
2008 'a year of data breaches'


29 Oct 2008

Information Commissioner Richard Thomas has expressed concern about continued data breaches from the public sector – almost a year after HM Revenue and Customs lost the data of 25 million child benefit claimants in the post.

In a speech to a European conference on data security, Thomas says “2008 has undoubtedly been a year of data breaches and data losses.” He then goes on to reveal new figures, showing that the number of data breaches reported to his office since last November has “soared” to 277.

Seventy-five of these relate to the NHS and other health bodies. Central government has reported 28 breaches and the private sector 80. The Information Commissioner’s office is investigating 30 of the “most serious” lapses.

In his speech to the RSA Conference, Mr Thomas says the number of reported breaches is “serious and worrying.” But he also recognises that “the number notified to us must be well short of the total” since many PCs and laptops will be junked with live data on them, and USB sticks and other devices lost without anyone being notified.

“Holding huge collections of data brings significant risks,” he says. “It is therefore alarming that – despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear guidance – the flow of data breaches and sloppy information handling continues.

“Everyone must recognise that data breaches can cause harm, distress and hassle for the individuals affected, lead to serious financial losses and seriously affect the reputation of organisations. This is a central challenge for those who lead private and public organisations; they must earn and retain our trust.”

Thomas says organisations should minimise the amount of data they collect, and keep it for no longer than necessary. He also urges managers to think clearly about getting the right policies and procedures in place, and to build privacy into the design of new IT systems. Finally, he says there also needs to be a focus on people’s attitudes and behaviour.

“Those at the top, chief executives, permanent secretaries and so on, must be certain that the right framework is in place to address the risks of personal information and must be certain that responsibilities are clear,” he says.

The government has promised that the Information Commissioner’s office will get new powers to impose “substantial penalties” for “deliberate or reckless” breaches of data protection laws. Thomas wants these “as soon as possible”, arguing they will “concentrate minds and act as a real deterrent.”

The figures for data breaches reported to the Information Commissioner’s office from the NHS and healthcare over the past year show that one breach related to an email error, two to postal errors, 27 to lost computers, five to “inappropriate disclosure”, one to website security, 14 to lost paper records, 18 to lost computer disks and similar media, and seven to “other” incidents.

NHS chief executive David Nicholson recently issued a letter to chief executives and chief information officers reminding them of Department of Health guidance on data in transit and encryption, and urging them to check it was being followed.

Link: The Information Commissioner

Lyn Whitfield

© 2008 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.

Readers Comments

1. We can end these Data Breaches.....

05 Nov 08 10:39

A solution is required to centrally manage, monitor and control precisely which removable storage devices and applications are permitted to run on government networks.

A system that minimises user access rights to data, applications and removable media by operating a whitelist of known, trusted and permitted applications and devices. By default, end users should have no access to removable media and where this is permitted, via centralised control of the user privileges, encryption can be enforced on the data or the device. This “default deny” approach will ensure clear lines of responsibility and accountability for data being transferred and fosters a culture of data security among personnel that are granted access to citizen data. All data transferred, as well as attempts to do so, should be centrally available for audit. This will allow for scrutiny of departments’ data handling procedures, aid reporting and answer the requirement for departments to keep records in the event of a spot check by the Information Commissioner.

Address these Data Breaches:

* Remove the risk of data loss through the unauthorised use of removable media

* Enforce encryption on removable media

* Remove the risk of data leakage or data theft as a result of unauthorised applications

* Prevent unknown or malicious code from running, including malware; zero-day threat and other destructive viruses that target systems and data; keylogger software or other spyware

* Audit device and application usage

* Maintain IT system integrity and improve system performance and network bandwidth

* Enable compliance with evolving directives or regulations governing privacy

These solutions exist today eg www.lumension.com, so there should be no more excuses.
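The “default deny” device-control model the comment above describes, as an added illustration rather than any vendor's product or code: a per-user whitelist of removable devices, encryption enforced before any transfer is allowed, and every attempt (permitted or refused) recorded centrally so a department can answer a spot check. User names, device IDs and file names are constructed sample values.

```python
"""Default-deny removable-media control with central audit (added illustration)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample whitelist: username -> permitted (vendor_id, product_id) pairs.
# Anyone absent from this table has no removable-media access at all (default deny).
PERMITTED = {
    "alice": {("0781", "5583")},  # one approved stick; placeholder hardware IDs
}


@dataclass
class DeviceControl:
    permitted: dict[str, set[tuple[str, str]]]
    require_encryption: bool = True          # transfers only to encrypted media
    audit_log: list[dict] = field(default_factory=list)

    def evaluate(self, user: str, vendor_id: str, product_id: str,
                 encrypted: bool, action: str) -> tuple[bool, str]:
        """Return (allowed, reason). Every attempt is logged, allowed or not."""
        if (vendor_id, product_id) not in self.permitted.get(user, set()):
            decision = (False, "device not on whitelist for user")
        elif self.require_encryption and not encrypted:
            decision = (False, "encryption not enforced on device")
        else:
            decision = (True, "permitted")
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "device": f"{vendor_id}:{product_id}",
            "action": action, "allowed": decision[0], "reason": decision[1],
        })
        return decision

    def denied_attempts_by_user(self) -> dict[str, int]:
        """The summary a spot check wants: who keeps attempting what they may not do."""
        counts: dict[str, int] = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


def run_sample() -> DeviceControl:
    """Four constructed attempts: one permitted transfer and three refusals."""
    dc = DeviceControl(permitted=PERMITTED)
    dc.evaluate("alice", "0781", "5583", True, "copy patients.csv")   # allowed
    dc.evaluate("alice", "0781", "5567", True, "copy patients.csv")   # unapproved device
    dc.evaluate("bob", "0781", "5583", True, "copy payroll.xlsx")     # no whitelist entry
    dc.evaluate("alice", "0781", "5583", False, "copy notes.doc")     # unencrypted media
    return dc
```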
