According to zdnet.co.uk, a medical student lost a USB memory stick, breaching the data of 87 patients. The device was not protected with data encryption software like AlertBoot. It also turns out that the student was not trained on the issue of data protection, although I have to point out that not educated does not mean not aware.
Personal Devices Driving Breaches?
Recent trends show that the driving force behind many data breaches (if not most breaches) are personal devices: USB memory sticks, laptops, external hard disk drives, etc. These are brought into the workplace and data is stored in them — not for any wicked reasons, mind you, but probably for the convenience of it.
For example, let’s take our medical student above. According to the article, the information was used for research purposes at the burns and plastics department of the hospital. If the student wanted to work from home, he could conceivably need a copy of the data. What would be more natural than to copy it to a USB device?
(Pointing out that he could VPN into the hospital’s servers makes several assumptions: 1) That he would be given the credentials for VPNing. 2) That he has an internet connection at home, or wherever it is he is working from. 3) That said internet connection is stable. Etc.)
On the other hand, it is this “convenience” factor that increases the risks of a data breach: small things tend to get lost. If valuable enough, it gets stolen. It is for this reason that, if you’re handling sensitive personal information, data security instruments ought to be used, such as encryption software. (I should point out that using encryption means the size of the device becomes irrelevant when it comes to data breaches.)
Not Trained? Assigning Blame
The Information Commissioner’s Office looked into the issue:
After investigating the incident the watchdog [ICO] said that the hospital had assumed that the student had received data-protection training at medical school and therefore did not provide the induction training given to its own staff. [zdnet.co.uk]
I have mixed feelings about this. Obviously, training and educating people about the importance of data security, and how to go about in ensuring data security, is necessary in this day and age. Plus, it’s also a legal requirement to conduct such training in the UK — under the Data Protection Act — for any organizations (such as hospitals) that process sensitive personal information.
However, it should also be pointed out that most people nowadays know about the importance of data security. It’s kind of hard to miss, even if you’ve spent a good part of the decade working within a laboratory. Just because the medical student didn’t receive training doesn’t mean he or she wasn’t aware of its importance.
Plus, it should be pointed out that people who receive such training also cause the same type of breaches. While technology alone cannot stop all breaches from happening, the same can be said of training. Instead of blaming the oversight of training, and singling it out as “the reason” for the breach in this particular case, perhaps one should also take a look at whether the proper preventative measures were in place, technology-wise.
For example, assuming that the information was originally stored in a computer that was protected with AlertBoot laptop encryption, the student’s USB device would also have been encrypted when plugged into the computer (automatic USB encryption), preventing the above breach from happening, despite the student’s lack of training.