in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Disk Encryption Software Not Deployed On USB Disk Missing At Bradford Teaching Hospitals?

A health worker at Bradford Teaching Hospitals NHS Foundation Trust has lost a USB memory stick with patient details for 2,650 surgical patients and 3,000 patients on a waiting list.  There is no mention whether data encryption software like AlertBoot was used to secure the contents, although circumstances hint that it wasn't used.

The missing information may include patients' names, addresses, dates of birth, hospital numbers, and medical treatment.

Against NHS Policies

Needless to say, saving sensitive and confidential information unto an unsecured USB device is against NHS policies.  I know this is true because I must have covered at least 10 cases of NHS breaches this year alone.

You know, I'm amazed that so many hospitals still point out the above policy.  I realize the hospital has to do some damage control, and divert anger from themselves to an employee (at least, I think that's the idea).  But really, is this the best excuse they can come up with?

(By the way, I suspect the NHS knows that the policy is useless--their announcement to sign up for 100,000 encrypted USB flash devices pretty much proves it.  I expect "against policies" announcements to decrease in the future...)

The USB device was lost at the Leeds Metropolitan University library.  Based on what I'm reading here, it almost sounds like the health worker left it stuck into a USB port:

"The Trust has worked with the university to try to locate the device and students have been identified who logged on to the computer from which it was lost. All but one of these students has been contacted but the device has not been traced."[thetelegraphandargus.co.uk.  My emphasis]

Another favorite quote of mine:

"There is no ... evidence of the memory stick being stolen, or of the information being used or disclosed."

As if an identity thief sends out a clarion call before engaging in criminal acts.

Using Disk Encryption To Protect Data

There are several ways that this data breach could have been averted.

  • Have people follow the data security policy.  Yeah, right.  But, some--not many--do.  Well, there'll be more people following it now, since the aforementioned worker has essentially been fired.
  • Denying administrative staff access to sensitive medical data.  I mean, why do they have access to it to begin with?  I can understand names, addresses, etc.  But medical treatment?  As far as I can tell, the staff member was a "health worker" not because she was a nurse, but because she worked for a health trust.
  • Using encryption to secure data.  If all else fails, using encryption software to protect sensitive data is a great way of greatly minimizing the risks of a data breach.

Of course, there's no guarantee that a data breach cannot happen because encryption is in place.  For example, if the USB disk was lost while connected to a computer...well, that's problematic.

Chances are the password was provided to gain access to the disk: it's the only way to gain access to read and write to the device.  And if someone other than the owner happens on that still-connected memory disk, the potential perpetrator could, say, copy off the contents of the USB disk to the computer, and copy the files back to his own personal USB disk.

(On the other hand, if someone unplugs it from the computer, the contents will remain safe, since the password needs to be supplied the next time the USB stick is connected to a computer.)

Depending on whether file encryption or disk encryption was used, a breach may be contained or not. (Click here to learn about the difference between file encryption and disk encryption.)

 

Related Articles and Sites:

http://www.yorkshirepost.co.uk/news/Confidential-hospital-records-lost-by.5216361.jp

 
<Previous Next>

Managed Data Encryption Service: IRS Shows How Going It Alone Takes Forever

Laptop Encryption Software Not Used On Missing St John Regional Hospital

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.