back to article 5,000 NHS records vanish with latest lost laptop

A laptop containing medical records for more than 5,000 people has been lost by a hospital near Dudley. The latest data giveway occurred on 8 January. The laptop was taken from an outpatients department at Russells Hall Hospital. West Midlands Police is investigating the theft and several thousand people have received warning …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Down

    Passwords..

    Since when did a password on a pc or lapop provide protection - just pull the drive out and plug it in to another machine... Will need a special cable for a laptop drive, but they're not exactly rare.

    Passwords on a database? Unless everything's encrypted, there's no security at all...

    ONe has to ask why records like this are on a pc and not locked up properly on a server - is it because the NHS can't run reliable networks?

  2. Mark Sadler
    Thumb Down

    Crack, Smack or both sir...

    I know the area around this particular hospital. Its the sort of area where even the steel wheels on your morris minor aren't safe!

    Whoever left the laptop lying around deserves shooting!

    On a plus side, I can guarantee whoever stole it is only bothered about getting enough money to get off his/ her face so the personal details will be pretty safe.

    The laptop will be formatted by the scum bags preferred PC nerd who just wants a nice easy job, something along the lines of;

    'its password protected, i'm gonna have to format it & re-install windows... that'll be £30'

    Smack rat sells laptop for £100 > pays nerd £30 > goes to dealer, gets wrecked, goes out and steals another laptop. Hey presto, the life cycle of a scum bag begins again.

  3. James Anderson
    Coat

    Laptops not safe.

    Lets put all our data into a lightwieght portable box thats worth £200+ to someone down hte pub, leave them lying around -- oops its gone missing!

    There should be a blanket ban on issuing laptops to brainless public employees.

    Something I have always wondered is who are these trusts? Who apoints them? What do I need to do to get control of a budget thats 10% of Britians GDP?

  4. Andy Worth

    Shit......

    .....they found out (whoever has the laptop) about my piles

  5. Anonymous Coward
    Unhappy

    Massive improvement over the norm

    Not only is the device password protected but so is the DB!

    It still begs the question: Why is this DB on a laptop anyway?

  6. Anonymous Coward
    Thumb Down

    Wow I'm amazed

    password/login protected. Whoopie doo

    So one boot disk later, Admin password changed, bish bash bosh. Jobs a good 'un.

  7. Anonymous Coward
    Joke

    Any suprises?

    Maybe government departments should start reporting non loss of data, say along the lines of:

    NEWS!

    Minister takes unencrypted, unpassworded laptop home, leaves it in his unlocked car for the weekend with a sticker on the windscreen saying personal details of 10 million people on this pc on the seat and then returned to work with all the data intact on Monday morning.

    Security has to begin with the physical security of devices, don't the NHS realise that the people who use them cannot afford to go private and as such the sight of an unsecure, unattended laptop lying around is just too much temptation.

    Joke icon, just in case.............

  8. Jon
    Flame

    Oh, that's just *so* secure...

    "The database is password/login protected and a separate trust login and password is required to operate the laptop." - So windows password to logon and that's it? Seriously - do these people have any understanding of what "Secure" actually means?

  9. Slaine
    Unhappy

    Dudley dunce dumps doctors' data.

    What I'd really like to know is why; given the money currently being spent (wasted?) on further designing and re-implimenting a national database of patient records; a central store of personal details; a repository of useful information with a secure (debatable - I know) system of access... WHY oh why does the information keep finding itself on laptops that are about to be stolen? Carrying paperwork in a discrete brown bag would be a more effective method of data protection. Here's another clue - don't let staff take laptops home with them. If they cannot get their job done at work - then they are trying to do the job of two people.

  10. Tony Pottrell

    Better than Gov't security??

    OK, so all they need to do to get into the data is take the drive out of the laptop, connect it to another machine, copy the database off then run a brute force password attack on it (or some other method).

    Real secure...

  11. Anonymous Coward
    Coat

    Latest?

    "The latest data giveway occurred on 8 January."

    That was over a month ago, I'm sure they must have lost more data by now.

  12. Alexander Hanff
    Paris Hilton

    Privacy?

    Forget CCTVs, forget Vehicle Tracking, forget number plate recognition, forget gait recognition, forget facial recognition, forget data retention and forget mobile phone logging. All of the above takes way to long, we have over half of the population exposed to ID theft purely from the government "losing" it.

    Who needs all the big brother tactics when the government will just give it away. Hell why not just expose the other half of the population and be done with it, at least then everyone will be on an even playing field.

    37M people's data "lost" in the last what 18 months? Outstanding job, they couldn't have done better if they had -tried- to give the data away, too much red tape and all that crap.

    Revolution anyone?

    Paris because the government has now officially fucked more people than she has.

  13. Dave
    Go

    Dream Product

    A Piece of software that prompts for a password after every time a screen saver runs, every case open and close, every insertion of a disk, floppy, CD or otherwise.

    This will unerypt the hard drive and allow running of the laptop as is, possibly as a virtual machine. The Virtual Machine is created by a backup prog or disk copier.

    Total time to secure a laptop = an hour or so.

    Does anyone know of such a product?

  14. Anonymous Coward
    Anonymous Coward

    @ world + dog

    The point isn't whether the data is encrypted, password protected or whatever, it's that anyone downloading or extracting medical records to a laptop, memory stick or some such should be escorted to their desk by a security bod bearing a bin bag, having been told to pack up and fuck off. While we're at it, how about bringing back dumb terminals?

  15. Anonymous Coward
    Dead Vulture

    Why the database was on a laptop

    Because Doctors and such are often working at sites where they don't have access to the main NHS network.

    Also, the WAN links between different NHS sites can be a bit flakey.

    The Vulture because it looks like it needs a check-up.

  16. Anonymous Coward
    Anonymous Coward

    Database on a laptop?

    It's Access isn't it? "The database is password/login protected" Access password? Protected? Ha.

    Still, as said, it's better than nothing.

  17. Tony
    Unhappy

    Security & Lies

    I remember reading the Bruce Schneier book "Security & lies" - part of the pre-sales blurb had the phrase "system administrators who read this book will quickly lose the will to live".

    I think you may have to start putting the number for the Samaritans at the top of the page whenever you have yet another one of these reports of yet more gevernment data loss.

  18. Richard Hicks
    Thumb Down

    Database Password Protected..?! rofl.

    If its Access like most of these things that means nada.

    Hold shift, right click open with -> notepad.

    Scroll a bit...

    Voila you'll see every field seperated by a strange yp character combination, All the rest of the information is held totally in plain text.

    Great security.

  19. Anonymous Coward
    Go

    @Dave

    There pretty much is - Vista with full disk encryption and VMware consoles. Won't stop the users from saving the passwords or writing them on stickies on the screen though.

  20. Matthew Hale

    Phew, don't panic...

    It's Windows, it's password protected :/....let's just hope they are out for the hardware and not the data eh... Never mind a few piddly med records - soon ALL our data will be in the hands of whichever employee of whichever dubious government/corporate organisation that wants it, anywhere around the world (oh yes, not Just Europe, check the SHAM that is NIS), in a few clicks. "All of your data are belong to THEM"...and like THAT, we were all OWNED.

  21. KarlTh
    Paris Hilton

    You can lead a horse to water.

    "I'm a doctor and I want my sausages".

    This'll be some doctor who's been "clever" and "knows more than his IT department" and has "solved" the problem of not having access to this database all the time by creating an Access DB, hitting the "import data" button and, well you can guess the rest.

    The "real" database will be Oracle, MySQL or SQL Server, or hosted by a clinical supplier somewhere in Birmingham in a data warehouse. The problem will be (and always is) the chair-keyboard interface. Even if you only give 'em a web interface so there's no data source for them to misuse the buggers will cut and paste it "because I need it to screw up^h^h^h^h^h^h^h^h do my job"

    Paris because in one way she's a dream user. Too thick to copy secure data to anywhere it shouldn't be.

  22. Anonymous Coward
    Boffin

    Downward spiral

    This problem has been going on for many many years despite the many infosec standards and will continue to get worse now the flood gates have opened and people's eyes have been opened.

  23. KarlTh
    IT Angle

    It'll get worse

    until people realise that when their IT department tells them that something is a bleedin' stupid idea, whether it be carrying around confidential data on laptops, sticking their passwords on post-its, sharing usernames and passwords around like biscuits and every other brain dead thing that they do, it actually *is* a bleedin' stupid idea, and they shouldn't do it. But no. They'll trust some spotty kid to solve their IT problems, but the professionals in their IT departments know nothing.

  24. Anonymous Coward
    Anonymous Coward

    To nickj

    Noooooo! People keep saying "anyone downloading to USB sticks should be shot" or "anyone taking a laptop outside should be hanged". That's NOT your call to make. There are perfectly acceptable reasons for certain users to move data around on sticks and laptops - and there are perfectly good solutions to manage the risk in doing so.

    The problem isn't necessarily people moving data around - although it could be, we don't know what their jobs entail - but that the risks have not been properly assessed and suitable solutions put in place to mitigate them.

    I carry a USB stick between home and work every day full of sensitive data which I work on at home and in work. Both machines and the USB stick are encrypted transparently and require a key to be present on the machine. For me it "just works". For anyone else the stick is unreadable and has no valid filesystem installed.

    Other risk assessments include malware, espionage, kidnap and torture - you go as deep as needed until the total cost of mitigating the risk outweighs the total cost of the risk itself. The above works fine for me - no shootings or hangings required.

  25. Mudslinger
    Stop

    NO EXCUSE

    >Because Doctors and such are often working at sites where they don't have access >to the main NHS network.

    >Also, the WAN links between different NHS sites can be a bit flakey.

    Laptops with built-in 3G cards are available. It's sheer laziness on the part of the health professional (or worse their IT dept) not to have done a proper risk asssesment.

  26. RW
    Flame

    Work at home?

    I keep seeing the lame excuse "I needed that data so I could work at home."

    And what, pray tell, is the difficulty with doing your job during normal working hours at your normal place of work? *Especially* when the data is so sensitive? One suspects that it's just an ego-stroking exercise: look at me, how important I am, *I* have to use this laptop full of Important Data while I travel." To use a charming old Briticism, bollocks.

    Color me "not convinced."

    At least some of this carting data by hand around the landscape must be intended only to justify a seat in first class "so they can work in peace and quiet."

    An anonymous coward wrote "Doctors and such are often working at sites where they don't have access to the main NHS network."

    What sites are these where they don't have network access? And what kind of work is it that requires so much data that it can't be transferred via a good old-fashioned PPP dialup, available anywhere there is a phone line. For that matter, you could do PPP over a cell phone, no? [Excuse me if my technology is out of date, but I'm retired and no longer fret over details. The rest of you can just suffer.]

    If the volume of data is too great for dialup to handle, then that doctor (or such) is doing too much work in the wrong place—precisely the same issue all over again.

    PS: and what are these "and such" folks who are categorized with doctors?

    It smells like a lot of ego-masturbation going on, the laptop full of Important Data being the new status symbol, never mind the potential consequences of forgetfulness, stupidity, or sheer bad luck.

  27. KarlTh
    Paris Hilton

    But in reality

    What actually happens is either:

    1. High-ranking user asks about access via 3G or somesuch, is told it will cost X, and says "bugger that, I'll do it this way"

    2. High-ranking user doesn't bother to ask, he just does it.

  28. Anonymous Coward
    Anonymous Coward

    It's very easy

    Work during the hours of nine to five, in the office, on the office network.

    During the hours of five pm to nine am have some sort of other life, which does not require anything whatsoever from the office.

    Data security increased. Life quality increased.

    And don't try to tell me it isn't possible. It is.

  29. Ishkandar
    Boffin

    "Wonder why they ever called them NHS Trusts."

    They are named after a medical apparatus used to give support to failing parts !!

  30. Ishkandar

    Obviously

    "HMRC twice lost 25 million records relating to child benefits, the DVLA lost 6,000 records for vehicle owners, and the MoD misplaced a laptop containing details of 600,000 applicants to the armed services."

    And you wonder why the Russians have canceled their spying budget for the UK ??

  31. BitTwister

    @nickj

    Absolutely spot-on. The information should not have been taken off-site in the first place.

  32. Anonymous Coward
    Coat

    Not Security by Obscurity but...

    Security by Publicity!

    Make the whole damned lot public, then it will be of no value to anyone.

    That's obviously the plan here!

  33. Anonymous Coward
    Anonymous Coward

    Class Action Suits

    I think that is the only solution - all those who have had their data compromised sue the various NHS Trusts on mass.

    Surely there must be some lawyer out there who can see the pound signs.

  34. Stuart Halliday
    Alert

    Not just the government run sector?

    Oddly enough my Insurance company I've been with for years has recently started asking me to fill in a form to confirm my address, policy number, other details are correct.

    I could be paranoid and think they've lost some of my policy details.... :-)

  35. Anonymous Coward
    Anonymous Coward

    What take the data off site?

    Dunno about this case, but we certainly have occasions when the data is COLLECTED off site - outreach clinics etc. so I can see a reason for laptops with personal data. I don't ever put clinical information on my laptop, and the colleagues who do have PGP-style encryption on the drives (not sure how that works in terms of hardware/software, but the Trust IT people are sufficently convinced to actually spend money on it, which given out overspend is a pretty conviincing argument to me).

    But the hard part is getting users to appreciate that "security" isn't an on/off thing. They all think "password protected" = secure. Don't these guys EVER go to the cinema? I mean, if Tom Cruise can do it, how hard can it be?

    Posted anonymously so I can say things about the Trust!

  36. Anonymous Coward
    Stop

    Do they know the data isnt protected?

    How many Joe Nobodys in any organisation care about the data on their machines, and indeed laptops. "If it gets stolen, I'll get a new one and a wrap on the wrist". How many heads have rolled? IT departments believe they have policies in place, but how are these communicated to the staff who have the data on laptops?

    Mobile data is inevitable for the foreseeable future, more and more people are working wherever they are. Securing all this data is impossible unless you have a full disk encryption tool. Users need educating and even penalised when they loose a laptop or any device which contains date. During this process, something is needed to ensure any organisation in this position is 100% certain the data has been removed and not been accessed. There are tools on the market, one we have been looking at is Backstopp (www.backstopp.com).

    We are taking the approach of while our data is mobile we will protect it anyway we can. If it falls into the wrong hands, we can ensure that we know they cant access it. All this while working to ensure data never leaves the servers, going back to the old centralised computing model.

  37. Rob
    Go

    RE: Laptops not safe

    "There should be a blanket ban on issuing laptops to brainless public employees"

    That'd be everyone then.

  38. Graham Bartlett

    Bollocks indeed

    Wow, all these people who've never thought that you might need to work somewhere else. Particularly people who can't imagine why someone might want to work from home - dudes, where have you been for the last 20 years?

    In the specific case of healthcare workers, consider consultants. Many consultants have a private surgery somewhere and come into the hospital a few times a week. That means they need the information about their patients in two places - or maybe three if they plan on researching the case at home - and no, they might not have NHS network access at their surgery or at their home. Is their primary concern going to be data security? I doubt it - their primary concern will be making sure that their patients survive.

    Or better, consider what happens when the network goes down. Do you truly think you can guarantee no network outages, ever? The rest of us know that networks can and do go down. For us, a network outage might just mean 10 minutes without web access, or inability to do some coding. For a doctor, it means they don't know what blood type their patient is, what their allergies are or when they last had a shot of opiate-based painkiller. Get these wrong and your patient is 200lbs of dead meat on a stretcher.

    The "and such" people classified with doctors would be surgeons (call a surgeon "Doctor" and watch the reaction), nurses and anaesthetists as a minimum for professional care. It might also include admin staff who need to order enough rare blood groups for the next week's surgery cases, for example.

    Most of the people commenting here are seeing IT as an end in itself, and failure to follow what they think of as "best practise" as a sign of stupidity. For the rest of us, IT are merely servants whose work enables us to do our jobs more efficiently. If their "best practise" will impede us doing our jobs then we need to check whether we need to do it that way - so if the result of IT's grand plans would be that people die, as in this example, then IT can go screw themselves. It doesn't mean completely ignoring data security - remember that the laptop and the database need passwords, and one would hope the database password includes encryption since this is trivial - but it does mean choosing how much is worth having.

  39. James Pickett
    Paris Hilton

    Arses covered

    "The database is password/login protected and a separate trust login and password is required to operate the laptop"

    In other words, it's not encrypted.

    Still, I suppose it might just cover the spokesman's arse, as the management won't know any better unless/until the data make an appearance.

    PH - you know why.

This topic is closed for new posts.