AlertBoot Endpoint Security

Data Encryption Software Is Not What The NHS Needs?

NHS Scotland admitted over the weekend that it has lost the medical history of 137 patients.  The information was stored on a USB memory stick.  It appears that the information was not protected via full disk encryption, such as that offered by AlertBoot endpoint security software.

Scotland Government Has Data Problems

The above incident follows a report released by the BBC yesterday that the Scottish Government has lost over 200 digital devices with confidential data (including laptops, PCs, and memory sticks) in the past 18 months.

The losses stem from numerous agencies and involve a variety of information.  According to the BBC:

  • Glasgow City Council: psychological services department loses details of students
  • NHS Greater Glasgow and Clyde: seven laptops stolen, one of them containing details on over 5000 patients
  • Aberdeenshire Council: pictures of school children on a memory stick

The list goes on in the original article.

It's pointed out that the Scottish Government has promised to do more about data security whenever a data security incident has popped up, but it looks like not much was done.

Something was done; it's just that it's not what they need:

A government spokesman said that since the Scottish Government Data Handling report was published last June, it had "broadened its leadership role and acted as the source of centralised, authoritative guidance and assistance for Scottish public bodies."

"We have, for example, worked to raise awareness of good practice in data handling and information sharing through a series of seminars for organisations with responsibility for handling a variety of sensitive information," he said. [my emphasis]

I've Got "News": Awareness Doesn't Work

You know, one of the greatest qualities about Scots is that they're prudent people.  And, raising awareness is certainly prudent.  But not in this case.

Pointing out that a fence is electrified is prudent because there are plenty of non-electrified fences.  However, if all fences are electrified, the sign becomes useless, and just putting up a sign is not prudent anymore (people already know the fence is electrified).  Likewise, raising awareness about data security is...well, if you don't know about data security and its importance, and you're old enough to work...

My point is, raising awareness doesn't work.  It just doesn't; at least, it doesn't work well.  It may work for a short while, but in the long run, people tend to rationalize: I'm aware that if I lose this USB memory stick with tens of thousands of names, addresses, and other private information, it will be a catastrophe.  So, I'm aware I shouldn't lose it.

That's no good.  Just being aware is not a security practice you can rely upon.  In the story I mentioned at the beginning of this post, the NHS Scotland employee who lost the USB stick owned up to the loss.  Obviously, he confessed because he was aware that losing a USB stick with confidential information is a bad thing.  He was aware and yet here we have a data breach.

How About Something Less Fuzzy?

One way to prevent data breaches from happening is to gain control (again, because awareness alone doesn't work).  The other way is to protect the data.  And, because there are loopholes in any security measure, it may be a good idea to use both.

An easy way to ensure that data does not get copied over to unauthorized devices is to use USB port control software.  Such software controls which devices can exchange data with the computer.  Stick in an unauthorized USB disk and...nothing happens.  Excellent.

Of course, you'll want to allow some USB disks to copy data to and from the computer.  At this point, you lose control over the data: control is transferred to the user of the USB disk.  What you have to rely on, then, is protecting the data.  One way to do so would be to use encryption software.

Allowing only authorized, encrypted USB disks to copy data off a computer will go a long way towards securing sensitive information.


Related Articles and Sites:
http://www.computing.co.uk/computing/news/2243278/nhs-scotland-loses-patients


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.