BreachExchange mailing list archives

Two NHS data loss incidents show that basic levels of security are still lacking in the healthcare sector


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 23 Oct 2010 22:42:43 -0400

http://www.scmagazineuk.com/two-nhs-data-loss-incidents-show-that-basic-levels-of-security-are-still-lacking-in-the-healthcare-sector/article/181391/

The last week has seen two more data loss incidents by NHS professionals,
with both found to be in breach of the Data Protection Act by the
Information Commissioner's Office (ICO).

Last Thursday, specialist healthcare recruitment agency Healthcare Locums
(HCL) was found to be in breach of the act following the loss of personal
data relating to doctors employed by the organisation. The ICO said it was
first informed of the breach when HCL confirmed that a hard drive containing
doctors' security clearance and visa information had been sold on an auction
website before being returned to the agency.

Further enquiries established that the equipment was last recorded as being
transferred from HCL's Skipton branch to its branch in Loughton earlier this
year. However HCL had no inventory list for the transfer, so the
organisation failed to realise the storage device had gone missing until it
was reported by a member of the public. The device was eventually returned
to the agency and wiped in June 2010.

Also on Tuesday this week, a doctor at North West London Hospitals NHS Trust
was found to be in breach of the Data Protection Act by leaving medical
information about 56 patients on the tube.

The incident, which was reported to the ICO by the trust in May 2010,
occurred when a doctor printed out personal and diagnostic information about
patients to use in audit work, undertaken at home outside of normal working
hours. Shortly after leaving the tube station, the doctor realised the
information had been left on the train and returned to inform the station
supervisor. The documents were subsequently found by London Transport at the
train's termination point and retrieved by the doctor.

Sally-Anne Poole, enforcement group manager at the ICO, said: “Most of us
can think of a time when we've found someone else's personal belongings,
like an umbrella, left behind on a train. But the last thing we should ever
expect to find are highly confidential and sensitive papers detailing
people's medical history.

“We understand that many health professionals have busy lives and often take
work home, but simple steps like removing patients' names from print-outs can
help minimise the potential for personal data to be lost or otherwise
compromised. I welcome North West London Hospitals NHS Trust's decision to
report this breach to us and the remedial action it has taken to put
more effective data protection measures in place.”

Commenting on the HCL incident, Mark Fullbrook, director of UK and Ireland
at Cyber-Ark, said: “It's difficult to know where to start with this one –
the fact that the information wasn't encrypted, the fact that its transfer
wasn't logged or the insecure method of transit used.

“Companies of all sizes regularly store and transfer highly sensitive
information regarding their employees, but what matters most are the
measures taken to protect the integrity of that data every step of the
way. With that in mind, aside from a blatant disregard for the terms within
the Data Protection Act, HCL's biggest failure is toward those employees
that entrusted personal information to the organisation.”

Looking at the North West London Hospitals NHS Trust's doctor report, Oliver
Hart, head of public sector at Sophos, said: “Today's news that a doctor
left printed personal information on 56 patients on a London tube train in
May 2010 is yet another blow for the NHS, which is increasingly coming under
fire from the ICO for leaked data.

“With budgets being cut, the NHS must take more care to protect data held
within trusts so that it can avoid paying out unnecessary penalties. There
are several ways of protecting data, ranging from the ICO's recommended
approach of removing patient names from documents to sending encrypted data
from one location to another.

“It is of paramount importance to educate users within the NHS of the risks
of moving around patient and organisational information and how to protect
such data. Having the right data protection software is vital but it also
requires much more than just putting software in place. Alongside this, it
is key to establish the right procedures and processes to protect the data,
as well as educating users, across the organisation.”

Despite Government cuts announced this week, the privacy of citizens cannot
be forgotten, according to Kevin Bocek, director of product marketing at
IronKey. He said: “Over the past seven days, two incidents involving
healthcare professionals show that there is still much work to be done in
both the public and private sector. In both incidents, the most basic level
of data protection, encrypting stored data, was not enforced.

“Unlike the more complex attacks on Britain, these incidents are simply
preventable. If Government can cut over £80 billion in spending out of the
system it must be able to ensure that the privacy and productivity of its
citizens are protected to the most basic levels.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
