If You Take the Time to Encrypt Medical Information – Don’t Tape the Passwords on the Container or Flash Drive – NHS Security Br
Posted May 24 2009 10:43pm
The NHS does a lot of things right, but a few of these types of incidents can’t help but leave egg on one’s face when they occur with lost and stolen computer hardware. Another incident described below involved a Post-it note on the side of an encrypted flash drive. Why encrypt if you are going to put the passwords and logons out there for anyone to get?
I guess progress is being made in the fact that encryption is entering the picture, and we have some of the same issues here in the US. Taping the password on hardware and flash drives could certainly make that job a little easier if any of the targets were included in the files.
One note in the article stated that insurance companies in the UK hire private detectives to find out information on patients; I found that interesting. Their issues seem to be stolen and lost hardware, not breaches from break-ins to servers with stored data, so the key here, it sounds like, is to keep that information on the servers and perhaps stop the ability to remove the data to work on notebooks, flash drives, etc. This is something I see here too, and why hospitals and other health agencies still allow the use of flash drives and the ability to port around health care data is beyond me. If you do have to use a flash drive, encrypt it, buy one that has software included that will do that for you, and stay away from unencrypted copy-and-paste methods. We stand a much better chance with the data on a secured server. BD
The personal medical records of tens of thousands of people have been lost by the NHS in a series of grave data security leaks. Between January and April this year, 140 security breaches were reported within the NHS – more than the total number from inside central Government and all local authorities combined.
The sacred principle of doctor-patient confidentiality is being compromised, Richard Thomas, the Information Commissioner, has warned. Britain's information watchdog has ordered an urgent overhaul of data security in the health service.
Some computers containing medical records have been left by skips and stolen. Others were left on encrypted discs – but the passwords allowing access were taped to the side.
In an interview with The Independent, the Information Commissioner's chief enforcer blamed the growth of a "cavalier attitude" among NHS workers across Britain for the exposure of the sensitive records. One GP downloaded a complete patient database, including the medical histories of 10,000 people, on to an unsecured laptop. The laptop was then stolen from his home and never retrieved. In another embarrassing breach, a memory stick containing the medical histories of 6,360 prison patients and ex-inmates of Preston prison was lost. Though the data was encrypted, the password was written on a Post-It note that was attached to the device.
The number of data security breaches within the NHS was only slightly lower than the total number of security breaches reported to the Information Commissioner from within the entire private sector. Stolen and lost hardware was the most common reason for information disappearing.