Colchester University Hospital Regretting Lack of Hard Drive Encryption.

The loss of a laptop computer by a hospital is rocking the UK again.  This time, the information of 21,000 patients was lost when the laptop computer holding the data was stolen from the car of a Colchester hospital manager.  The information included names, dates of birth, zip codes, and medical information.  The hospital acknowledged that data shouldn’t have been placed on a laptop lacking encryption solutions (like full disk encryption).


The story broke when patients received letters from the hospital trust regarding the data breach.  According to the BBC, the letter also mentioned that there was password protection on the laptop, but no disk encryption.  The manager in question has been suspended while investigations are underway.


Who’s to blame?  Well, there are plenty of people.  To begin with, there’s the manager.  Number one, he was carrying around the data on a laptop without hard drive encryption, which sounds like it was against hospital policy.  And he left it in a visible place inside his car (he’s lost a laptop and has to replace his car window).  But then, he was also on holiday.


You know, when a company forces an employee to work during his time off—well, things are bound to happen.  I often argue that one shouldn’t rely on the form factor of a device for data security; that is, a desktop computer is no safer than a laptop computer when it comes to data protection, for example.  You want to have some kind of encryption on those devices to protect the data, just in case—theft, random loss, rogue employees, break-ins, etc.  At the same time, encryption or not, I wouldn’t advocate walking around with sensitive data unless you truly have to.  Especially during one’s holidays.


Also, I wonder what the hospital managers—the suspended manager not included—are thinking.  I get the feeling that they haven’t thought through their data security needs.  To begin with, one aspect of their security management seems to be all talk and no action: “patient data should not be stored unencrypted on a laptop and he had previously written to staff with such computers reminding them of this.”  Remind all you want, but the reason people need reminders is that they’re actively not doing something; that’s why they need to be reminded.  If the hospital was serious about security, they probably would have deployed something hospital-wide.


Then, there is this gem: “The computer was password-protected and only authorised staff could access the data.”  As anyone in the UK knows, this is not true.  Password protection is only a barrier if people are not aware that there are ways around it.  Of course, this issue has been brought up so many times that most people know they should be very afraid if password protection is the only “protection” for sensitive data.  (Some would argue that blogs such as this one are contributing towards information insecurity by revealing such “secrets.”  These same people probably think “underneath the mattress” is tantamount to “place where my money will not be found by thieves in the event of a burglary.”)


Encryption.  It’s pretty much the only game in town if you want to safeguard the data found on computers.  Not just computers, in fact.  Encryption solutions provider AlertBoot, for example, offers security for external drives, USB flash drives, CDs and DVDs, etc.—anywhere digital media security is needed.


Other Related Articles:

http://www.silicon.com/research/specialreports/fulldisclosure/0,3800014102,39253496,00.htm?r=2

http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php