NHS must wake up to preventable data loss

Earlier this week it was revealed that the NHS lost 800 patient records on an unencrypted memory stick. This was just the latest in a series of data blunders that the NHS is known for. Critics say losing last set of records was wholly preventable, and excuses about resources or education do not carry much weight.

Kingstong Technology sells secure options to large organisations which by their nature handle sensitive data. Including USB sticks – which it actively dares hackers to crack. With this in mind, TechEye had a chat with Bernd Dombrowsky, Inside Sales Director for the EMEA region.

“You will find within the NHS and local councils and other public entities, as well asp rivate corporate environments, you will find really serious efforts to make sure that data is secure on USB stick,” Dombrowsky says. “Many NHS trusts have bought password protected USB sticks by the hundres and thousands.”

What, then, is the problem? Dombrowsky isn’t sure, either. “I cannot speak for the NHS in general,” he says. But it certainly is puzzling when “they spend money on, admittedly, a significantly more expensive USB storage device and buy that by the 100,000’s, then allow someone to go to Sainsburys and buy a USB that also works in their environment. It’s very likely not a budget and money issue.”

According to Dombrowsky, it’s probably an oversight. Or maybe, a “really, really poor compromise with users, who are saying – but I want to have the data where I have my family photos or whatever else.”

Then, if you let people bring in their own, private devices into the corporate environment, there’s automatically a gaping hole for it to fall out of sooner or later. “You download the data, and this wide open door is open in both directions,” Dombrowsky says. “We’re mainly concerned today about the data loss issue, that if you allow non-approved devices and non-managed devices to be plugged in and connected to the organisation’s network, it’s an open invitation for malware and viruses to be brought into the organisation.”

At least part of the answer is endpoint management, so you can see what ports or open, where and why. It’s a necessary partner to encrypted devices. What, exactly, is the point of buying the secure hardware if the IT system in place renders it moot? Dombrowsky believes without a proper network – especially for an institution that carries as much sensitive information as the NHS – simply checking the secure kit off a civil-service drafted shopping list won’t do.

“This trust, another one that just allows people to use drives that are non-secure, which then can be read if they get dropped in a car park or a pub,” Dombrowsky tells us. “Though they have taken steps, and spent money to buy secure drives, that is not good enough. You need to do both things. You need to buy secure drives and put the software in place.”

Not only that, but to Dombrowsky there are some other questions that need looking at. And it goes beyond someone dropping a USB stick and someone else picking it up – “what the heck are you doing carrying around my personal data?” and “why are you taking this out at all?”

“I can relate to the need to have data portable within the organisation, maybe between different buildings, but you need to address this in the staff training up front,” he says to TechEye. “Would you have any justifiable reason to carry hundreds or thousands of patient data sets home? I don’t think so.”

The NHS trust this time, for Surrey and Sussex, claims it does train staff and it takes patient information extremely seriously. When the story broke, a representative from privacy advocates Big Brother Watch claimed the training is “clearly inadequate”. There’s another way to look at it, according to Kingston’s Dombrowsky, and that lies in the relatively recent nature of working with USB in a professional capacity – for the average member of public.

“Kingston started selling USB sticks in 2004,” he tells us. “You go back only a decade – anyone who becomes a consultant today started their medical training when there were no USB sticks around. So where in their medical training have they heard about where the danger with the technology begins?

“The benefits are obvious to you. It’s intuitively obvious. But I think you need to make an extra effort as an organisation to trade on the risks and the risk management.

“I was amazed just how many stories there are from just the last two or three months about these organisations having their data loss issues”.