AlertBoot Endpoint Security

Hard Disk Encryption: Nightingale Practice Patients Affected By Break-In

A break-in at Clapton's Nightingale Practice in the UK has resulted in a medical data breach that could affect more than 7,000 patients.  A computer hard drive was stolen, as well as backup tapes, which were not protected with data security measures like data encryption software from AlertBoot.

Break-in At the Manager's Office

According to the hackneygazette.co.uk, the break-in occurred on April 2 (a 19-year-old "youth"--I'd say at that age, one's an adult--was arrested and charged with burglary).  The manager's office at the Nightingale Practice was broken into, and the hard drive and tapes were stolen.

It should be noted that the tapes were "locked in a safe kept in a locked cupboard."  The thief actually broke into a locked safe and was able to steal the backup tapes?  That couldn’t have been a good safe.  There is no mention of how the stolen hard drive was secured in the office, if at all.

Since the burglary, the tapes in the safe have been removed and destroyed, according to NHS City and Hackney.  It was also noted that the health trust had "encryption on a computer backup on all Hackney practices since January" (of this year, I presume).

I've got to be honest, I don't know what that last bit means.  Does it mean that all computers at all medical practices under the supervision of the health trust are encrypted?  Or does it mean that the one computer at the trust HQ is encrypted?

Because if it's the former, obviously they missed one computer (or, rather, that computer's hard drive); if the latter...so what?  Break-ins can happen anywhere.  The health trust may as well point out that the CIA has guns: guns can provide security, but that doesn't change the fact that there's data at risk out there, in the trust's backyard.

Keeping Data Safe

The Information Commissioner's Office has stated to the hackneygazette.co.uk that "storing unencrypted data in a safe kept inside a locked office would probably be regarded as sufficient" protection of personal information.

Bollocks.

What kind of safe yields to a 19-year-old?  As can be seen from the NHS's actions (destroying the unencrypted tapes)--as well as the resulting burglary--a safe is not sufficient protection.  Well, not unless it's the same type of safe you'd use to store hundreds of thousands of dollars.

But, such safes will cost beaucoup d'argent.  Plus, they're not exactly expandable/scalable: at some point you're going to run out of room, and what then?  And, there's also a good chance that such a safe won't fit in a locked cupboard at the manager's office.

That's what happens when you try to protect digital information using physical protection.  A better solution may be digital protection for digital information.  For example, if full disk encryption software had been used to secure the contents of the stolen (and now recovered?) hard drive, the thief wouldn't have been able to gain access to its contents.

The other upside is that encryption software doesn't take up any physical space, since it resides within the hard disk (it's part of the disk's contents, in a sense).

And, depending on which provider you select, such protection can be very cost-effective.  Definitely cheaper than a hunk of metal that requires an industrial crane to be moved about and installed.  Hopefully the cost of that is included in the price of the safe.


Related Articles and Sites:
http://www.hackneygazette.co.uk/search/story.aspx?brand=HKYGOnline&category=News&itemid=WeED05%20Jun%202009%2023:49:40:337&tBrand=HKYGOnline&tCategory=search


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.