A report has apparently revealed that the East Surrey Hospital has lost an unencrypted USB drive containing the details of 800 patients. According to the Crawley Observer, this data included details such as dates of birth and medical operation details (and as such would be considered Sensitive Personal Data under the Data Protection Act 1998). In addition to this, the Crawley Observer also reports that the hospital had 9 other incidents where data was “lost” but later recovered.

Interestingly, this admission has only surfaced in the Hospital’s 2010 / 2011 report – there is no obvious mention of it on the ICO’s site and it is not clear if any undertaking has been issued by the Commissioner.

From the Crawley Observer’s article:

The 800 affected people were never informed and nine other ‘near misses’, where information was mislaid but found, were also recorded.
Chief Executive Michael Wilson said: “We take the confidentiality of patient information extremely seriously. All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”

It is strange that the Hospital have chosen to not inform the data subjects (or apparently the ICO) about the loss, and this leads to the suspicion that the Hospital did not keep sufficient track of what data was stored to allow it to identify the individuals concerned. It is also likely that the number of data records lost is a guess but unless the drive is found intact we may never know the correct number.

Based on the comments made by the Chief Executive, it appears that the Hospital have decided the loss is entirely the result of a single member of staff failing to follow processes which apparently require use of encryption on portable media. It is not clear what further training, over an above “encrypt the disk” would help mitigate against this type of loss and the Chief Executive gives no further details.

In the vast majority of incidents where data is accidentally lost and it turns out staff have failed to follow process the root cause is very, very rarely a pure lack of staff training. If your employees are able to turn up to work, they should be able to utilise modern encryption technology.

There are two significant, yet simple, steps the Hospital could take to minimise the risk of this sort of event happening in the future – and these are the same steps any organisation can implement to prevent falling victim the first time – and neither really involve disciplining or retraining the employee:

Step One: Create a management culture which supports security. This has to happen from the top down and can not simply be the empty statements people so often see around their businesses. Management commitment to security has to be more than simply posting a statement of intent on noticeboards. Security, especially in organisations like the National Health Service, is vitally important (second only to actually saving lives) and all levels of management must not only say this, but actually believe it. Encourage all levels of management to be aware of security and the simple fact that it will take your employees a few seconds longer to encrypt / decrypt. Never, ever, place an employee in the situation whereby bypassing a security control makes it easier for them to achieve their job and never, ever, place an employee under so much time pressure they feel they have to circumvent safeguards.

Step Two: Implement technical controls to complement and enforce your policies. It is good to have a security policy which mandates encrypted drives. It is good to have processes in place which your staff should follow to ensure the encryption is applied. However, your employees are humans and people make mistakes. Even the most dedicated and well trained person can have an off-day, so wherever possible you must implement technical controls to catch the “unthinking moment.” In this example, it would have been trivial for the hospital to make use of endpoint encryption software (which they must have to allow for any encrypting of the disks) which prevented an unencrypted drive from being used. This simple act would have ensured that a loss of this nature could not have happened.

Instead of making use of two, very simple, very effective control measures which enhance both the overall security of the organisation but general staff morale, the East Surrey Hospital now has to go to the time, effort and expense of taking disciplinary action against an employee (and possibly reducing overall morale if the staff feel they are being made scapegoats) and the time and effort of providing re-training to an otherwise effective member of staff.

This really is a case where an ounce of prevention could have saved a pound of cure and you would think that a hospital would have known better.