Looks like the data troubles for the UK National Health Service won’t ebb away any time soon. The Aberdeen Royal Infirmary has reported that it’s missing a laptop computer with sensitive information. It looks like there was some thought given to data security, but the lack of appropriate information protection software like data encryption from AlertBoot is troubling.
The NHS Grampian has announced that the stolen laptop contained the details of 1,392 patients, including names, addresses, birth dates, and clinical information which was coded. The information is double password protected (whatever that means. I just don’t trust password-protection).
The laptop was stolen, according to the BBC, “from a locked office in a locked corridor in the [gastro-intestinal] department.” There is no mention of how the office was accessed. Makes me wonder if this is another case of “let’s break a window–there’s too many locks in this place!”
It’s hard to fault Aberdeen for the data breach. Consider what they had in place:
- Double-passwords (again, I’d have preferred–nay, demanded–the use of hard disk encryption)
- Locked doors
- Laptop stored in a cupboard. I’m assuming that it was basically hidden from view
- Has issued a press release with the ID numbers for the computer: NHS Grampian identification number (NHSG4422) and computer serial number (HUB60310Y8)
- Has sent notification letters to all affected within a week of having the breach
Yes, the laptop is still missing. And I’m not too crazy about the lack of encryption. However, when you take a look at the above, you can tell that this is one hospital with a data security policy, and more importantly, that these policies were being followed, which is more than I can say for most hospitals that experience a data breach.
I’m not sure, though, if the person(s) who drafted these security policies can be excused for believing they were good enough. Granted, the data’s safer because there are the locked doors and double-passwords. But if you’re going to require people to memorize passwords, why not employ encryption as well? I mean, encryption still requires the use of passwords and actually provides data security (plain password protection does not, while still requiring a password).
Encryption is not overkill when it comes to data security. Having 200-lb armed security guards with no excess fat posted to protect each and every computer–now that’s overkill. Encryption, when it comes to computers that contain sensitive data, is just good sense, perhaps even common sense.
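To make that distinction concrete, here is an added example (not from the original post, and not AlertBoot’s code) modelling the two approaches side by side: a password that merely gates a viewer over cleartext, versus data encrypted at rest with a key derived from the same password. The patient record is a constructed placeholder, and the cipher (PBKDF2 key derivation, an HMAC-SHA256 counter keystream, encrypt-then-MAC) is a stdlib-only teaching construction standing in for a real disk-encryption product.

```python
import hashlib
import hmac
import os
import struct

# Constructed placeholder standing in for one patient row; not real data.
RECORD = b"id=NHSG-PLACEHOLDER,name=J. Doe,dob=1970-01-01,clinical=code-GI-12"

# Scenario A: "password protection". The record sits on disk in the clear;
# the password only gates the viewer application.
def gate_store(record, password):
    return {"pw_hash": hashlib.sha256(password.encode()).digest(), "data": record}

def gate_open(stored, password):
    if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), stored["pw_hash"]):
        return None
    return stored["data"]

def raw_disk_read(stored):
    """Models pulling the drive and reading it on another machine: no gate runs."""
    return stored.get("data") or stored.get("ct")

# Scenario B: encryption at rest, key derived from the same password.
# Teaching construction only: PBKDF2 -> HMAC-SHA256 counter keystream, encrypt-then-MAC.
def _derive_keys(password, salt):
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + struct.pack(">Q", i), "sha256").digest()
                   for i in range(blocks))
    return out[:length]

def enc_store(record, password):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def enc_open(stored, password):
    enc_key, mac_key = _derive_keys(password, stored["salt"])
    expected = hmac.new(mac_key, stored["salt"] + stored["nonce"] + stored["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, stored["tag"]):
        return None  # wrong password or tampered blob: reveal nothing
    ks = _keystream(enc_key, stored["nonce"], len(stored["ct"]))
    return bytes(c ^ k for c, k in zip(stored["ct"], ks))

if __name__ == "__main__":
    gated, sealed = gate_store(RECORD, "hunter2"), enc_store(RECORD, "hunter2")
    print("gate bypassed:", b"J. Doe" in raw_disk_read(gated))        # True
    print("ciphertext leaks name:", b"J. Doe" in raw_disk_read(sealed))  # False
```

Both scenarios ask the user for the same password; only the second one leaves a thief with nothing readable when the drive is read outside the application that enforces the gate.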