The need to encrypt personal data for security and privacy has long been acknowledged, and yet stories still come up in which stored data is made available inappropriately because basic security procedures were not followed.
One of the most recent cases involved a lost USB memory stick containing names, addresses, and medical records of both patients and staff associated with a secure hospital in Stenhousemuir. The memory stick was found by a twelve-year-old boy in the car park of a nearby Asda store.
It’s clear why these things are near-ubiquitous: USB memory sticks are designed to be cheap, easy and convenient to use, and able to hold large amounts of data; they are ideal for transporting data from place to place. These very factors are what make them dangerous in environments where sensitive data is handled: their familiarity makes them seem benign, and their portability (and losability!) heightens the threat they pose to data security.
The lessons are sadly familiar:
Control access to sensitive data using hardware and software: if you restrict access to sensitive data, you lessen the possibility of data leaks and data loss, and can streamline people’s working practices too.
Consider and adapt practices which require data to be moved ‘outside of the system’: large software systems often have complex security controls built in, and while these might not be perfect (indeed might not even be adequate), controls can only be of use when they can be applied. Once data is removed from the system, for whatever reason, new practices are needed to work alongside the existing in-system controls – designing and implementing these practices can be non-trivial, but even recognising the need to supplement existing controls can be difficult.
Teach the people who must handle the data why controls are necessary: if everyone understands what the needs are and why they’re important, this can be a way to ensure that safeguards are both comprehensive and workable for those who must deal with them day-to-day.
Earlier in January the Information Commissioner’s Office (ICO) announced that it had taken action against two NHS trusts after the loss of personal data. In each case, data had been stored in an unencrypted form on easily-removable, and so easy to lose, pieces of hardware. Whether or not the hardware and the data it contains are recovered, the effects upon those whose information is lost are serious. Stories like this attract media attention, and in recent times the media has become more alert to this type of story and the damaging effects of data loss on the people affected. These effects can obviously be worrying where financial or medical data are involved.
Stories of laptops being mislaid or stolen, and the increasing use of USB storage devices as convenient ways to store and transport data, make data governance an increasingly important issue. As technology advances, new developments in data transfer and storage encourage and enable new applications which would have been unthinkable in the recent past – the NHS National Programme for IT (NPfIT), with plans for sharing health and other related data country-wide, being just one example of such an ambitious system. However, advances that make data more easily available are a double-edged sword, since accompanying the desire to store and distribute information is the need to control who has access to it, and what they can do with it.
One of the most complex parts of designing a large system can be controlling access to the data that it contains. Most people are familiar with usernames, passwords, PINs and so on, all of which serve to control access to a system, and which are then used by the system to determine what a person can see and do. In combination with such access controls, the underlying data within a system can be stored in an encrypted form which makes using the data much more difficult even if you can gain access to it through some unauthorised means.
What many (though by no means all) of the data protection stories related in the press have in common is that they concern data being lost OUTSIDE of the system: personal records stored on a USB stick, data downloaded onto a laptop to allow working away from the office, confidential papers left on a train – in these situations the data has already been removed from the system. Given that access is therefore compromised, it becomes particularly important that such data is protected in some other way – encryption can be used here too.
Encryption is a process by which data is altered through a known process which can be reversed when access to the data is needed. A secure system will typically use encryption internally to protect sensitive data such as passwords or medical history. It is possible to encrypt the hard disk drive of a laptop computer, or the contents of a USB memory stick; this would mean that in order to read any data, a password or some similar access control measure would be needed. Data in an encrypted form is of limited use, and so as long as access to the means of decrypting it is controlled, encrypted data can be considered relatively secure (‘relatively’ because it is not impossible to access encrypted data, merely difficult; encryption serves to make unauthorised access to the data infeasibly difficult rather than impossible).
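As an added illustration of the measure described above (this is example code written for this page, not part of the original post), the following encrypts a record for transport on a memory stick so that a passphrase is needed to read it back. It assumes the third-party `cryptography` library is installed; the file-format tag, field lengths and sample record are constructed for the example, and a wrong passphrase or a tampered file yields nothing rather than garbage.

```python
import os
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"USBENC1"   # constructed format tag, also bound to the ciphertext as associated data
SALT_LEN = 16        # per-file salt so equal passphrases give unrelated keys
NONCE_LEN = 12       # AES-GCM standard nonce size


def _derive_key(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF: whoever finds the stick must pay this cost per passphrase guess
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return kdf.derive(password.encode("utf-8"))


def encrypt_record(password: str, plaintext: bytes) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag, suitable for writing to removable media."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = _derive_key(password, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def decrypt_record(password: str, blob: bytes) -> Optional[bytes]:
    """Recover the plaintext, or return None if the passphrase is wrong or the file was altered."""
    if not blob.startswith(MAGIC):
        return None
    body = blob[len(MAGIC):]
    salt, nonce = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    if len(salt) != SALT_LEN or len(nonce) != NONCE_LEN or len(ciphertext) < 16:
        return None
    key = _derive_key(password, salt)
    try:
        # GCM authenticates before returning anything, so a bad key or a flipped byte fails here
        return AESGCM(key).decrypt(nonce, ciphertext, MAGIC)
    except InvalidTag:
        return None


if __name__ == "__main__":
    record = b"name=A. Patient (constructed); ward=3; notes=sample only"
    sealed = encrypt_record("correct horse battery staple", record)
    print("plaintext visible in file:", b"Patient" in sealed)       # False
    print("recovered with passphrase:", decrypt_record("correct horse battery staple", sealed) == record)
    print("recovered with wrong passphrase:", decrypt_record("password1", sealed))  # None
```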
Unfortunately, many of the examples of data loss featured in the media become such large stories because the data had not been encrypted. This is a simple measure, accepted as good practice within the industry and promoted strongly by the ICO, but one which is not routinely followed. The recent loss of data from Monster and a variety of losses from government departments serve to emphasise the need for strong access controls, routine encryption of sensitive data, and a greater appreciation of the worth of such data and the dangers involved in its distribution, even within carefully-controlled circumstances.