Personal data and flash memory sticks

7 May 2010 by Stephen Owen  
Filed under NHS and health

The need to encrypt personal data for security and privacy has long been acknowledged, and yet stories still come up in which stored data is made available inappropriately because of a failure to follow basic security procedures.

One of the most recent cases involved a lost USB memory stick containing names, addresses, and medical records of both patients and staff associated with a secure hospital in Stenhousemuir.  The memory stick was found by a twelve-year-old boy in the car park of a nearby Asda store.

It’s clear why these things are near-ubiquitous: USB memory sticks are designed to be cheap, easy and convenient to use, and able to hold large amounts of data; they are ideal for transporting data from place to place.  These very factors are what make them dangerous in environments where sensitive data is handled: their familiarity makes them seem benign, and their portability (and losability!) serves to heighten their threat to data security.

The lessons are sadly familiar:

Control access to sensitive data using hardware and software: if you restrict access to sensitive data, you lessen the possibility of data leaks and data loss, and can streamline people’s working practices too.

Consider and adapt practices which require data to be moved ‘outside of the system’: large software systems often have complex security controls built in, and while these might not be perfect (indeed might not even be adequate), controls can only be of use when they can be applied.  Once data is removed from the system, for whatever reason, new practices are needed to work with the existing in-system controls. Designing and implementing these practices can be non-trivial, but even recognising the need to supplement existing controls can be difficult.

Teach the people who must handle the data why controls are necessary: if everyone understands what the needs are and why they’re important then this can be a way to ensure that safeguards are both comprehensive and workable for those that must deal with them day-to-day.

Full story: “Lost mental hospital memory stick had health records”
