NHS manager suspended after losing laptop

1

Why wasn't he sacked?

03 Jul 08 14:54

What reason did this person have for taking the data outside of the secure, I hope, hospital environment? Why was it not encrypted as per DoH guidance? Even if he didn't have McAfee's solution, Safedisk or similar software is relatively cheap . What kind of medical information was this - surgical, mental health, infectious disease?

After all the furore about the other data which has gone missing, why has there been no change in the apparent apathy held towards data security by the majority of NHS staff? Yes, I am angry about this, after all the misleading and twisted commentary by NHS staff about the security of central records, people are still bimbling about with unencrypted PI data or sending data unrecorded through the post.

Mr Murphy's confidence is horribly misplaced - any thief able to to hack past the laptop's password protection will most likely check for any financial details he could take advantage of before wiping it. I was able to find the software on the net to crack the password protecting in less than ten minutes; looking through all the temporary files on the laptop won't take very long, and then there's all those interesting files to look at... Would anyone care to guess at the personal impact of these medical plans being spread around the community?

I look forward to the result of the IC's investigation, and can only hope this person is penalised to the fullest extent possible.

---

2

Deary me number 1

03 Jul 08 15:40

Why don't you go the whole hog and call for burning at the stake. You know nothing of the circumstances surrounding this case. It might be simple to encrypt data, but management and access at a corporate level is quite a different thing. That is why it will take months to roll it out. One can only assume that this person had a reason to have the data on a laptop and that risk had been assessed. This of course does not allow for leaving in a car unless there are mitigating circumstances of which we are not aware. Most thieves are not hackers and my assumption would be that the data is safe and why go creating a huge storm over it. Let's not forget the simple fact that the NHS is very good at protecting data, especially considering the amount it handles. I have heard a lot of talk of theoretical loss, but not a single case of actual disclosure has been reported as far as I am aware (and that includes the DWP stuff) Calm down!

---

3

My only objection to burning at the stake is the carbon footprint

03 Jul 08 16:14

I don't think I've overreacted at all. Having been the victim of identity theft, I know just how difficult it can be to clear up the aftermath. Were I suffering from some infectious disease with a social stigma, and that had become public knowledge, then my personal life would have been ruined too.

How can you defend the idiocy of leaving records of this kind unprotected? This person's actions has put the well being of patients at risk, along with their families. Can we see the risk assessment of leaving unencrypted data in a car? What factors were seen as mitigating the risks to an acceptable level? Even if the person who took the laptop wasn't a hacker, you can be sure there is a market for stolen computers in the identity fraud fraternity.

Your comment about the NHS being very good at protecting data was truly inaccurate. Just ask all the GP practices who've lost HA download disks (sent in plain text files on floppy disk), or system backups sent for validation to their suppliers. Even if your claim that no harm has been done, the potential is staggering and it needs stamping out. The best way to do that is to make each and every person with access to confidential aware of their responsibilities and exactly what will happen if they fail to meet them.

---

4

Assumptions ?

03 Jul 08 16:54

Interesting that the previous comment uses the assumption word twice in relation to data security. This is not a sensible state of mind, and would lead me to being quietly led out of the door in the environment that I work in.

I do wonder why a senior hospital manager on holiday needed to take a 'work' laptop on holiday with them. Surely a holiday is away from the pressures of everyday life ?

While I would not press for the stake, I would suggest that this is more than a simple error of judgement, and the seniority of the individual makes it worse. Anyone who has not been aware of the risks of carrying a laptop with unencripted confidential data on it has their head somewhere else, and should live with the (probably grave) consequences.

---

5

Please think through your reaction

nhsperson@yahoo.co.uk

03 Jul 08 22:24

First of all - people make mistakes, always have done - always will - and it is these mistakes that we learn from - as well as through risk assesments and learning from near misses.

So in your view - everytime someone makes an unintentional mistake - we sack them. Would you admit to making a mistake if you knew that you would be sacked ? You would end up with a culture of staff being to afraid to identify mistakes/problems - and we would be in an even worse position - of not knowing that somthing had gone wrong, not learning from mistakes - of covering up.

Can you imagine how this individual feels right now having messed up big time. Is there any more punishment that we can inflict to change his mistaken bahaviour. Maybe he took work with him because he was facing a deadline - and like many NHS managers was under pressure. Maybe as a general manager and not an IT specialist - he thought like may people that the password of your laptop or PC makes it secure - or that a file password makes the file secure. Is this his fault or a lack of communication in the Trust he works in.

To jump in with such extreme views in my opinion is unhelpful - and actually will not help the NHS on this continual journey of getting better at handling confidential information. Huge progress has been made in the last 10 to 15 years in terms of awareness and behaviour. Information Governance as a term was new in 2001 within the NHS and now we have annual IG assessments.

So please - think through your reaction and remember where we have come from and where we are trying to get to - and that we must use these incidents not to castigate but to learn what has gone wrong and to put it right.

---

6

what about the paper going off-site in car boots?

keith.baldry@nhs.net

04 Jul 08 09:13

Whilst I cannot condone this individual having sensitive information on an unencrypted laptop, I think that those baying for his(her) blood should raise their eyes and take note of the realities that happen every day in the health service - how many consultants take paper case notes home with them in their cars? How many health visitors and other mobile health workers carry paper case notes with them in their cars as part of their day-to-day job? Why do we not hear the same level of condemnation of these individuals - after all I am not aware that anyone has yet managed to find a way to encrypt a paper medical record (if one discounts a clinician's handwriting)?

---

7

Beggars Belief

04 Jul 08 09:15

Again another case from the public sector that defies all logic. Firstly there should be no circumstances where a NHS manager or clinician for that matter needs to have on their laptop the clinical records of 20,000 patients. Secondly in those cases where it is absolutely necessary to have patient identifiable information on a portable device then this needs to be encrypted. All organisations need to create a culture where the security of patient information is paramount and staff at all levels need to be aware of the consequences of breaching defined security standards. I am not sure that I take too much comfort from the chief executive's statement that "we have reminded our staff not to store this kind of data on laptops in the future", it is the responsibility of the trust to limit the possibility of storing such vast amounts of patient information on portable devices while at same time facilitating remote access to patient information for those staff that need it to perform their duties.

---

8

No excuses....

04 Jul 08 11:25

I am disappointed that many comments were offering excuses for the data loss; it implies to me that many still do not understand the critical importance that the public attach to their data. NHS Managers must be aware of the data security issues - not just from their jobs but from the furore and comments from the public, press and politicians when data loss occurs in any professional organisation (many recent recent examples given a public airing). As one of the comments states - Information Governance has been with us since 2001 so is not new - and we have annual IG reviews and assessments. Given this environment - any manager who takes unencrypted data off site is either demonstrating an inability to learn (because the mistakes have already been made) - or an arrogance that the rules don't apply to him/her! Lap tops have been a popular target of thieves - especially in cars, for as long as I can remember. As a patient I don't want my data 'lost' and there are no mitigating circumstances (deadlines; work pressure; the perpetrator feeling sorry and remorse - as stated in one comment) if un-encrypted data is taken off site. This is the NHS's new working environment and yes encryption will slow process's down and will add time to some tasks and some jobs will get more difficult because portable data storage devices (writeable CDs DVDs, USB-memory sticks) will be denied access to many organisations networks to control data flow and access - but it is what is required at a minimum in this IG 'new age' if data is to be moved around. Perhaps rightly so after years of lack of the security of paper records by many organisations in the past - but then you couldn't easily access the data in 20,000 paper records could you (or take them on holiday in your car) - and stealing 20,000 of them in a matter of seconds is nigh on impossible!

---

9

Thank God I'm perfect

04 Jul 08 12:04

Life is easy when your perfect. All those baying for blood should remember that this person owned up. They could easily have denied that they had the database, no one is ever going to find or use the database and there would be no way of proving otherwise. Even if the database was found how are you going to prove a particular manager was the source? You have to have good evidence to sack people, we don’t live in the dark ages, yet.

If you think this type of hysterics are not causing damage then think again. I already know NHS hospitals that are now refusing to send diagnostic images between multi disciplinary teams on CD because they cant be encrypted. This is delaying care and preventing shared discussion of the case, this despite the fact that the paper records are sent (obviously) unencrypted.

All decisions, no matter how well meaning, have consequences. But I don’t need to worry about that, because I'm perfect.

---

10

it's hard to be humble when you're from Yorkshire

04 Jul 08 14:14

Anyone working with confidential information within the health service should have been made aware of their responsibilities with regards to data security. Ideally, they should have signed, or accepted conditions of service which included strict guidelines on the storage of data, and even if they haven't there's the data protection act. Ignorance, as they say, is not an excuse. Even if he had not owned up, asset records should identify the missing laptop, so keep one's gob shut is not an option; it could be argued that stepping forward and taking it like a man was only an exercise in damage limitation.

My colleagues are enjoying the comments criticising my perfection,or expressing horror at my bloodlust. Take a step back, remember your horror at the records lost by the DWP, or the Irish driving license authorities. Now apply this fairly to all the data loss occuring daily in the NHS.

A solution to all this has been offered only to be shot down by the BMA, ironically, as insecure. Use remote access to data centres, then it wouldn't matter if the laptop were stolen (unless he'd also left his RSA token and passwords with it).

How can people defend this person's actions, or the attitude that it would be ok to take patient data out of the hospital unencrypted? I actually approve of teams refusing to send data, at least they're thinking about this, instead of making snide comments about paranoia.

---

11

Number 2 here

04 Jul 08 14:33

Ineresting split of opinion but I stand by what I said.

1. "paramount" = supreme = NO. Information security is not paramount. Patient safety is paramount and the two are often in conflict. If this were not so we would never put a PC on a network unless it were all encrypted from end to end. This is a management and usability, hence patient safety, nightmare. Once again not an excuse for information in car but there may be mitigating circumstances like they were on call or something.

2. Not only have I not heard of a SUI where data has been used (merely mislaid), I have never heard of any patient clinical harm coming from data "loss" whereas there are plenty of examples unfortunately of patient care being compromised by not having access to the right data in the appropriate setting. This is the dilemma we are working with in clinical IT, and if those proposing their draconian ways were to have their way, we might as well pack up for another five years until it's all perfect......oh! Let's just learn from our mistakes and continually improve, which we are doing, and continue also to provide people with the information they need to do their job.

3. I assume (sorry) that 20,000 records are in a database, so, not only does the thief have to break into the laptop password or mount the hard drive, they have to load the database management engine and crack that password too. Even if it's only Access this makes it all very low risk. Don't we all battle with much higher risks than this every day? Oh and 20,000 is a big number, but not a lot of records. A hospital index will hold millions of basic patient details. This is a subset so some amount of selection has clearly been done, but I know what you are going to say about that, what if it was your mum etc etc.

---

12

No Mistake

04 Jul 08 15:32

To me a mistake is something you make due to an oversight or slip of some type. Mistake is often used in the context of being a bland word.

Ignoring the rules around data security is not in my opinion a mistake. It is far more than something we can shrug our collective shoulders at and say "Ahhh, he made a mistake, lets all learn".

Reading the original article it seems to me this is not a failure of the employers or their systems that has caused the problem, it is the intentional actions of an individual.

No one working in health care can be unaware of the importance of protecting data, and i'm very sure the individual was completely aware of the risks they were taking. No, this is not a mistake, it is foolhardy risk taking by one who should know better. I see an eariler poster saying "think how they must feel?" - what has that to do with anything? This is not an issue we should forgive, or try to dilute by invoking sympathy.

There are few "lessons to learn" here, except that maybe, if you do something so stupid you will go down the road.

---

13

Why wasn't he sacked??

04 Jul 08 23:17

First off, No 1 makes a rather naive assumption about the availability of encryption software (yes CfH has procured a solution but every laptop needs to be recalled and is out of use for at least 2 working days). In the NW of England only 2 Trusts have so far started encrypting laptops en masse - I would guess the same is true elsewhere.

Why didn't he load an alternative - even had he wanted to most Trusts lock down the desktop to prevent unauthorised software being loaded.

This only explains a little of the background ...

Two questions:- * did the Trust make staff aware that loading person-identifiable data onto an unencrypted laptop, CD or pen drive, was a breach of local IG policies, NHS guidance and legislation? * does the Trust's Disciplinary policy include a breach of the DPA or IG policy as an example of gross misconduct?

If the answer to both questions is yes, the manager in question should be subject to a Disciplinary investigation

If the answer to either question is no, the Caldicott Guardian, IG Manager and IT Security Officer should all be should be subject to a Disciplinary investigation.

Unless and until the NHS takes IG seriously (and by seriously, I mean sacking people on a regular basis for misconduct) the public at large will quite rightly mistrust us.

---

14

Astonishing

05 Jul 08 10:30

To see ANYONE defending this loss of OTHER PEOPLES ***confidential*** data is simply astonishing. This is happening again and again - I don't care if it's a hospital manager or my own GP - it the data refers to me then I expect it to be treated with respect......and this is why we have the Data Protection Act etc.

It's about time the NHS grew up and took responsibility for something - the trust involved should be prosecuted, and the people who's data has been lost on that laptop should be informed and the door opened for them to take legal action against the trust (and individuals involved) - only then will things change.

Because someone reports here that they have not seen any adverse effect to individuals due to loss of personal information does not mean that it's not going on now (or in the future)?

....again - such naive views are simply astounding.

---

15

ASTONISHING

07 Jul 08 17:05

So investigate/sack every manager who makes a mistake. Investigate/sack everyone who hasnt had time to update a policy. Investigate/sack every member of staff who hasnt read the policy, even though the policy says they should read the policy. Investigate/sack every nurse, doctor or carer who makes a bad decision which results in any negative impact on anybody. Investigate/sack any investigator who isnt thorough or makes a mistake. Pritty soon the NHS will be doing nothing but investigating and sacking people. This is getting worse than the Salem Witch trials.

Im with 2 on this one (thus showing there are at least 2 of us causing outrage).

---

16

Please think through your reaction - 2

nhsperson@yahoo.co.uk

07 Jul 08 21:49

I know the world I live in - it is a world of incredible pressure where many NHS managers and clinical staff struggle with workload and a long hours culture, where the vast majority of staff do all they can to preserve confidentiality - and yes when it comes to data security - some do make mistakes.

The flaw in the thinking of the angry brigade on this story is to somehow think that all staff within the NHS have an understanding of the language and complexity of IT - where they do not. I suspect the ‘angry brigade’ live in a different pace to the vast majority of NHS staff that get into the press, probably have an IT or information background (why else use this site) - not ordinary NHS employee.

The ease of use of PCs and PC apps means that the vast majority of staff can manipulate data in a spreadsheet - but have absolutely no idea about topics such as encryption, 2 factor authentication etc etc. I have read many NHS IM&T security policies that I am sure the ‘angry brigade’ would understand, applaud and point to when mistakes such as this occur. However these are often meaningless to many staff. Staff do pick up and understand phrases like 'secure by password' and think - well my PC/laptop is password protected - so that’s all right then – but understand little else.

We, who understand the language and issues, should get off the 'sack ‘em all' soapbox and work out how to ensure that every single person within the NHS has a good enough understanding not to make these kind of mistakes. Now if the manager concerned had wilfully disclosed information - different matter - but I bet this is not the case.

I repeat, we have made huge strides in the NHS to get across not just the importance of confidentiality and data security - but to get across a sufficient understanding of what this means in day to day NHS life. The last thing I want to create is a climate of fear where mistakes get hidden. Organisations that encourage openness and learning from mistakes/near misses are far more likely to learn and improve than organisations that take the approach suggested by some in this discussion thread.

I repeat – think about what you are trying to achieve before sounding off – will it achieve the outcome we are all looking for – improved data management in the NHS – or not. Its not complacency or making excuses – its just living in the real world and knowing how to bring about change.

---

17

More From - 12

08 Jul 08 12:36

Surely the salient point here is this was a senior manager. Had this been a junior member of staff in training for their first post, we could understand their naivety and look to their managers.

This is however a senior manager. If we are being asked to believe by other posters they would not know better then that speaks volumes about the whole organisation. Of course a senior manager should know better. This is not a new area of concern, its been in the forefront of the press and peoples minds for years.

As for acheiving the outcome we all desire, a high profile result would make everyone much more aware and careful in the future.

Lets not be afraid of punishing the guilty, if they should have truly known better.

---

18

Zealots

08 Jul 08 17:51

Most of the spleen venting going on here seems to be centred around mob values than genuine rational reason or desire to improve things. Statements such as "high profile result" and "punishing the guilty" are pure rhetoric straight out of the Daily Ma!l. I'm surprised nobody has suggested putting the offenders head on a spike outside the tower. Where is the moderation and balance in your minds? When will you all realise that security is compromise with usability and people make decisions in their daily lives that can be made to look very foolish when something like this happens? Some of us may be hurling this rhetorical abuse, but a good many I suspect are thinking there but for the grace.... etc

---

19

Re Zealots ........

10 Jul 08 08:29

PUT THE OFFENDERS HEAD ON A SPIKE OUTSIDE THE TOWER I SAY!!

Come on people lighten up and although not a religious man I can quote a famous bloke who once said "let he who is without sin cast the first stone" can't remember who it was but it was a long time ago!!

Okay, so it's a serious breach of the DPA and Information Security standards. However, some serious points have been made here too.

Yes, given the recent high profile events, the NHS manager should have known better. But, in mitigation, the Trust should have taken steps to ensure he was aware of the issues. It is also not known if the Trust had previously taken any action to raise awareness, provide encryption facilities (ideally full disk encryption but, as a minimum file and folder - possible with WinZip.

We have above a fantastic Daily Mail/Grauniad headline, but unless we're in that Trust and are fully aware of ALL the facts I think that calling for the manager to fall, or be pushed onto his sword, is a bit premature and pious.

---

20

If you can't understand how it happened, you're obviously not a senior manager!

10 Jul 08 12:02

Let's face it, even if the laptop had been encrypted with the latest "approved" McAfee solution, how many people here really think the reaction to its theft from the great unwashed would have been much different?

Contrary to some comments e.g. #7, there are numerous legitimate reasons for carrying pt identifiable data. The real issue is the lack of physical security of the laptop left in the car boot, and the reasons why the senior manager had to be carrying it in the first place whilst on holidays. If you can't understand that, you've obviously never been a senior manager!

I can completely identify with how it might have happened, even though I have faced the same choice, and chosen NOT to leave the laptop in the boot (probably went something like "I'm on bloody holidays but need to get this work done tonight, buggered if I'm going to carry this lump around all day while out with the Mrs").

In my previous job (internationally) as data manager for a public health cancer screening service, it was often necessary to work from home or weekends to get major national reports completed; in those cases I carried our own complete client database (approx 90k clients), along with the state cancer registry records for _every_ person diagnosed with breast cancer in the previous 10 years. These datasets needed to have complete patient-identifiable details to enable cross-matching between the two systems.

We only had basic (read insecure) encryption tools available to us, so like old fashioned human-readable paper, the only way to keep the info truly secure was "just don't lose it!". Because of the nature of our systems I was able to at least maintain some physical separation of the pt identifiable data and the clinical data, by keeping the clinical data tables on the laptop, and pt identifiable data (i.e. list of names and addresses and modified UR numbers) on separate password encrypted USB keys for each database. The USB keys went into different trouser pockets, and were never kept with the laptop, and the patient identifiers were deleted from the laptop whenever it was not in use. Worst case scenario is I lose the laptop with a list of names and addresses (most of them in the phone book anyway), or a usb key with list of identifier numbers attached to snomed codes, tumour sizes and clinician names etc). I would have to have been exremely unlucky to lose both! Needless to say this was very cumbersome, and may not be practical where the information is in a more modern databases.

---

21

Good to see...

stewart.smith@cd-tr.wales.nhs.uk

11 Jul 08 10:37

It's good to see that the criminal has more regard for personal data than the Trust - "We believe the data will almost certainly be wiped by the thief for a quick sale." Yeah, right.

---

22

Physical Security

11 Jul 08 13:54

Whilst waiting for systems to be updated with encryption software, why don't trusts look at offering enhanced physical security for laptop users?

This would be cheaper to administer and supply than software encryption, would have zero downtime for end users and would probably prevent 99% of laptop thefts.

By physical security I mean toughened security bags, metal cases or cable mesh bags that can be easily locked into a boot.

I use one for my laptop and camera equipment and it would require special tools and much more time for a thief to be able to remove, neither of which are likely to be available to them. Cost? about £40.

---

23

CLINICAL data

11 Jul 08 16:43

Why does an NHS _MANAGER_ need all that clinical information? That's for clinicians to use. Caldicott Principles 1 and 2 should apply here.

---

24

Trust CEO's need to take this seriously

max.lock@live.co.uk

13 Jul 08 08:26

Its time NHS staff started taking responsibility for the equipment and data in their possession. No wonder the public have no confidence in the NHS securing their data, when you have staff taking their laptops on holiday with them, incompetence!

Staff losing loan equipment should be fined 4 weeks money and if NHS staff cannot be held accountable, then the NHS trust CEOs should. After all, their IT department was too slack to encrypt the laptop, train the manager on security for the equipment, and copy patient data to the laptop.

---

25

Re: CLINICAL data

13 Jul 08 20:26

But don't NHS clinicians report to NHS managers who are ultimately responsible for what their Trusts deliver? So perhaps they do need to know?