Colchester Hospital sacks manager over lost laptop

Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records. The PC - which was stolen (pdf) from the unnamed manager's car in June - contained copies of the personal details and treatment plans of several thousand patients. Thieves took the …

COMMENTS

  1. Lawrence
    IT Angle

    No Need.

    No way should an individual employee be responsible for the total security of data on mobile devices. All I can do as a laptop owner is ensure that it is turned off/locked at any point that it is not in use. If such data is being transported or stored then, as the PGP dude said, it is the responsibility of the enterprise and should be encrypted by default.

    Give them their job back, and place the blame in the right place, and sort your data security out.

  2. Richard

    Nice one!

    That's some serious buck passing, right there. Nice to see bureaucracy working.

  3. James

    Can we ask why ...

    ... he had his laptop on holiday with him?

    Surely we have got to get away from this idea that we've got to take work with us everywhere we go!

    As mentioned in the article - ultimately the responsibility lies with the Boards of the companies and organisations involved. If they create a culture in which people feel they have to have work with them 24/7 then this will happen.

    But it does show that the Hospital involved must have a very bad work culture.

  4. Danger Mouse
    Coat

    Scape Goat

    "The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality." says Murphy. Well, brains, if the Trust took it that seriously they would have taken the steps to roll out an encrypted data store. It doesn't have to cost a lot, although, seeing as it's the NHS, they will pick the most expensive solution when they eventually get their fat lazy heads around to it. Here's a tip: TrueCrypt, it's free as in beer and will stop the average laptop thief stumbling across confidential information. Now there's no excuse.

    (The one with 'Angry C*nt' stamped on the back)

  5. Eponymous Cowherd
    Thumb Down

    The term 'scapegoat'

    springs to mind.

  6. Anonymous Coward
    Anonymous Coward

    Appropriate care

    You have to ask what the manager was doing with a work laptop containing patient data with him/her on holiday in Edinburgh. Although it is the organisation's responsibility to ensure proper policies and procedures are in place it is the individual's responsibility that they follow them and take appropriate care with equipment and information. Taking it on holiday isn't.

  7. King Keepo
    Go

    Why sack a board member for a junior's mistake?

    If this chap took a work laptop containing confidential information on holiday, left it unattended in his car, then yes, he should be reprimanded.

    Locking the laptop and having it password protected is as much security as can be expected from non-IT staff, but even having it in a position where it is stolen like this is a little daft.

    Theft from the home is unforeseeable, but leaving it in your car while on holiday is easily avoided.

  8. Andy S
    Thumb Down

    Sensitive data

    More to the point ... what was sensitive data doing on an employee's laptop in the first place? All sensitive data should be kept in the database and should not leave site under all but exceptional circumstances (i.e. offsite backups etc.) and those circumstances should be strictly controlled and tightly secured.

  9. Ru
    Alert

    No need?

    He left his work laptop, full of valuable data, unsecured in a car whilst on holiday. Is that someone else's fault too?

  10. Tim Spence

    RE: No Need.

    I agree, as I'm sure the board which sacked him would... I can only think that this guy had the data on the laptop without authorisation - i.e. he copied it off some network share when in the office, so he could "work" while sunning himself in his garden or something.

    If an employee takes data off the network without seeking proper authorisation, then it's their fault if something happens to that data.

  11. Rob
    Alert

    Whose fault is it anyway

    Would make a good TV show for public sector organisations.

    The Corporation is at fault for not providing encryption, but also I think the Manager is at fault for leaving his laptop in his car.

    Simple rules from the anti-car-crime adverts: don't leave it on display. Like the sign says on work vans, "no tools left in van overnight"; my laptop and other media kit are my tools. This manager is also a tool.

  12. Bill Gould
    Gates Halo

    Labour Board?

    Is there any such creature available for the manager to appeal to? If so I'd be on the phone immediately and gouging the hospital for a nice fat settlement based on wrongful dismissal, etc. This was their fault. Then of course I'd go on holiday again with the settlement money.

  13. Mike Sullivan
    Alert

    I'm confused...

    Hospital manager has his laptop stolen from his car (presumably locked) and is sacked.

    Muppet from the government gets off a train and leaves top secret military plans on a seat and is what? Sacked? Given a severe talking to? A dressing down in the golf club...

  14. Anonymous Coward
    Stop

    @Lawrence

    Whilst I would agree about the encryption side of things, it's possible that he's been disciplined for leaving it unattended in a car - which is quite likely to be against company regulations.

    Certainly where I work now (Bank), where I worked before (Telecoms Company), and even the place before that (IT "Services Company", actually an overgrown box shifter) had it specifically listed as something you're not allowed to do.

    Of course, we're in the situation where EITHER being fixed would have been 'good enough', so the IT director should ALSO be fired for not having adequate protection in place.

  15. Brezin Bardout

    @ Lawrence

    All I can do as a laptop owner is ensure that it is turned off/locked at any point that it is not in use...

    You could also try to not leave it unattended in a car. Anyone with basic common sense should know it is not a good idea to leave anything of value in a car. I certainly wouldn't, would you?

  16. Anonymous Coward
    Coat

    Well, it's good to see someone finally getting the rap! - funny how it wasn't a minister though, huh!

    However, why are these people allowed to take the data in the first place?

    Surely they could do a remote terminal login to a central server that requires user:pass to access data. That would be a far more secure and simple option than allowing government users to take data with them on HDD.

    That way if they do have their laptops stolen, and as usual the accounts are unencrypted, at least all that will be on the laptop will be a few files and the terminal software with an account that can be changed or deleted, instead of GBs' worth of personal information on Joe Public.

    *\. Mine's the one with the folded piece of paper on which is scribbled in a moment of madness "Most people are Fuktards!"

  17. Anonymous Coward
    Anonymous Coward

    on holiday ?

    No, they are right to sack the guy - why did he have the laptop with him whilst on holiday? And why was it left in the car? That's not how you treat company property with sensitive data on it.

  18. Oliver Drew
    Thumb Down

    Hmmmm

    I think that the responsibility in this case is two-fold...the responsibility of the individual to keep his laptop stored securely (i.e. not leaving it in his car) and the responsibility of the board to make sure that hospital data and machines are secure anywhere at any time...not having an encrypted storage device is criminal nowadays as the technology is not immature and not overly expensive or difficult to deploy...for the sake of all, give the man his job back with a reprimand and look at yourselves!

  19. Anonymous Coward
    Anonymous Coward

    lacking info

    He probably got sacked for having that data on his laptop in the first place rather than losing it - which is common and, let's be honest, accepted as something that just happens.

    Since it was a unanimous decision I suspect it must have been something else than the actual loss.

  20. Jared Earle
    Thumb Down

    No need?

    What was he doing with confidential patient data ON HOLIDAY?

    Sack him. Oh, they did.

  21. Adam Price
    Thumb Down

    @Lawrence

    Of course he shouldn't be responsible for the security of the data, but he should be more aware of the ownership of the hardware at least.

    If someone takes something belonging to their employer and leaves it unattended in a car then they deserve to be sacked for it, let alone doing it whilst away on holidays.

    Work laptop is for work not holidays.

  22. Anonymous Coward
    Anonymous Coward

    RE: No Need.

    There is probably more to it than that. For instance, the rule might have been that laptops weren't to leave the hospital, let alone be taken on holiday with employees. This stinks of disciplining him for taking the laptop, but attaching the blame of the robbery too so as to keep the board looking squeaky. One bird with two stones, so to speak.

    B

  23. Martin Gregorie
    Thumb Down

    @lawrence

    Excuse me. The guy takes confidential data ON HOLIDAY with him and it's somehow not his fault? It should not have been on the laptop under those circumstances. Full stop.

    If you really believe that it's not his fault, then I have this nice bridge over the East River that I'm sure you'll want to buy.

    IMNSHO confidential data shouldn't leave the server except as a backup or when it's requested item by item by an authorised client program connected by a secure LAN or VPN.

  24. Nemo Metis
    Coat

    Let's see

    Surely this isn't still happening? After all the laptops the intelligence services have lost, one would like to think that people, especially some of the country's vital organs such as the NHS and government, would have learnt to actually plough money into data encryption and not their bank accounts. Surely it's better to have a secure job that doesn't pay as well as it could over a well paid job that lasts a week because someone's after a five-fingered discount?

    Mine's the one with the handbook of common sense in its pocket....

  25. Lloyd
    Alien

    Andy S has asked the pertinent question

    He's a manager, so why does he need patient data? If he's doing analysis on the drugs/beds/costs then everything bar name and address would be sufficient. As far as I can tell there is no way that data like this should be shifted off of a central DB (where it can be called up for treatment purposes). This is piss-poor data management across the board; idiots like this shouldn't be allowed access to personal data.

    Alien because that's what data security is to the civil service.

  26. Anonymous Coward
    Anonymous Coward

    Lesson to learn: don't take your work home

    He obviously thought that he was indispensable; why else would he take his laptop on holiday?

    I can see a lot of people now thinking twice before taking work home with them; you might get a few brownie points for dedication, but the risk seems to be pretty large. Would you employ someone who was fired like this?

    A few more details would be nice though; was the laptop visible in the car or locked in the boot (Merkins, that's the trunk)? Was the data supposed to be on his laptop? The story doesn't really indicate whether firing him was over-the-top or justified...

  27. Anonymous Coward
    Anonymous Coward

    okay

    As you all know there are 2 sides to this security game, logical and physical. The logical is ultimately in the remit of IT. Physical, in this case, is the Manager's responsibility.

    To be honest, in this case, it doesn't matter a rat's arse if the data was encrypted or not; the Manager irresponsibly left it in his car to be stolen, therefore he got bagged.

    But did they sack him or did they ask him to resign? Very important distinction there, if they want to minimise the chances of this happening again.

  28. smudge

    @ Lawrence

    "Give them their job back, and place the blame in the right place, and sort your data security out."

    The fact that they could fire the manager must mean that they have some security policy in place, that it makes breach of security a very serious offence, and that they can show that the manager was aware of it (e.g. training records, he/she has signed to say they have read & understood it, etc.).

    That's a good start.

    Now they need to tighten up their systems to ensure that if such data is copied onto a laptop - and there had better be a damn good reason for needing to - then it must be encrypted.

  29. Anonymous Coward
    Anonymous Coward

    If...

    ... this is just a simple theft then that's a harsh punishment, if however this chap took a laptop with him on holiday that shouldn't have been there (most work laptops are for office, home and not holidays) and then left it on the seat of his car whilst he was jollying it up then that is indeed a sacking offence, as he would have known what was on the laptop. He may not have been supposed to have the records on the laptop in the first place...

  30. min

    that is seriously evil

    the fowkin bosses should take the can as well, not the single recipient of the punishment. no encryption? that is a bigger crime than taking a laptop on holiday and being relieved of it by a discerning crook.

    the unfortunate thing is that the bloke DID have data on a laptop that should not be leaving on holiday under normal circumstances anyhow.

    so serves him right. but his bosses have gotten it light and are using him as an excuse to sound off about serious enforcement of their terrible data management structure.

    the poor bloke was just, by extension, a victim of his superiors' bad planning. i hope this wakes their policy team up a little.

  31. Anonymous Coward
    Dead Vulture

    Steps to ensure this would not happen

    would have been implemented under Fujitsu's plan for the NHS but were seen as "overly complicating things"... which says a lot about the support that FJ had from the client really, doesn't it?

    The NHS is its own worst enemy; the management has no backbone to enforce these things and when something like this happens they make a scapegoat out of the nearest person.

  32. Nano nano

    Quotable quote

    Surely the press statement should read,

    “Patients and the public should be reassured that the Trust NOW takes security and patient confidentiality very seriously."

  33. James Bassett
    Joke

    Inconsequential

    I think you'll find the fact that it had confidential data on it was inconsequential. He just needed something that would play DVDs to keep the kids quiet for the long drive up to Edinburgh!

    Sack him!

  34. Anonymous Coward
    Anonymous Coward

    Corporate failure too

    Presumably he had the laptop on holiday because he's expected to be contactable and put in some unpaid overtime. It's the norm in the public sector now too!

    I'm not saying don't sack him, but the fact that data's allowed to be unencrypted is senior management's fault. Trouble is, these days although there will be written guidance, everyone knows it's unworkable, and everyone will ignore it UNTIL something like this happens. Then the hapless employee gets told exactly what the rules are, whilst his managers look uncomfortably at their shoes during the hearing, thinking "there but for the grace of God", without having the backbone to admit they're guilty too.

  35. Anonymous Coward
    Anonymous Coward

    Simple...

    Work during working hours.

    No laptops.

    Data never leaves the office.

    No outsourcing.

    Development done by long-term employees, during office hours

    All very simple

  36. El Loco Americano

    In summary...

    Taking the laptop with him on vacation - not a problem.

    Having client data available in the clear on the laptop - a problem

    Whose problem? If there was a policy prohibiting the use of confidential data without encryption, or prohibiting it from use on mobile devices, or requiring encryption on all mobile devices - he deserved it.

    If the security policies were lax, and this poor sap just happened to be unlucky enough to be the first one to lose a device with critical data in the clear, then he's just a patsy.

  37. ElFatbob

    Maybe...

    he did deserve to lose his job, but at the end of the day the upper management are equally at fault. The apparent lack of a coherent and enforced security policy should be addressed....with some senior cast-offs...

  38. Mike

    @Min

    "the fowkin bosses should take the can as well, not the single recipient of the punishment. no encryption? that is a bigger crime than taking a laptop on holiday and being relieved of it by a discerning crook."

    Not really. If the laptop was kept in a (feasibly) secure location (i.e. work or the home) then encryption shouldn't be necessary. Leaving a company-owned machine in a car while on holiday (why has he got a business machine on his pleasure trip? I can't take my work PC home to play games on during my hols, I had to buy my own) is removing the effective security put in place. What you're suggesting is that we should have multiple levels of security put in place to cover the same issue.

    One way to improve this would be to make the employee pay for the laptop. I bought my laptop for use at a voluntary organization and (call me overprotective), but I know exactly where it is at all times - even when driving the car doors are locked and it's never left in the car if I can help it (and if it were, it'd be hidden in the boot or something, not left in plain view). These guys have all the tech provided for them, so they don't care if it gets broken/lost/stolen cos they'll just get a new one (probably even an incentive when they want an upgrade to a new machine).

  39. Andy Livingstone

    Sacked; who is next?

    I've been scouring the press for details of civil servants and military people who were disciplined in any way.

    Can't find any.

    Firing is absolutely the right thing to do.

    Let's stop making excuses for incompetence, please.

  40. yeah, right.

    wondering...

    I wonder if this is the same manager who was told he had to have the report ready the day he returned from holiday, so he was forced to take his work with him? The same manager, perhaps, who was never told about the availability of encryption software to keep things safe and was told that "locking the laptop" would be sufficient, because the board of governors were too damn cheap to pony up for proper data security?

    Yes, leaving the laptop in the car was stupid. But I still smell "scapegoat".

  41. Illsay
    Stop

    What actually happened

    Let me provide some needed insight that a few commenters are missing and shine a light on the human drama, without plugging encryption tools.

    Just before this manager left work for his well-deserved holiday there were some pretty important reports to be finished that no one else could be bothered with at the time. Looking back, volunteering for this task was a bit stupid, but the silence at the meeting was a bit awkward and embarrassing at the same time. "Yep. I'll have a look at those" was out before he realized it and he forgot about the upcoming holiday. His wife, however, was not so forgetful and was p-ed off by the appearance of the laptop when they packed the car. It took miles before that subject finally died, leaving the manager exhausted trying not to look like the sucker, without playing the NHS budget card.

    When they finally arrived at their holiday destination, the laptop was one of the first items the manager wanted to secure, if the dog had not escaped to freedom. The oncoming traffic barely missed the dog. The screeching of tires was deafening and the horror on the kids' faces spoke volumes. Seeing our manager clumsily holding the laptop in his hands whilst the dog nearly got killed was a picture that infuriated the missus. This was not a good start. Quickly the laptop was tossed in the back of the car and the dog's leash picked up from the road.

    Later that day, on a terrace with a half-downed pint in his hands, the manager's mind wanders off to another meeting earlier this year when encryption was discussed. "Policies is what we can afford, no techie tools or fancy consultants and their software". This was the official guideline and there was no support for spending budget on eventualities.

    Now the kids and the dog come running back from the parking lot looking all excited, bless them.

  42. Anonymous Coward
    Unhappy

    Encrypted Data

    Luckily our company does not deal with the general public, but the chances of our PHB being able to encrypt data are slim. I got called in for at least the fifth time yesterday to show him how to copy & paste.

    No. Really. I'm serious.

  43. Jason Pugh
    Thumb Up

    About time....

    .... just wish my company would implement this sort of policy. Leaving laptop in car = breathtaking stupidity that is pretty much inexcusable. Even if the bloke was pressured into working on his vacation (and that seems to be entirely conjecture), *anyone* who gave a damn about their job would at least attempt to take better care of company equipment. If the hospital has not implemented an appropriate data security policy, then there is certainly a question of where that responsibility lies, but that does not provide *any* excuse for this sort of behaviour.

  44. Anonymous Coward
    Anonymous Coward

    Homes are not secure anymore

    More laptops are being stolen whilst kept at home, whilst people are sleeping upstairs ... thieves break in (quietly), take the laptops, satnavs and other small easily fenced items, oh, and for good measure they nick the car keys and take the cars as well.

    I get to talk to these people who get broken into like this and that's why I have full disk encryption, encrypted USB sticks and encrypted backups in safes ... and that is just at home 8-) Plus, the burglar alarm goes on at night!

    However, this guy probably does deserve disciplining and the trust needs to tell its employees the full terms and conditions that they should work under and what the data protection act etc requires them to do. They all have a collective responsibility though.

  45. RW
    Jobs Halo

    There's more to this story than meets the eye

    My first reaction to the headline was "at long last, somebody's been held personally liable for data loss" but reading earlier comments has made me reconsider my bloodthirsty attitude.

    It's clear, in a fuzzy, foggy, vague sort of way, that there is no established protocol covering the use of what, for lack of a better word, we can call "confidential data." By this, I mean an established, universal protocol applicable to enterprises of all sorts, not just the Colchester Hospital, the NHS, or medical operations in general.

    Such a protocol might include, for example:

    1. Stipulation of a confidentiality level for every data item on file. Names, DOB, ID numbers, telephone numbers, addresses would be among the more highly confidential items.

    2. A need-to-know policy that relates all uses of data to the confidentiality level. For example, if a statistical study is carried out, none of the highly confidential data would be available. But note, otoh, that an office receptionist must know names and telephone numbers, among other things.

    [PS: points 1 & 2 are written vis a vis medical records. In the business world, proprietary data would also be of the highest confidentiality, but would also have to be available for some statistical analyses.]

    3. Universal provision of server space so data is never stored on a laptop or desktop system.

    4. A review of this insane idea that one is on the job 24/7/365. Let's have a one-to-one correspondence between hours in the office and hours of work, no work outside those hours at all. IOW, no work at home, while commuting, while on vacation, etc.

    5. Hardware solutions like diskless systems, blocking portable storage devices, no individual burning of CDs, etc. Alternatively, if a local disk is essential (not merely something a Big Boss craves), rollout of new machines should include installation of full disk encryption

    This is the merest skeleton of such a protocol; I'll leave it to the more highly tuned brains of others to flesh it out in detail and turn it into a viable standard. [And yes, I've repeated points made in earlier comments. No claim for originality.]

    The barriers to establishing such a protocol and to its implementation are two-fold. First of all, the existing standards mechanism such as the ISO is beyond clumsy and awkward, being a committee effort. I almost have more faith in the one-man RFC than the ISO approach to the formulation of standards.

    Second, management are meatheads. Management ranks in many, perhaps all, enterprises of all sorts, are filled with those who have reached, and in many instances risen above, their respective levels of incompetence. Perhaps the only solution is to stipulate that organizational heads are personally responsible, and it's up to them to ensure that the managerial ranks under them fully understand and buy into such standard protocols. IOW, if you are a CEO and not a meathead yourself, you'll have to get rid of the meatheads under you. You can always put them to work swabbing out toilets. Boards would have to be responsible, at risk of dismissal, for ensuring that their CEO isn't a meathead himself.

    This second barrier is more severe than it might seem. My own experience is that once an idiot manages to weasel himself into the ranks of management, he becomes an untouchable: no matter what his failures and misdeeds and incompetencies, he will never be fired, not even demoted.

    Apologies for an overly long, rambling comment. I hope it provokes further thinking by the tribe of El Reg readers.

    Too bad there's no "won't shut up" icon for longwinded screeds like this one. Ballmer will have to do.

  46. Anonymous Coward
    Anonymous Coward

    outbreak of common sense

    Should have been sacked the minute he put the confidential data on the laptop.

  47. Anonymous Coward
    Anonymous Coward

    I don't get it

    why would anyone want to go to Edinburgh for a holiday?

  48. Kevin Reader
    Stop

    Even the insurance wouldn't have covered it...

    To try and mitigate the fool vs scapegoat argument I thought I'd offer the following.

    While contracting I had a home/work insurance policy. This covered contents for household, business and travel risks and avoided issues about whether X is a personal or business possession. It even covered my laptop UNLESS it was unattended/insecure.

    Cover was explicitly excluded from a locked motor vehicle which counted as INSECURE.

    While this may not apply to every policy, I would have thought just leaving the laptop in the car was enough to take blame for the loss of the laptop. To do it with patient data on it is mad. I also wonder why a MANAGER would need to travel home with UN-ANONYMISED clinical data. For that part the NHS should take the blame; they would not have done it (hopefully) when you only had one paper file for all your patient notes.

  49. Matthew
    Dead Vulture

    He's not a doctor

    He's a manager, what's he doing with thousands of patient treatment records?

    The fact that the data is on his laptop (irrespective of encryption or theft status) should be a disciplinary offence.

  50. David Eddleman
    Stop

    Not his fault

    You really can't fault the guy for leaving his laptop in the car. That's not the real issue here. He left it in a secure location (behind a locked door) and that's responsible enough. Different story if he left it out in the open for anyone to take -- now we're talking gross negligence.

    The problem comes from not encrypting the data and making reasonable safeguards against third-party access. The ones who should be disciplined are the company's IT staff (assuming that this guy's not on that -- if he is, well, yer fault buddy!). They gave him remote access to company data that should be secured properly in the first place.

  51. Jason Pugh
    Alert

    @David Eddleman

    "You really can't fault the guy for leaving his laptop in the car. That's not the real issue here. He left it in a secure location (behind a locked door) and that's responsible enough."

    Sweet Jesus! Where do you live - Rockall???????

  52. dk coli

    Bad Precedent

    Why are users still allowed to put ANY sensitive data on a laptop that leaves the building?

    Do you really think that a password and/or local encryption is an acceptable safeguard?

    After FINALLY getting upper mgmt to realize these things happen, a couple of years ago we were able to require users to use laptops to ONLY connect to internal systems via Terminal Svr or RDP to their workstations. No data ever has to leave the building and if the laptop gets stolen, there's no sensitive data stored locally to be worried about. I guess I'm still amazed at the number of places that aren't requiring something similar. One bad data theft will cost much more than the price of a Terminal server.

    Honestly, unless they had a policy in place that specifically prohibited the user from storing data locally on the laptop... they should not have lost their job (especially not while trying to work during their vacation). If they needed to send a message, it should have been higher up because that's where the "NO's" come from when you want to implement better security on your network.

  53. Pete

    I worked in the health sector

    For a private company mind you

    If I had been caught putting confidential patient data on anything and taking it out of the office without express permission I would have been sacked on the spot.

    Why does a manager need this information on a laptop? I'm betting he copied it without consent thinking he could work with it while on holiday, and was slapping himself on the back for being so clever being able to get around the workplace security to be able to copy it.

    typical arrogant management attitude in my experience.

  54. greg
    Thumb Down

    Unfair dismissal surely?

    Ok, there have been a lot of incredibly high profile data loss stories going on in recent months, but this is surely taking far too drastic action. To dismiss the manager for having his laptop stolen is outrageous... It's not like he asked the thieves to come and steal it while he was away.

    As has been said, data security shouldn't be managed by the individuals, it should be managed by the business IT dept. What were patients' records doing on his laptop anyway? Shouldn't that all be stored in a secure central database somewhere, which the employees access using a VPN of some description, like everyone else in the real world does?

  55. Anonymous Coward
    Thumb Down

    Sorry, but...

    ...there aren't half a lot of sanctimonious tossers here; I'm with both AC "Corporate failure too" and Illsay. This reeks of someone:

    a) being required to put in unpaid overtime on holiday, while

    b) having to do so on a machine that despite being in an organization with access to sensitive data has unencrypted data on it that

    c) should never have been copyable onto a laptop, but should only have been accessible

    d) via heavily encrypted VPN.

    It's not an individual failure, it's a predictable/predicted systemic failure, and the guy sacked is just being made a scapegoat for it.

  56. Random Musings Of A Mad Person?

    Could he have been working with a drug company?

    Given that he had the patient details and also the record of their treatments on the laptop it sounds suspiciously like he was helping out a drug company with a clinical trial, perhaps even on the sly against the wishes of the hospital?

    The mind boggles about how people can have such a disregard for other people's personal data.

  57. Shane Matthews

    My Tuppence Worth

    As others have said, the data shouldn't have left the hospital in the first place. At the medical facility I consult at, all PHI data resides on the database servers. Access internally is via thin clients. If someone needs to access data from home or from a laptop, they have to establish a VPN connection first.

    The only time PHI leaves the facility is on encrypted back up tapes.

    At the end of the day, it's not rocket science.

  58. Brezin Bardout

    @ AC

    'More laptops are being stolen whilst kept at home, whilst people are sleeping upstairs ... '

    Are you suggesting it's safer to keep our laptops in a car parked outside?

    Perhaps the reason more laptops are stolen from homes is that more laptops are kept at home. I wonder what percentage of laptops kept in a car overnight are stolen, and what percentage of laptops kept in the home overnight are stolen.

  59. Anonymous Coward
    Anonymous Coward

    Bonnie Scotland

    "why would anyone want to go to Edinburgh for a holiday?"

    To get away from Essex.

  60. Charles
    Alert

    Two caveats.

    First, in order to establish a remote connection, there must be a means to access the Internet. If the location you're in happens to lack the means (no landlines, no WiFi, etc.), then you're SOL. But you may still need that data at that moment.

    And as for standardising security, I give you one very important question: Who's going to PAY for all this (expletive)? I don't care if it's a matter of life or death, but we can't put in what we don't have. Where's the BUDGET for it?

  61. Anonymous Coward
    Anonymous Coward

    why

    with remoteapp, xenapp etc being available, and connectivity being near universal, do we actually store anything on portable devices? After all, if you can ring someone to ask them for information or to do some work then they can be online. Data that is confidential should stay somewhere that is both electronically and physically secured, by all means encrypt your laptop but once you have the device, cracking the encryption is a matter of time.

  62. Anonymous Coward
    Anonymous Coward

    @Charles

    "the BUDGET for it" is in the GBP gazillion nhs it gravy train. Or did someone forget to put security in the spec? Perhaps they can only afford to employ 'managers' whose idea of computer literacy is cut'n'paste?

  63. Anonymous Coward
    Anonymous Coward

    The gazillions

    is going to paying for specific projects provided by service providers*. And yes, security of the sort we're talking about here is not part of it - that's part of the IT budget of individual trusts and it's generally pretty poor.

    So much lack of understanding of the real world here it's hard to know where to start.

    You can have all the policies in place you like, but you can't readily stop a manager from going to PC World, buying a laptop and copying stuff to it via a memory stick. Correction - you can, there are products which stop sensitive material leaving the network, but you try getting backing or funding for them. I'm currently organising a big encryption project, but you've got people who just won't bring 'em in. OK, I can cut 'em off the network if I have to, but - memory stick again.

    You can tell people they must bring their laptop in for encrypting. You can tell them not to take sensitive stuff home to work on, at least not unencrypted. But you can't make them do it. I swear that there are a hard core of users out there with a rule which automatically deletes any email coming from anyone in IT.

    Hell, there's places where you're still fighting a losing battle against floppy disks with patient data on them. Why? Because it's always been done that way. I've lost count of the number of keyboards and monitors I've ripped post-it notes off of with the username and password on them.

    All you can do is fire people for grossly ignoring the policies, as Colchester apparently did.

    Anonymous because it has to be.

    *don't get me started on their ideas of what's secure.

  64. This post has been deleted by its author

  65. This post has been deleted by its author

  66. Chris Evans

    Not enough information

    Was he authorised to have the data on his laptop? We don't know

    Was he authorised to take it on holiday? we don't know.

    Was the laptop on full view in the car or locked in the boot? we don't know.

    If I was away from work and home, locking the laptop in the boot would be more secure than say taking it into a pub/restaurant or even possibly a hotel.

    Maybe the chap had previously warned about one or more of the above aspects, we don't know. But without more evidence he does appear to have been a scapegoat.

  67. trackSuit

    Basic Education

    For over a year, Ford have had encrypted hard disks on all laptops and stationary computers. The encryption software was deployed across the network and installed without any hitches.

    All Ford employees have been obliged to do a short course on basic data security.

    People do not like personal data getting lost. It's made worse by the fact that such data is commercially valuable. People do not like their personalities (in a sense) being sold off and pimped to organisations who are only likely to abuse this information for gaining control of and a pecuniary advantage.

    And Chris Evans "Not enough information" how much would you like? There's lumps of it round the back, going real cheap too, as in Free but and IT would just be a generally generalisation of a bigger thing which would be news?

  68. David Eddleman
    Flame

    @Jason Pugh

    No, I live in Southern California. Right near some ghettos.

    Point is, if you take reasonable methods to secure an item from physical theft with the tools available to you, how can you fault someone for breaking in and stealing it? Hell, I'm the last one to leave the office about half of the week, so it's my job to ensure the doors are locked and the alarm is activated before I go. If someone breaks in and makes off with our equipment, is it my fault? Fuck no, not unless I left the door unlocked or something stupid. At which point, it *is* my fault and being disciplined isn't unfair.

  69. Matt

    harsh, but fair

    ok, so encryption wasn't installed on his machine, this isn't his fault... the IT department should have done this - 5 minutes and his data would be secure...

    taking the laptop on hols, well... if he was doing some extra work, he had all rights to take it, but if it was just for storing holiday snaps and watching DVDs he should have left it...

    leaving the laptop in the car.... again no one has clarified if the thing was locked in the boot, under a blanket out of sight... or if a beautiful TX series Sony was left on the passenger seat of his open convertible... the former, well... unfortunate accident, the latter, pure stupidity...

    now, for me, the crunch... the sheer volume of data... if he was working on patient records he would only need a fraction of the files... if he was doing data analysis, then anonymous data as mentioned before, would be more than adequate... what were 'thousands' of patient records doing there...

    He got a stiff punishment, and has been used as an example/scapegoat, but in the current climate of data loss, what do you expect...

  70. John Dougald McCallum
    Happy

    Been to Edinburgh?

    <<why would anyone want to go to Edinburgh for a holiday?>> especially at this time of year, it's full of b'dy TOURISTS what with the Fringe and The International Arts Festival, Tattoo etc

  71. Anonymous Coward
    Anonymous Coward

    @Matt

    Read what I said before. If I know the NHS and the attitude many managers have towards the IT department and security, the IT department has sent him about 50 emails telling him to bring the laptop in to be encrypted and he's ignored them.

  72. Anonymous Coward
    Anonymous Coward

    Draft policy at one of the largest PCTs

    <q>Laptops

    When travelling laptops must not be carried in open view but must be locked in the boot of a car and removed once the journey is complete. If laptops are taken home by staff they must be kept safely and securely, this means that other members of their family and/or their friends/colleagues must not be able to access or use the laptop.

    All laptops that leave the security of a PCT building must be encrypted even if the laptop is only to be used for remote access to NHS information systems.</q>

    Encryption software has been approved within the last two months. Prior to that the policy read:

    <q>Furthermore person-identifiable data must not be stored on a laptop unless it is located and remains in a secure area i.e. an area which does not allow public access, unless the laptop has been encrypted.

    At present the Trust is unable to encrypt removable media and is waiting for CfH to complete its central procurement of one or more encryption tools that will assist NHS organisations to secure their patient and other sensitive data.

    Information on the use of removable media should have been submitted by managers to the Head of Information Governance as part of the data mapping exercise. This information will be used to identify where there is an operational need for encryption and to inform a planned approach to the use of encryption software once a national solution is available.</q>

    Anonymous for obvious reasons

  73. Anonymous Coward
    Anonymous Coward

    Information Security Policies, Standards, and Procedures?

    The article did not mention any information security policies, standards, and procedures at the Colchester University Hospital. Are there any? Did the unnamed manager violate policy or was he a scapegoat? Did he take the laptop during the holiday because he might be on-call and he needed the laptop? Or was he watching porn on the company laptop, hence why he needed the laptop during the holiday?
