Hard Drive Encryption Missing From Seven Stolen UK Hospital Laptops. A Defiant Act?


The Telegraph is reporting that two breaches involving NHS data have occurred in the UK.  Based on the details provided by the article, it looks like one was a case of egregious behavior (labeled as “defiant” by the writer), and the other less egregious—but just as non-compliant as the first one.  These wouldn’t have been problems—in a pragmatic sense as well as a compliance/legal sense—if full disk encryption solutions like AlertBoot had been used.


 


The first case involves the loss of a laptop from a car.  Amazed that this is still happening.  Not thefts from a car; that’s going to happen until the second coming of Jeebus, although by that time it will be more like breaking into a rocket or something.  Nope, amazed that people are still taking unencrypted laptops and leaving them in their cars.  Not good news for the 11,000 patients whose information got stolen.  Apparently, the compromised data involves names, addresses, NHS numbers, and personal medical histories.

 

In the second case, six laptops were stolen from locked file cabinets at St. George’s hospital.  The laptops were a temporary measure, according to an internal e-mail that was sent to St. George’s staff.  I ask, a temporary measure to what?  Did they have to replace six desktop computers at the same time?  (Because it would be weird.  The article makes it sound as if they were all in the same office.)  If so, and this is the more important question, would those desktop computers have been safe from the thieves?  After all, they showed the determination to break into locked drawers and file cabinets.  My guess is that desktop computers wouldn’t have been safe either.

 

Those following this blog will recall that I’ve often preferred people using laptop computers, and locking them up at the end of the day, over desktop computers that are left in plain sight.  I’d like to emphasize that I’ve also noted that the lock up has to be done in some seriously secure containers…like a safe.  Or a safe-like file cabinet.  You know, those designed not to be broken into?  A simple file cabinet will not do (which makes me wonder about the security of plain, but sensitive, paper documents).  On the other hand, the fact that hospital staff were locking them up does show that they were being security conscious.

 

If they really knew their stuff, though, they would have encrypted the laptops—which is required: “Department of Health rules say…. Mobile storage devices including laptops must be fully encrypted.”  Those are the rules.  And, they’re stricter than what HIPAA requires.  As far as I know, under HIPAA laptop encryption is an option, not a requirement.

 

Of course, hard drive encryption wouldn’t have prevented the thefts.  The point is to protect the data if (some would argue “when”) the computers get stolen.  Nothing gets the job done like disk encryption when it comes to hard drives, be they in computers or external.


