AlertBoot Endpoint Security

Disk Encryption Software Would Have Prevented Data Protection Act Breach By Five NHS Trusts

Five National Health Trusts have been found in breach of the Data Protection Act.  Most of these breaches could have been avoided via the use of disk encryption software like AlertBoot.  However, the trusts hadn't used the correct data protection programs--if they had used any at all--and have had to enter into formal undertakings with the Information Commissioner's Office.

The five trusts and the nature of their breaches are as follows:

  • Royal Free Hampstead - 20,000 patients' info on a CD
  • Chelsea and Westminster - 143 patients' info on a USB disk
  • Hampshire Partnership - 607 patients' and staff info on a laptop
  • Surrey and Sussex - 23 patients' info on paper documents, left on a bus
  • Epsom and St. Helier - Undisclosed number of patients' data stored insecurely for two years after a data transfer (paper? Computer disk?)

Most Would Have Benefitted From Disk Encryption Software

As you can see from the list above, most of the thefts involved the loss of hardware with sensitive data (assuming, of course, that the last one affected 20,000 patients or fewer).

The first step of not having a data breach is...don't lose stuff. (A side benefit is that one doesn't have to go through the process of filing paperwork.  Also, what if there's nothing in the budget for a new whatever--laptop, server, etc.?  Not losing stuff usually pays off.)

Never losing stuff is not a realistic approach to data security, though.  If history has shown us anything, it's that anything can be lost: USB flash drives.  Cars.  Entire naval fleets.  Ancient cities.  The track record for not losing stuff is lacking, at best.

So, when it comes to a data breach, if one cannot guarantee that items won't be lost, the next best thing is to prevent access to the data even if that item is lost.

There are two ways of doing this: the right way and the wrong way.

The wrong way is to provide data security that only looks like it works.  For example, most people consider password-protection to be adequate data protection.  But, people involved in stealing data know that such protection measures can be easily defeated.  And who are you protecting your data from?  People who are involved in stealing data.  So, the logical conclusion is that password-protection works to protect your data from yourself.

The right way to provide data security?  Despite all the criticisms, the only way to do so--at least for digital data--is to use encryption software.  Which is why the ICO has reprimanded the above trusts for not encrypting their data.

Related Articles and Sites:
http://www.networkworld.com/news/2009/071709-five-nhs-trusts-slammed-for.html?page=1

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.