A Lancashire NHS trust has announced that they've recovered four laptops that were stolen from different locations, under different circumstances. The trust ought to be congratulated and, yet, I feel conflicted because I know that, without the use of laptop encryption software like AlertBoot, they seriously risked a data breach if there was sensitive information on those machines.
The laptops were stolen from the boot of a car (or car trunk, for Americans), an employee's home, a hotel room, and from an NHS office. I wouldn't say that this is particularly indicative of the NHS's inability to keep security concerns at the top of the list. Rather, it just proves that people continue to lose stuff and that the NHS has a somewhat mobile workforce. (Well, with the exception of the laptop being stolen from an NHS office. What's that all about?)
This is not an opinion shared by all. An IT security vendor quoted at publicservice.co.uk "questioned Lancashire's seemingly proud response to recovering the stolen laptops" and wondered why "staff were toting laptops that contained some degree of NHS data on them."
The obvious answer to the latter seems to be because "they can," possibly because "they need to." (Of course, "because they can" is not a justifiable reason...but it tends to be the reason when you come down to it.)
And, they really could find it necessary to carry around that data. I don't share the vendor's observation that "the days of having to store data on the laptop or netbook because of data transmission bandwidth issues are now long gone."
I mean, have you ever arrived at a conference only to find that the sole internet connection you could find was spotty at best--requiring you to shift and contort your body every 5 minutes--and asking you to work out of some weird, dark nook in the hotel lobby? It smells bad, too, but you jealously guard your position because you can see a bunch of hyenas eyeing you, waiting for their chance at that digital oasis....
Thankfully, none of the laptops lost by the trust contained patient data, so even if the contents of the devices had been accessed (it's implied that they haven't been), there would have been no cause for alarm.
But this raises an interesting question: what if there had been patient data on those laptops? Where is the guarantee that the information wouldn't have been copied off and given or sold to a criminal?
The technological safeguard seems to have involved software that tracks IP addresses, allows remote access, and remote deletion. All very well and good, but there's an Achilles heel: if the computer never connects to the internet, the tracking software can't work.
So, it's not inconceivable that you can have tracking software and still have a data breach. It's also not inconceivable that you'll eventually recover the lost machine, arrest the offenders, and still have a data breach because they copied and sold the sensitive data before it could be deleted.
I won't argue that tracking software is a great asset recovery tool, although I'm on the fence when it comes to calling it a data security tool. Security ultimately means keeping unrelated people out, and tracking software isn't based on such a concept.
The use of encryption software solves the problem of keeping unrelated people out--that's the sole idea behind encryption. However, this poses a problem when it comes to asset recovery because...well, with no way to access the information, how can anyone find the proper owners? Tracking software would be useless as well, since the computer can't be booted up.
When it comes to security, there are always compromises, such as more security vs. better user experience. I guess this is just one of those instances.
Related Articles and Sites: http://www.publicservice.co.uk/news_story.asp?id=10867