The only person who should be suspended is the CEO, who still permits systems which allow unencrypted data to be removed from site.
A USB memory stick containing personal information on patients and staff at a secure hospital near Falkirk has been found in a car park outside an Asda store in nearby Stenhousemuir. Data on the unencrypted device included names, addresses and (worse still) medical records of patients. A member of staff at the Tryst Park unit …
As a Falkirk native, this is not at all surprising. The local NHS here has been dismantled to the point it no longer does anything useful. Also, with our local MP (Eric Joyce) more interested in claiming the highest expenses of any MP in the UK, nothing will be done as usual.
Flames because Guy Fawkes had the right idea...
I bet that the person suspended is the one at the bottom of the food chain. I'll also bet they won't suspend the manager/s in charge who should have had a system in place to make sure that it was difficult for the data to get lost or if it did, that it was securely encrypted and backed up.
Don't these fuckwits ever learn?
The Daily Record report says there were also criminal record details on the memory stick.
I suspect that this part might also embarrass the hospital.
"The files reveal that a lack of sinks in dining areas at the unit threatens to contaminate food, spread disease and raises the "possibility of a major outbreak"."
http://www.dailyrecord.co.uk/news/scottish-news/2010/05/05/confidential-medical-and-criminal-details-of-hospital-patients-and-staff-found-on-memory-stick-left-in-asda-car-park-86908-22235247/
How many times? Just how many times do these cretins need before they get a clue?
Why was it even possible to connect the USB device? Surely they disable the unnecessary ports?
There is NO NEED for ANY DATA of this kind to be put on removable media.
It should all be held in the ECM system under proper security.
If any data does need to go on to removable media, it MUST be encrypted. END OF DISCUSSION. You can even have the ECM system export using a personal key. It's not difficult.
I feel for the idiot who lost the data, but I don't totally blame them. Their bosses need taken to task and a few of them sacked. Only holding these civil morons to standards will make them see sense.
It utterly beggars belief.
The CEO of Checkpoint has a grasp on the situation, couldn't be that he's hoping to sell more product could it?
Government has been losing our data since government was invented, we just have a much greater ability to lose a lot of data these days.
CESG are great at coming out with lots of wonderful standards for departments and agencies to adhere to, sadly they never hand out the budget to do it, and often the costs are prohibitive.
The original reports of this spoke of NHS Forth Valley claiming a "computer fault" - not sure how that could happen, unless the stick was automatically ejected with enough force to fire it a couple of miles to Asda's car park through a conveniently open window perhaps?
It must have been one of those computer explosions you see in movies with bits flying everywhere. I've only ever seen this happen in real life, and it involved an A/D card which was accidentally wired to a fresh 550V generator output instead of the 30mA measuring loop it was meant to see.
Other than that, life with failing PCs has been pretty boring..
I had a persistent incoming fax calling me, so I connected up a fax machine and received a 16 page medical record of an individual patient.
I faxed back a suggestion that they should check where they're sending things only to be told my number was published on an NHS website as the fax number of a local nursing home.
They also pointed out that I should inform the website and that 'It's no bloody help sending anonymous faxes'.
So the onus is on me to stop the NHS losing patient data?
Nah, I just let the faxes come in now and again, it's good reading
Data Protection Act...
Both the idiots sending the faxes, and the idiots running the NHS Website.
Actually, I know of one local GP practice which hasn't updated their own website in at least two years, and I rather doubt that any NHS website will know about the changes either.
"someone could go through the effort of changing whatever details they can change, and then present the Trust with the bill, and sue through civil court for the loss."
This looks like the *only* way they start taking notice. One off fines they will no doubt put in a budget increase for. This is more like slow starvation.
What's worse is with stuff like TrueCrypt available for free even *if* (and I agree most justifications for doing this are rubbish) it had to be downloaded it could still be protected.
"The only way to protect data is to use mandatory encryption whenever data is moved or copied" -- Nick Lowe.
No Nick, the only way to protect data is to forbid users to move or copy it!
Senior members of staff should be able to move and copy data; and they should only be able to do so by first encrypting it.
I found some numpty's USB drive in Tesco's car park, with his CV, bank details (sort codes AND account numbers), all his household bills, and customer reference numbers on it, 1000's of pictures. This twat was, and I quote, "head of network security at astra zenica pharmaceuticals".
So, if you're reading this mr (dick) head of network security:
A: Thanks for the free 8 gig memory stick
B: your bank details
C: giving me the best fucking laugh in a long time.
PS, your wife's a right moose.
So glad I got out of IT as a career.
...and I speak from experience with such organisations...
The people at the top don't care. They've never cared. They won't ever care.
Why would they? They're not ever held responsible for their failures (they'd be fired in a week were that true) - some dumb klutz at the bottom of the pile will be sacked for losing data he should never have had the authority or opportunity to copy in the first place. And if the CEO of this Trust was fired tomorrow, he still wouldn't give a tinker's. He'd leave on a golden handshake the rest of us could only dream of with a Lottery win, and pop up in another sinecure job before the ink was dry on his resignation.
There is just no excuse at all for this. It's not even a human error, except if you count what must have been a deliberate policy decision not to implement encrypted media at the technical level.
Everyone involved in this is culpable and should be considering their positions; the Chief Exec, the IT Director, the senior IT security managers, Internal Auditors, Risk Managers, not to mention the operational management who allowed the unencrypted stick to be used (and lost).
Every single one of those people is responsible. No excuses - clear your desks and go tomorrow.
Me? Unsurprisingly I submitted my opt out request for the NHS Central Records spine last week. Anyone who is still willing to trust that their personal medical records will be professionally managed after reading the above is simply an idiot.