UK Health Data Encryption: Cardiff & Vale University Signs Undertaking With ICO.

An Undertaking was recently issued by the UK’s Information Commissioner’s Office (ICO) to Cardiff and Vale University Health Board.  The Undertaking is the culmination of a medical data breach reported in November 2012, set off by the loss of a psychiatrist’s bag from his bicycle.  The first time I came across the story, everything seemed bucolic: bicycle, bag, CVs…no mention of computer hardware anywhere.  It sounded like one of those events where medical data disk encryption like AlertBoot would be out of place.

But then again, maybe not.

ICO Inquires About Encryption

Perhaps I’m reading too much into it, but this paragraph stood out to me (emphasis mine):

The ICO was informed about the breach on 26 November 2012 and upon contacting the health board was informed that alternative means of transporting the data, such as the use of an encrypted portable device, or remote server access was available. However these options had not been clearly communicated to staff and the staff member involved had not received training at the time of the incident.

Now, why would the ICO be inquiring about encrypted portable devices or remote server access?  The implication appears to be that a digital device – a laptop computer, a USB flash memory device, an external hard disk drive, or perhaps even a CD or DVD – was involved.  If the ICO were asking for cryptographic solutions for paper documents, it would really be overreaching.  Encryption software is one of the easiest ways of securing sensitive data, but only because computers have come a long way.  Cryptographically securing paper documents – I wouldn’t wish that on my worst enemies.

On the other hand, check out this quote from ICO Assistant Commissioner Anne Jones (emphasis mine):

This data breach was entirely avoidable. Having measures in place to keep information secure only works if staff are properly informed of those measures. Staff should not be carrying round sensitive papers because they’re unaware they can remotely access a secure network.

Could it really be?  Is the ICO honestly suggesting that people should choose electronic formats over paper documents when it comes to sensitive data?  Methinks this is actually a scathing commentary on properly educating and training staff, and not a criticism of paper itself.

However, that is one heck of a quote.  I can only hope that Ms. Jones was being quoted out of context.
