
Time someone guarded the guards?

The NHS London “Serious Untoward Incidence Report Summary for 2008-2009” makes rather interesting reading, showing how many minor incidents have resulted in large amounts of data being “mislaid”, potentially into the hands of persons who would use it for nefarious purposes. You can currently find the incident summary here.

What seems clear is that whilst information storage has undergone a massive technological development, the care of information has been neglected to a shocking extent.

In one case 18,000 staff payroll records on disks were “placed in a post tray” but never arrived. In another, an unknown number of records relating to children and their families were on a notebook that was stolen from a car outside a staff member’s home. It is scary enough that those records were on a notebook (it is not mentioned whether any encryption was in effect) and that the notebook was left outside in a car, but what is really damning of the system is that the number of records is unknown.

Our data recovery group recently undertook a data security test for a company (not part of the NHS) as a risk assessment exercise following a data loss, when they wanted to demonstrate that if a backup tape was stolen it could not be of any value. Three days later we invited them to observe how we had full access to their applications and data, to the point that we could have acted as a backup operation for their main office. Whilst this did require considerable technical skill and ability in computer forensics and data awareness, it very clearly highlighted the potential risk. Subsequently the company implemented a straightforward data encryption process into their backup strategy, and the potential for the problem was significantly reduced.

The temptation is to condemn the persons who commit the act immediately leading to the problem, “what idiot left the laptop…”, but often these are well-intentioned and hard-working professional persons who are struggling under increasing case-loads and just trying to do the best that they can. Accountability needs to be at the top of the system, and action needs to be taken in advance of a problem, not “in the light of these incidents we are tightening procedures”.

Secure internet access is available from almost anywhere for remote access. Encryption software is available at zero cost that will protect against any random attempt at accessing data. Data can be managed so that it is known who has what records and that they only have what they need. It is all pretty simple stuff yet data security seems to be an issue that our political “masters” care little about or just do not understand.

Fear of a national identity database is probably based upon many misconceptions, but also upon one proven underlying principle, which is that we cannot trust the people who want to store our data to keep it secure and free from abuse.
