Data loss prompts Dudley to spend on security
19 Feb 2008
The Dudley Group of Hospitals NHS Trust will spend £135,000 on new computer security software, following the theft of a laptop containing personal information on over 5,000 outpatients.
A trust spokesperson confirmed to E-Health Insider that following a board meeting called to discuss the theft of the laptop, the trust has decided to purchase and deploy new data encryption software on all trust owned laptops, effective from this month.
The aim of the software is to “scramble information on all laptops, desktop computers, hand-held computers and memory sticks,” she added.
The laptop was stolen from the trust’s anti-coagulant clinic which deals with people suffering from blood-thinning problems on 8 January.
A database in the laptop contained information including names, addresses, birth dates and clinic details, such as appointment times, of 5,123 out-patients.
A username and password is required to operate the laptop, and the database is also protected by a separate username and password.
The trust spokesperson stressed that the information did not include medical details, but acknowledged the theft was a “serious issue”.
In a statement, the trust said: “We take precautions to try to protect all the IT equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitable practical difficulties around security.”
“Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft. The police have made every effort to recover the laptop, but unfortunately have been unable to do so.”
Letters have been sent out to all patients affected, informing them of the theft and how it affects them.
IDC’s research manager for security products & services, Eric Domage, told EHI: “Continuing incidents like this clearly show that it is time for IT managers to be responsible for the data they are in charge of. Encryption should be compulsory on all computers, it is not expensive and as a bare minimum, they can use encryption embedded in Windows XP.
“Patients do not want incidents like this to happen, and after cases like HMRC, it is understandable that there are concerns. We must get serious about the importance of good quality secure data.”
© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.
|
1 On a laptop?20 Feb 08 12:38 The question that needs to be asked is, "Why on earth was this data held on a laptop in the first place?". Answers on a secure server please. 2 So the IT manager carrys the can again ...........21 Feb 08 09:06 Quote "it is time for IT managers to be responsible for the data they are in charge of" Unquote. These comments really make me quite angry. I would say this is the very root of the problem. If this sentence read "it is time for Trust management to be responsible for the data they are in charge of" then it would have some degree of credibility. Don't automatically point the finger at the IT Manager, how many times have they put in a budget bid for encryption software and hardware? How many times has that budget bid been rejected in favour of chasing another "quality" badge (IIP, Charter Mark)? Exactly how much budget has been put into data protection and information security? How much resourcing has been put into penetration testing security? Before people start castigating the Dudley IT manager, I suggest they take a good HONEST look at their own Trust, if they are absolutely water-tight then comments can be made. These issues ARE NOT "IT PROBLEMS" they are corporate problems as this link will highlight http://tinyurl.com/yu82d5. Oh and for the record, I am not an IT Manager, I am, however, an IG manager who received 12.5% of my budget bid last year. Regards, Mr Angry from Tunbridge Wells. 3 Change the Attitudedavid.pearson@nhs.net 21 Feb 08 14:14 I fully support the previous comment, but i would like to add that it is the individuals responsibility to ensure data is held and managed safely, It is individuals attitudes that need to change. 4 No need to off-line dataamehmet@maracis.co.uk 22 Feb 08 08:46 Given where we are technically in terms of un-wired connectivity, why are we still plodding around with devices which 'download' data? Surely it should be a requirement that individual patient data is only ever accessed in real time, the clinical / security benefits of such an approach should be self evident. 5 Change of attitude..25 Feb 08 14:59 In response to the comment regarding changes of attitudes amongst end users of the system, as a professional Trainer one of the first things that I say in my clinical system classes is that it is EVERYBODY's responsibility to ensure clinical data remains secure. You would be amazed at some of the poor responses that this has met with. It is really quite simple: If everybody plays their part in system security, security breaches will be much reduced (though, admittedly probably never eliminated completely). I expect it of myself and my students. I just wish that more people did... |
comments
comment
a friend