The Health Service Journal in the UK is reporting that the private details of NHS patients could easily go missing—and cause the next massive data breach.  I guess they mean something along the lines of the two disks that were lost by the HMRC last year, affecting nearly half the UK’s population.  I don’t know why the HSJ article should come as a surprise.  I’ve already covered many instances where inadequate data protection practices ended up in a data breach.  The use of encryption solutions like AlertBoot hard drive disk encryption could have helped in each instance.

It’s been revealed throughout this year alone that the NHS is lacking in many ways when it comes to data security.

• In August, a USB memory stick was lost at the NHS Dumfries and Galloway
• In July, another USB memory stick was lost at the NHS Lothian
• In May, the NHS at the Isle of Wight noticed a backup tape was missing
• In January, a USB memory stick was lost from the NHS in Manchester.  Ironically, the medical information was stored on that flash drive device as a security measure

What I’ve noticed is that—in a clear case of fixing the stables after the horses and other farm animals have fled—most of these NHS authorities start employing data protection measures after the fiasco.

Besides the above four, the NHS across the UK was involved in lost laptops, CDs, and other devices used for storing information.  Of course, since it made the news, the stored information was sensitive in nature (otherwise, no need to feature it in the news, right?), which actually raises a very good question: are these potential breaches the exception or the rule?  That is, what are the chances that one will have a potential data breach if, for example, a USB memory stick is lost?

If the Health Service Journal sampling is any indication, those chances are 74 out of 105, or 70%.  Turns out that 92 out of every 105 doctors surveyed carry around memory sticks, and of those, 79 carry around sensitive information on those flash drives.  The good news is that 5 had the information password‑protected.  Hmph, assuming that’s “good news;” After all, password‑protection is not encryption.  I guess the true potential of a data breach is actually 79 out of 105, or 75%.

A whopping 75% of someone’s information being compromised in the event of a simple misplaced memory device.  And, the number of people who could be affected will just increase in the future for three reasons:

1. USB memory sticks are getting cheaper by the day.  That means soon enough everyone will have one.  Hell, people will probably start buying them because it matches their pants; it’s encrusted in jewelry; or some other fashion‑consciousness/forwardness statement.  Oh, wait.  It’s already happening.
2. USB memory stick capacities are getting larger by the day.  The sheer capacity of these devices means that people will store more stuff—and the more stuff you’ve got saved, the harder it is to delete it…mostly because people don’t remember what’s in there (zounds!  What if I delete something I shouldn’t have?  But, at the same time, I don’t have the time or energy to cull through that data…I guess no data reaction today).  Of course, the longer you own something, the greater the chances of losing it by accident.
3. USB memory sticks are getting smaller by the day.  In terms of physical size, that is.  These things are becoming so small, I foresee a future where flash drives become something akin to the modern potato chip bag: nothing much inside, but needs to be oversized just to handle all the printed material.  Likewise, 25 years from now, you’ll crack open a flash drive and see that the actual memory is a spec of dust.  The case, however, is still “normal” sized because you need to grab it somehow in order to unplug it from the port somehow.

In conclusion, we have more information stored in disks with ever‑expanding capacities that are becoming smaller each day.  But the advances in technology haven’t done jack squat for preventing people from losing stuff.

What are the chances that there will be a massive data breach, when we consider the current trends, and the lack of disk encryption on data devices prior to a data breach?  According to the divination from my magic eight‑ball: “Most Likely.”

Related Articles:

http://www.hsj.co.uk/news/2008/09/data_risk_hides_in_doctors_pockets.html

http://news.bbc.co.uk/2/hi/health/7596447.stm