South London Healthcare NHS has signed an Undertaking with the UK’s Information Commissioner’s Office after the loss (and recovery) of two USB memory sticks, as well as the loss of paper documents. The former is the type of data security incident that can be easily prevented with drive encryption software such as AlertBoot.
Undertaking for Two Incidents
South London Healthcare’s data travails are, digital data-wise, twofold: in one incident, a USB flash drive was lost with information on 600 maternity patients. In another, 33 children’s information was lost.
The information of the maternity patients was lost when an employee downloaded the data “to a personal memory stick” (ico.gov.uk) so he/she could work from home. The Undertaking notes that the underlying reason for the breach was that,
“Due to not having received up to date information governance training, the employee was unaware that an encrypted device issued by the data controller should have been used”
Sounds a little like hogwash to me. Why? Well, how not up-to-date can this employee possibly be? The issue of renegade USB sticks has been a problem for many years. In fact, the problem is so prevalent that people not working for the NHS know about the need for encryption on USB sticks when saving NHS data to them. The fact that the employee should have used an encrypted device issued by the data controller is beside the point. Some kind of encrypted storage device should have been used, period.
If such a device was not available at the time, the data should not have been copied. I mean, was that not part of the last information governance training?
The incident involving children was associated with a device that contained names and dates of birth for 30 children, and audiology reports for an additional three children. The nature of the USB stick was not declared (private v. company-issued; backup solution v. data shuffling from one computer to another; etc).
There is an easy solution to cases like the above, where an employee (inadvertently) causes a data breach due to the use of personal storage devices: encryption software that will automatically encrypt any data device that is connected to a USB port. (Such an option is available for free for any computer hard drive that uses full disk encryption from AlertBoot, as part of extending data security beyond the original protected computers.)
There are pros and cons to this approach. Pro: Information is guaranteed to be protected. Contra: any connected device that contains digital storage will be encrypted, including smartphones, which will be bricked. Of course, if your smartphone gets bricked, you’ll probably learn very fast not to plug USB devices into work computers.
Another repercussion of the above contra is that USB data sticks, if encrypted, cannot be read at a computer without the correct software. Of course, the flipside is that if an employee is stealing data, he’s prevented from using this data anywhere but at the office.