Disk Encryption Neglected On NHS Dumfries and Galloway USB Memory Sticks.

The newspaper Scotland on Sunday broke the story that the NHS Dumfries and Galloway has lost two USB flash drives with information on patients.  The memory sticks in question did not feature disk encryption that would have ensured information security.  And, the breach was only made public because Scotland on Sunday filed a Freedom of Information request.


In a sign that muckraking works wonders, the health authority has modified their procedures.  And yet, there’s something of a rushed feel to them, and I think the NHS honchos may not have consulted information security experts.  According to The Herald, “new guidelines are now being implemented concerning the use of USB storage devices, and all information on the sticks must be encrypted or password protected to make it impossible for others to use the data” at NHS Dumfries and Galloway.


The use of encryption is highly recommended when dealing with sensitive data.  But, as a number of cases have shown in the past—and in the UK alone—password protection in of itself is not really protection.  Indeed, I would have thought this was already common knowledge among UK residents, what with the number of potentially disastrous data breaches that have littered 2008.


It should be pointed out that the above guidelines will also apply to any laptop and desktop computers…but only in areas accessible by the public (i.e., non?NHS employees).  Again, this seems to indicate that an expert in the area of information security was not consulted.  Or, at least, an expert with adequate levels of paranoia.


Here’s my twist: the loss of the two USB devices was perpetrated by NHS staff.  So, why would you only protect data devices that are accessible by the public?  I mean, it makes sense to protect those, yes; but I’d say it makes even more sense to protect any devices handled by staff.  It’s not the non?NHS people that are actively stealing these devices…it’s the NHS staff that’s actively losing them (which is not the same as deliberately losing them).  This is clearly a case where the staff need to be protected from themselves.


A security consultant worth his mettle would probably have scouted out the physical environment before making his or her recommendations.  A computer, be it a desktop or a laptop, that is in a restricted area may not need full disk encryption to protect the devices’ hard drives—but only if that same restricted area happens to have barred windows.  If the “restricted area” happens to be on the ground floor, facing a dark alley, and has unbarred windows, making it a restricted area on paper only, I’d say it’d be a good idea to either further restrict the area by securing the windows or ensuring that the hard drives of the computers are encrypted.  The latter won’t stop a burglary but it will astronomically lessen the chances of a data breach.


Related Articles:




Comments (0)

Let us know what you think