Four more organisations breach DPA
30 Apr 2009
The Information Commissioner’s Office has taken enforcement action against another four NHS organisations, taking the number rapped for data breaches to 14 in six months.
Cambridge University Hospital NHS Foundation Trust, NHS Central Lancashire, North West London Hospitals NHS Trust, and Hull and East Yorkshire Hospitals NHS Trust have become the latest organisations to sign legally binding agreements to abide by the Data Protection Act.
Laptop, desktop and USB-stick thefts and losses put patient confidentiality at risk at the four organisations. But the ICO was particularly critical of NHS Central Lancashire, which reported the loss of a memory stick holding the medical treatment details of 6,360 prison patients.
The memory stick was encrypted; but the ICO noted that: “the details could be easily accessed from a post-it attached to the device, listing the password necessary to read the information.”
Assistant information commissioner Mick Gorrill said: “It is a matter of significant concern to us that in the past six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches.
“In these latest cases, staff members have accessed patient records without authorisation and failed to adhere to policies to transmit information in transit. There is little point in encrypting a portable media device and then attaching a password to it.”
NHS Central Lancashire chief executive Joe Rafferty told the Lancashire Evening Post that his organisation had undertaken an “immediate and urgent review of policies” relating to USB sticks following the incident.
He said this had led to a recall of data sticks and staff being formally reminded about their responsibilities to handle personal data properly.
Cambridge University Hospital NHS Foundation Trust also reported the loss of a memory stick holding the details of 741 patients. A member of staff downloaded the information onto an unencrypted stick without the trust’s knowledge - and then left it in a vehicle from where it was recovered by a car-wash attendant.
North West London Hospitals NHS Trust reported the theft of two laptops and a desktop computer containing test results and hospital numbers for 361 patients. None of the computers were encrypted.
Hull and East Yorkshire Hospitals NHS Trust similarly reported the loss and the theft of a desktop computer and a laptop holding patient information that was not encrypted.
All four organisations have signed agreements with the ICO that could lead to legal action if they are not kept.
Link: Information Commissioner's Office
Lyn Whitfield
© 2009 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.
Comment 1: For the benefit of those that have not yet budgeted...
andrew.clarke@lumension.com, 01 May 09 13:31

Security lapses such as these are just becoming too frequent and data protection continues to be in the media spotlight. Access to devices that move in and out of an organisation must be managed and controlled, and any portable and mobile devices used to store and transmit personal data must be encrypted, mitigating the risk of data leakage. These organisations would also benefit from investing in layered security, restricting which applications can execute on an endpoint or server, with the use of Application Control (white-listing).
Data Protection solutions enforce organisation-wide usage policies for removable devices. Using a whitelist / “default deny” approach, administrators can centrally manage both devices and data, limiting the potential for data leakage and its impact.
Administrators can continuously monitor the effectiveness of device and data usage policies in real time and identify potential security threats by logging all device connections.
Organisations need to face up to the problem of data leakage, whether it be accidental or malicious. Application Control can offer these organisations enhanced, time-saving protection by both preventing the execution of malicious code and only allowing applications with authorised access to run on a network. It’s unfortunate that it takes something like these incidents to remind organisations of the duty they have to protect the confidential data of others, and of the repercussions that can occur.
This type of investment will actually save you money in the longer term and enable you to sleep at night too!
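The "default deny" removable-device policy and connection logging described in the comment above can be illustrated with a small audit script. This is an added example, not code from the page or from any vendor named here; the log line format, the device identifiers and the allowlist are all constructed for the illustration, and the device-reported `encrypted` flag is an assumed field rather than a real product's output.

```python
"""Default-deny removable-device policy evaluated over device-connection logs.

Added illustration: the log format, device identifiers and the allowlist are
constructed for this example and do not correspond to any real product or site.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed space-separated "key=value" format.
SAMPLE_LOG = """\
2009-05-01T08:02:11 host=ward3-pc07 user=jsmith event=usb_connect vendor=0951 product=1625 serial=AA11BB22 encrypted=yes
2009-05-01T09:15:43 host=ward3-pc07 user=jsmith event=usb_connect vendor=0781 product=5567 serial=ZZ99YY88 encrypted=no
2009-05-01T10:30:00 host=clinic-pc02 user=akhan event=usb_connect vendor=0951 product=1625 serial=CC33DD44 encrypted=yes
2009-05-01T11:01:27 host=clinic-pc02 user=akhan event=usb_connect vendor=0951 product=1625 serial=AA11BB22 encrypted=no
2009-05-01T11:05:00 host=clinic-pc02 user=akhan event=usb_disconnect vendor=0951 product=1625 serial=AA11BB22 encrypted=no
"""

# Allowlist of approved device serials (constructed). Any serial not listed is denied.
APPROVED_SERIALS = {"AA11BB22", "CC33DD44"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


@dataclass
class Decision:
    ts: str
    host: str
    user: str
    serial: str
    action: str   # "allow" or "deny"
    reason: str


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def evaluate(event):
    """Apply the default-deny policy to a single connection event.

    Unknown serials are denied outright; an approved device is still denied
    when it does not report encryption, so an approved stick used unencrypted
    is caught as well. Disconnect events carry no policy decision.
    """
    if event.get("event") != "usb_connect":
        return None
    serial = event.get("serial", "")
    if serial not in APPROVED_SERIALS:
        action, reason = "deny", "serial not on allowlist"
    elif event.get("encrypted") != "yes":
        action, reason = "deny", "approved device not reporting encryption"
    else:
        action, reason = "allow", "approved encrypted device"
    return Decision(event["ts"], event.get("host", ""), event.get("user", ""),
                    serial, action, reason)


def audit(log_text):
    """Evaluate every connection event in the log and return the decisions in order."""
    decisions = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        decision = evaluate(event)
        if decision is not None:
            decisions.append(decision)
    return decisions


def denied(log_text):
    """Only the events an administrator would want to follow up on."""
    return [d for d in audit(log_text) if d.action == "deny"]


if __name__ == "__main__":
    for d in audit(SAMPLE_LOG):
        print(f"{d.ts} {d.host} {d.user} serial={d.serial} {d.action.upper()}: {d.reason}")
```

Run against the constructed log, the script flags two connections: the unlisted stick on ward3-pc07, and the approved stick AA11BB22 when it turns up on clinic-pc02 without reporting encryption. The second case is the one the article is really about: a device that is nominally approved can still end up carrying data in a form that anyone who finds it can read.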
Comment 2: I couldn't be bothered to read
01 May 09 22:44

But Mr Lumensiershion whatever you are. Let me get this right, you are selling something? Oh really?

Comment 3: It's the wetware, not the technology
a-ball@audit-commission.gov.uk, 11 May 09 09:21

“The memory stick was encrypted; but the ICO’s office noted that: ‘the details could be easily accessed from a post-it attached to the device, listing the password necessary to read the information.’”

This is the issue - with more and more passwords to remember (many of which have enforced requirements on strength) it is not surprising to learn that people are writing them down and carrying them around on post-it notes or recorded on phones and PDAs. The cultural battleground is where we have to focus attention. Eventually, authentication that does not require the use of various passwords will be routine but, until then, IT and information security staff need to do everything they can to support staff in trusts and help them to understand risks and keep their data secure. Technology can play its part but winning hearts and minds is an essential success factor.

Comment 4: A Plethora of Passwords
stewart.smith@cd-tr.wales.nhs.uk, 11 May 09 13:45

I'm sorry but I have heard this excuse about passwords so often. I can remember numerous passwords - all with mixtures of characters, pass phrases etc. etc., plus phone numbers etc. etc. Writing them down is just sloppy!