{"id":253,"date":"2011-10-03T19:34:12","date_gmt":"2011-10-03T19:34:12","guid":{"rendered":"http:\/\/www.halkynconsulting.co.uk\/a\/?p=253"},"modified":"2011-10-03T19:34:12","modified_gmt":"2011-10-03T19:34:12","slug":"hospital-loses-800-patients-data","status":"publish","type":"post","link":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/","title":{"rendered":"Hospital loses 800 patient&#8217;s data"},"content":{"rendered":"<p>A report has apparently revealed that the East Surrey Hospital has lost an\u00a0unencrypted\u00a0USB drive containing the details of 800 patients. According to the <a title=\"Crawley Observer - Hospital loses patient data\" href=\"http:\/\/www.crawleyobserver.co.uk\/news\/local\/hospital_loses_details_of_800_patients_1_3100051\" target=\"_blank\">Crawley Observer<\/a>, this data included details such as dates of birth and medical operation details (and as such would be considered <strong>Sensitive Personal Data<\/strong> under the Data Protection Act 1998). In addition to this, the Crawley Observer also reports that the hospital had 9 other incidents where data was &#8220;lost&#8221; but later recovered.<\/p>\n<p>Interestingly, this admission has only surfaced in the\u00a0Hospital&#8217;s\u00a02010 \/ 2011 report &#8211; there is no obvious mention of it on the ICO&#8217;s site and it is not clear if any undertaking has been issued by the Commissioner.<\/p>\n<p>From the Crawley Observer&#8217;s article:<\/p>\n<blockquote><p>The 800 affected people were never informed and nine other &#8216;near misses&#8217;, where information was mislaid but found, were also recorded.<br \/>\nChief Executive Michael Wilson said: &#8220;We take the confidentiality of patient information extremely seriously. All staff should always use encrypted memory sticks when transferring patient data. 
It is regrettable that this didn\u2019t happen on this occasion and the member of staff has been taken through the Trust\u2019s disciplinary procedures and has received further training.&#8221;<\/p><\/blockquote>\n<p>It is strange that the Hospital have chosen to not inform the data subjects (or apparently the ICO) about the loss, and this leads to the suspicion that the Hospital did not keep sufficient track of what data was stored to allow it to identify the individuals concerned. It is also likely that the number of data records lost is a guess, but unless the drive is found intact we may never know the correct number.<\/p>\n<p>Based on the comments made by the Chief Executive, it appears that the Hospital have decided the loss is entirely the result of a single member of staff failing to follow processes which apparently require use of encryption on portable media.\u00a0It is not clear what further training, over and above &#8220;encrypt the disk&#8221;, would help mitigate against this type of loss and the Chief Executive gives no further details.<\/p>\n<p>In the vast majority of incidents where data is accidentally lost and it turns out staff have failed to follow process, the root cause is very, very rarely a pure lack of staff training. If your employees are able to turn up to work, they should be able to utilise modern encryption technology.<\/p>\n<p>There are two significant, yet simple, steps the Hospital could take to minimise the risk of this sort of event happening in the future &#8211; and these are the same steps any organisation can implement to prevent falling victim the first time &#8211; and neither really involves disciplining or retraining the employee:<\/p>\n<p>Step One: <strong>Create a management culture which supports security<\/strong>. This has to happen from the top down and cannot simply be the empty statements people so often see around their businesses. 
Management commitment to security has to be more than simply posting a statement of intent on noticeboards. Security, especially in organisations like the National Health Service, is vitally important (second only to actually saving lives) and all levels of management must not only say this, but actually believe it. Encourage all levels of management to be aware of security and the simple fact that it will take your employees a few seconds longer to encrypt \/ decrypt. Never, ever, place an employee in the situation whereby bypassing a security control makes it easier for them to achieve their job and never, ever, place an employee under so much time pressure they feel they have to circumvent safeguards.<\/p>\n<p>Step Two: <strong>Implement technical controls to complement and enforce your policies<\/strong>. It is good to have a security policy which mandates encrypted drives. It is good to have processes in place which your staff should follow to ensure the encryption is applied. However, your employees are humans and people make mistakes. Even the most dedicated and well trained person can have an off-day, so wherever possible you must implement technical controls to catch the &#8220;<em>unthinking moment<\/em>.&#8221; In this example, it would have been trivial for the hospital to make use of endpoint encryption software (which they must have to allow for any encrypting of the disks) which prevented an unencrypted drive from being used. 
This simple act would have ensured that a loss of this nature could not have happened.<\/p>\n<p>Instead of making use of two, very simple, very effective control measures which enhance both the overall security of the organisation and general staff morale, the East Surrey Hospital now has to go to the time, effort and expense of taking disciplinary action against an employee (and possibly reducing overall morale if the staff feel they are being made scapegoats) and the time and effort of providing re-training to an otherwise effective member of staff.<\/p>\n<p>This really is a case where an ounce of prevention could have saved a pound of cure and you would think that a hospital would have known better.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A report has apparently revealed that the East Surrey Hospital has lost an\u00a0unencrypted\u00a0USB drive containing the details of 800 patients. According to the Crawley Observer, this data included details such as dates of birth and medical operation details (and as such would be considered Sensitive Personal Data under the Data Protection Act 1998). 
In addition [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[3],"tags":[24,16,6,140,19],"class_list":["post-253","post","type-post","status-publish","format-standard","hentry","category-securitynews","tag-data-protection","tag-government","tag-infosec","tag-security","tag-srm","entry"],"jetpack_publicize_connections":[],
"yoast_head_json":{"title":"Hospital loses 800 patient's data - Halkyn Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/","og_locale":"en_GB","og_type":"article","og_title":"Hospital loses 800 patient's data - Halkyn Security Blog","og_description":"A report has apparently revealed that the East Surrey Hospital has lost an\u00a0unencrypted\u00a0USB drive containing the details of 800 patients. According to the Crawley Observer, this data included details such as dates of birth and medical operation details (and as such would be considered Sensitive Personal Data under the Data Protection Act 1998). 
In addition [&hellip;]","og_url":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/","og_site_name":"Halkyn Security Blog","article_published_time":"2011-10-03T19:34:12+00:00","author":"Halkyn Security","twitter_card":"summary_large_image","twitter_creator":"@HalkynSecurity","twitter_site":"@HalkynSecurity","twitter_misc":{"Written by":"Halkyn Security","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/#article","isPartOf":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/"},"author":{"name":"Halkyn Security","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/3cfcd2267f12bbcce6a10159022c3df2"},"headline":"Hospital loses 800 patient&#8217;s data","datePublished":"2011-10-03T19:34:12+00:00","dateModified":"2011-10-03T19:34:12+00:00","mainEntityOfPage":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/"},"wordCount":832,"commentCount":0,"publisher":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization"},"keywords":["Data Protection","Government","Information Security","Security","Security Risk Management"],"articleSection":["Security News"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/#respond"]}]},{"@type":"WebPage","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/","url":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/","name":"Hospital loses 800 patient's data - Halkyn Security 
Blog","isPartOf":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#website"},"datePublished":"2011-10-03T19:34:12+00:00","dateModified":"2011-10-03T19:34:12+00:00","breadcrumb":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2011\/10\/hospital-loses-800-patients-data\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Halkyn Security","item":"http:\/\/www.halkynconsulting.co.uk\/a\/"},{"@type":"ListItem","position":2,"name":"Security News","item":"http:\/\/www.halkynconsulting.co.uk\/a\/category\/securitynews\/"},{"@type":"ListItem","position":3,"name":"Hospital loses 800 patient&#8217;s data"}]},{"@type":"WebSite","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#website","url":"http:\/\/www.halkynconsulting.co.uk\/a\/","name":"Halkyn Security Blog","description":"Specialist Security &amp; Risk Management Consultants","publisher":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.halkynconsulting.co.uk\/a\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization","name":"Halkyn 
Consulting","url":"http:\/\/www.halkynconsulting.co.uk\/a\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1","width":"990","height":"170","caption":"Halkyn Consulting"},"image":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/2329571","https:\/\/twitter.com\/HalkynSecurity"]},{"@type":"Person","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/3cfcd2267f12bbcce6a10159022c3df2","name":"Halkyn Security","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4126abc936773e5e8bd38e030d54306e161190a7d6166dba7edadb6caf13b504?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4126abc936773e5e8bd38e030d54306e161190a7d6166dba7edadb6caf13b504?s=96&d=retro&r=g","caption":"Halkyn Security"},"description":"Halkyn Security 
Consultants.","sameAs":["http:\/\/www.halkynconsulting.co.uk\/"],"url":"http:\/\/www.halkynconsulting.co.uk\/a\/author\/halkyn-consulting\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9yHvD-45","jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/comments?post=253"}],"version-history":[{"count":1,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/253\/revisions"}],"predecessor-version":[{"id":254,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/253\/revisions\/254"}],"wp:attachment":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/media?parent=253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/categories?post=253"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/tags?post=253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}