex, address, etc.) anybody having a need for that information should be able to access it via the system.
One of the biggest potential threats when it comes to "losing" this sort of data is hardly ever mentioned. Somebody loses a laptop or a memory stick and it's all over the national press, however it's never mentioned how many people print out reports containing personal data and then throw the report away rather than shredding it.
Bulk export is pretty straightforward -
1. Search facility - the software *must* have a search facility. If you're lucky, there's an "export to XML" or somesuch button. If you;re not, you use the PrtScrn key followed by CTRL-V. Messy, but better than nowt.
2. It's pretty difficult to entirely seperate the user from the DB whilst still letting them actually access the DB. It isn't impossible, but given that software contracts are awarded on cost, and a straightforward direct client -> DB connection is easy (and thus cheap to write) we'll not see securely proxied DB connections anytime soon. Things like Citrix can help, but generally speaking you can plug Excel (or whatever) into the DB and go digging.
Ofc he *shouldn't* have done what he did, but as Loyal Commenter has explained pretty well, he was stuffed if he did, and stuffed if he didn;t. The problem lies *entirely* with the NHS. Don't for one moment think this is a one off - he was just unlucky enough to get his laptop nicked AND ADMIT IT.
The fix is simple (but never gonna happen) - give junior doctors time on-clock to do this audit work. Explain that if they do it on-clock, all is good, if they take the data home, "bye-bye". Means consultants having to work the graveyard shifts tho, and Lord forbid they should have to do that.
Speaking as someone who does (some of this) occasionally. First, "The NHS" is thousands of different organisations, as pointed out above. What works for a hospital in Hull isn't going to work in a GP surgery with a dozen employees.
I occasionally have to do searches on surgery (and national) systems for audit and reconciliation purposes (for both clinical care and financial reasons); this is only going to get (much) more common. If the system can't do that, it's useless. I need to bulk-export data and analyse it offline. I'm going to do that back at base, not in a small building crowded with secretaries, receptionists, and patients. I take the data on a USB stick. Emailing it would be dumb, but no-one has explicitly told me not to do it; they've got their own jobs to do, without worrying about me. Besides, some datasets can be several gig.
I can't do *any* useful analysis without an age and a sex, and a treatment code, for starters. Sometimes I need an NHS number, to correlate a hospital patient with one of our patients. Sometimes I need a postcode, to get deprivation data. Names are never necessary. National databases already have sensitive information stripped out. However, there's generally something that they've stripped out that would have made life a lot easier. Surgery systems don't so this; it would just add another level of cost and complexity, and would be dumb, given that we already have the raw data.
Most surgeries do this sort of thing; it will be impossible not to do it post-commissioning, assuming that commissioning actually happens.
The data governance people don't have a crystal ball, and can't predict our requirements in advance, and how we want to use the data. You can generally use a "clinical care" get-out-of-jail card to justify what you're doing, depending on how anal your local people are, and what spin you put on it. And you can have a long argument with data governance, and might eventually get a nod and a wink, with nothing on paper. Life is a lot more complicated than a large book of regulations.
Ok, data will be lost eventually. But, at the end of the day, a lost database that contains an NHS number and a HES (treatment) code is not the end of the world. There is no HES code for "lost cucumber". The really sensitive stuff, joking aside, is only peripherally a medical problem, and there's no way any of that will appear in any sort of a database (except maybe at social services). You would actually have to physically read the GP's notes for that. There are other ways that this sensitive information can be lost - SystmOne being a prime example - but it's not going to happen through database analysis.
you have missed one point: the doctor reported HIMSELF. If he had kept quiet, 99% chance it would have been the last he heard of it. Although he was reckless with his patient data, and there are issues as to why he was allowed by the NHS IT system email it to himself, he deserves points for reporting it. Which reminds me I know someone who has patient data on laptop, better ring...
The NHS is likely to bleed data for a number of key reasons;
1. NHS IT in general can be described as pathetic, no architecture, no DC/DR capabilitity, the list goes on. (lord knows where the £12bn disappeared to, but front line staff can't see it)
2. Users having to call 3 different call centres to try and log a fault with equipment (they all say it belongs with the other help deskS)
3. Consultantsdon't trust the NHS to get the right patient information to the right location at the right time, at which point they can not see the patient, so they take the records they know they will need to ensure they can see the cancer patient tomorrow morning.
Professional negligence, pure and simple.
Firstly of the junior doc in question
Secondly of whoever allowed a mass extraction / email of patient data without the big red light flashing.
Its not like a list of people in Hull with HIV. Who cares?
Confidentiality is treated like a holy grail. Its not always that important.
More important is good quality care.
An audit of surgical outcomes is good for the population of Hull if the surgeons can identify ways to improve their care. The next 12 year old girl to have a fracture may have pain relief quicker, or surgery done more safely or effectively.
These areas for improvement could be highlighted by audit undertaken by clinical staff.
No doubt watertight security will now prevent useful medical audit, instead it will be done by 'audit departments', who have nothing to learn from looking at the data and so important lessons will be overlooked. A dedicated department, costing lots and achieving nothing. Remember that next time you are waiting in an A and E dept.
No more doctors working in their own time, within their own resources to try and improve care by reviewing case notes. Especially if a trumped up lawyer is able to sue the trust for breach of confidentiality. This doctor will no doubt be needlessly suspended for months. Particularly if he is foreign.
And computer 'experts' will further cripple the useful sharing of medical information in the NHS at great expense.
Overall a very costly fuss about nothing, methinks.
You are the problem, yes you reading this post. The trouble is you don't give a flying f*ck about protecting someone else's data only your own. If yours get lost/stolen or abused you complain, yet everyone of you will spend the rest of your live, cutting corners, typing emails, sending files that you don't give a f*ck about. The major leak if anywhere is your apathetic attitude to data protection and confidentiality. We spend vast sums of money to stop you being a pr*ck but you spend you time trying to find ways around it, finding ways to save time money and whinge about how the internet is slow and why you can't do this or that. Then you blame IT when you find a f*cking way round the systems and rules to prevent this.
If we gave you just tv screens to look at, you would take photos of the screen, or write it all down.
The Problem is and will always be you.
The sooner you become responsible for our own data the better. Yes you can carry it around yourself and keep it locked in your safe or if you like drop it on road outside your house.
Your data, is your problem. Simples.
...Loyal Commenter's analysis is, in this case, pretty much spot on. Doesn't excuse doc's foolishness, but there are others who probably need to actually take responsibility for the whole snafu; he gets a ticking off, and allowed to get on with the job he's actually there to do.
Any employer with a serious interest in securing sensitive data on laptops and stopping the use of USB thumbdrives etc should license PGP Desktop, it works a treat for 200 quid perpetual. Absolutely no excuses! What worries me is the new government scheme where GPs are going to club together to provision hospital services instead of PCTs. As everything continues to decentralise in the NHS, who is going to manage IT practices across a squillion different organisations?
...for not reading the article. This data was sent by email to his personal email account, and the laptop stolen was his privately owned laptop, not NHS property.
There is no easy fix for this sort of data breach. Doctors have legitimate need to access bulk data, and 99% of the time they will be doing audits and research at home, unpaid, on their personal computers. It's part of their training, a requirement in order to get job advancement, and a significant benefit to patient care. These doctors work ludicrous numbers of hours at the hospital, put in more time unpaid at home, and then get rubbished for circumventing security...
Yes, in an ideal world bulk export features would anonymise identifying information, but none of the (many) client information systems I have worked with (in NHS and other govt and private areas, both health and otherwise, UK and Australia) can do this. IT budgets simply don't stretch this far, there often being insufficient funds to implement even key functional requirements. Similarly, hospitals might provide doctors with access to data administrators to do the data extraction for them, but there is rarely the budget for enough skilled DB admins to write the queries for the hundreds of junior docs doing audits and research at any major NHS trust, nor are the docs routinely able to articulate what they actually want to do with the data, making extracting the right data doubly difficult.
As far as whole disk encryption, blocking USB storage, blocking email attachments, of course these area all relatively easy to implement. There is also no technical reason why doctors couldn't be using a remote desktop or citrix session via VPN from home instead of 'storing' the data locally. Unfortunately however these things make getting work done a right pain in the arse and incredibly inefficient for people who already very busy (both medicos and understaffed IT support). And most trusts have remote access locked down so tight that VPN isn't a practical solution for more than a small number of users (i.e. locked to specific machines accessing from specific IP addresses), let alone the costs of hardware involved in giving every junior docs, and VPN account charges, citrx licenses, and reimbursing docs for their home internet usage.
Step 1: Sit in the waiting room of any orthopeadic clinic, near the reception preferably, and make covert notes of all patients who turn up and are asked to confirm their name, DOB and address... Leech personal medical data by looking at which limb has a plaster cast on it.
Step 3: Profit.
Peoples health data not only affects their privacy BUT is a very valuable commodity for insurance companies.
If the UK insurers are anything like those in the U.S. and Canada, all claim data - procedures, consultations and prescriptions - are stored on yet another database which is used to establish pre-existing conditions for both medical and non-medical insurance policy premium determination.
The insurers will not reject applications for coverage containing false information, and they will happily accept your money BUT when it comes to claim time they suddenly drag out all their data and deny all claims.
The NHS, nor any medical facility, should permit any data to leave it's jurisdiction - does this mean they would allow doctors to cart files and charts off home? I don't think so.
That's why I like the Canadian system that contains data in separate databases, each individual one on it's own is less than useful.
"The NHS, nor any medical facility, should permit any data to leave it's jurisdiction - does this mean they would allow doctors to cart files and charts off home? I don't think so."
NHS Consultants operating between multiple hospitals regularly go round with shopping bags and boxes full of patient records.
Whilst they would probably agree this is far from ideal, it is better than the alternative, of not having the right file in the right place at the right time, as if they do not have the patient's record, they are not suppose to see the patient, and they tend to view this as worse than the potential breach of the DPA.