Council loses USB of patient records

Cambridgeshire County Council has had its wrist slapped for losing an unencrypted memory stick containing the details of vulnerable adults. The unencrypted memory stick contained the personal details of at least six individuals. The stick including case notes and minutes of meetings where staff discussed the care of the at- …

COMMENTS

  1. John Edwards
    Paris Hilton

    Monkeys

    Sack the monkey responsible. This will educate the staff quicker than anything else.

    Paris because she wouldn't do anything as dumb as this. Oh, and because we haven't seen much of her lately.

  2. Syed
    Alert

    A solution...

    How about engraving the home address of council staff onto the memory sticks so that helpful members of the public know where to deliver the misplaced item?

    (And maybe deliver a good kicking too!)

    1. Anonymous Coward
      FAIL

      RE: A solution

      What happens when you are a bad guy. It goes from being "oh look a USB drive" to "oh look a USB drive from the council, I wonder what could be on it!"

      I wonder how people manage to lose USB drives.

      1. Syed

        @BarryBob RE: A solution

        I was being sarcastic.

  3. Peter Jones 2
    FAIL

    Had problems using an encrypted stick?

    You mean she kept forgetting her password.

    And the council went with the cheap option of issuing encrypted sticks (+2 points) and trusting users to make sure they used only those (-20 points).

    The more expensive option would be to install software that prevents anything other than an encrypted stick from working. But it's still cheaper to pay the toothless ICO fine.

    Until the ICO can mandate that the offenders take specific steps to remedy the situation, these data breaches will continue.

    1. Gerhard Mack
      FAIL

      why even USB

      I don't understand why anything like that would be on a portable media to begin with. Data like that should never leave the office for any reason other than offsite backup.

    2. Mark 65

      User problems

      It would appear from the story that they "went back to using unencrypted" USB. In that case discipline the prick for breaching the internal rules.

  4. Test Man
    WTF?

    So then...

    ... that person should be disciplined for going against the policy that was established and subsequently explained to them. In fact, seeing as they deliberately ignored policy and subsequently caused the council serious problems when they did, this should have resulted in a sacking.

  5. Dave 15
    Thumb Down

    Dave

    This is yet another nail in the coffin of all those idiot 'if you've nothing to hide you have nothing to fear' apologists for government snooping.

    They can't be trusted with information - even obviously very sensitive information.

    I bet some other things are true here as well...

    a) The individual is still in a job

    b) The individual is still handling sensitive data

    c) The people affected have not been compensated to the tune of a couple of million pounds each to pay for a complete identity change

    d) The council haven't reported this to the locals who pay their tax (I know this for a fact as I am one of the poor souls whom this council fleeces for massive council tax payments).

    1. Anonymous Coward
      Megaphone

      "The people affected have not been compensated to the tune of a couple of million pounds each"

      I'll go one further and bet that the people affected have not even had an apology, will never have an apology, and are not even being treated with basic human dignity or respect.

      You try getting an apology out of the council when they lose your data. You can't do it, can you? It's not possible. Now imagine how much harder it would be to even try if you were a vulnerable adult.

      Of course they will argue that you are not owed anything, that you are their servant (and lucky to be so) and they are beyond reproach.

      It makes me literally sick.

  6. Peter Gathercole Silver badge

    I'm normally on the side of the employee

    but in this case, if the published policy was to use encrypted sticks, the worker was given an encrypted stick, and was told to use the encrypted stick, but subsequently didn't merely 'because they had problems', and then did not get the problems addressed, this should be a serious disciplinary issue.

    The employee should be reprimanded at the very least, and if the employment policies allow, held up in front of the rest of the work force to illustrate how important these things are. This is especially true if they are in any position of seniority.

    If this is not done, the excuse will always be that 'it is an education issue', and we will see these things happening more and more.

    1. Ian Stephenson
      Big Brother

      I disagree

      Serious disciplinary issue? No.

      Reprimanded at the very least? My arse!

      It is gross misconduct and grounds for immediate dismissal.

      No hearings, no appeal, do not pass go, do collect your P45 on the way out the door.

  7. N2

    Dear

    Cambridgeshire County Council,

    Kindly issue a memo that anyone handling sensitive data without using strong encryption will be hung, drawn then quartered.

    PS my £100,000 consultancy fee is on its way.

    1. Anonymous Coward
      Anonymous Coward

      You raise an interesting point...

      Back when I was a student I used to get my beer tokens by working in a bookies. We were regularly briefed on 'compliance' issues, to the point of tedium so that I couldn't play the thick card if I didn't comply. Also, if I were to be caught serving a 'vulnerable' (under-age or self-excluded) punter then I was personally liable to the tune of several grand and possibly prosecution.

      Dunno about you, but I think leaking the personal information of lots of people is far worse than accidentally serving a 17 year old that wanted to put a coupon on. Yet there doesn't seem to be any deterrent /to the employee/ for leaking data, aside from a potential sacking; if there is, it isn't enforced.

  8. Anonymous Coward
    Anonymous Coward

    Not-working

    Someone should invent a system whereby data can be securely transferred from one computer to another via means of an electrical connection rather than getting a man to physically carry a physical storage medium.

    They could call this fangled abstract invention 'networking' or something.

    Imagine it! One building could access the data on another system securely over some kind of network connection with no one in between to steal it, and no important consequences if it gets lost en route. It would just need to be sent again. A really clever dick could even make the protocols automatically re-send lost bits of data when they fail to appear in real time.

    Any dragons out there willing to buy into the idea?

    1. Jnemo

      ...and storing documents centrally

      They could also use this "net-work" thingy to store documents in a central place, too. They could call it "fog computing" or something like that.

  9. Graham Bartlett

    Unsurprised

    As someone living in Cambridgeshire, the home of the hundred-million-quid footpath that was supposed to have buses running on it, the only reason I'm surprised is that it's only 6 people. More muppets than Sesame Street, Cambridge city council.

  10. Captain Underpants
    FAIL

    Yay ICO, once again doing...err...nothing to change the source of the problem

    *sigh*

    As long as the ICO doesn't do anything more than grumble at people, stupid data losses will keep happening.

    Yes, it's tedious when complex security mechanisms fail. It's still retarded for this to happen, not least in the context that the user who reverted to using unencrypted storage was aware enough of the reasons for needing encryption that they only went back to unencrypted storage after "having problems" with the encryption system - and yet then managed to be sloppy enough to lose the unencrypted storage!

    FFS! If you've had training sessions saying things like "DON'T stick data on a USB drive without using TrueCrypt/SomeOtherCryptoSoftware, otherwise if you lose it the data gets out and we're all in the shit", it takes being a bit thick to then go "Aw, but I don't like/understand TrueCrypt/SomeOtherCryptoSoftware, I'll just go on doing the same thing I always did. Oh, bum - where's my USB stick?"

    Is it too much to hope for organisations including mishandling of sensitive data as a disciplinary issue? (ie. do it once and you get a verbal warning, twice written warning etc). Seems like an approach that might actually stimulate a change in attitude.

  11. Buzzword
    Go

    Key-fob security

    Here's an idea so crazy that it might just work.

    Every USB stick issued by the council should have a big heavy key-fob, the kind that some hotels have on their keys to remind you that it's in your pocket. The weight of it should ensure that you don't lose it.

    (The weight might have to be on a chain, for desktop PCs where the USB port is some way off the ground. There should be no way to detach the weight - this thing would be soldered into the USB stick.)

  12. Anonymous Coward
    FAIL

    Cowardly other-Council Employee

    "...the loss wasn’t a failure on the part of security strategy"

    Exactly what part of allowing an unencrypted stick to be used is not a failure on the part of security strategy? "The user finds it difficult" is not an excuse and the Council should be treated as if no security policy was in place.

    1. Anonymous Coward
      Stop

      Re: Cowardly other-Council Employee

      "Exactly what part of allowing an unencrypted stick to be used is not a failure on the part of security strategy?"

      There's nothing wrong with the policy, it's just not being enforced correctly...

      Surely losing sensitive data, while going against established security protocols, is gross misconduct and the employee in question should be removed and shot (or I'll accept fired).

      1. Anonymous Coward
        Boffin

        A more fitting punishment

        I think they should be registered as a "vulnerable adult" (appropriate if it's the euphemism I think it is), have their personal details recorded on an unencrypted USB stick, and the stick left in a pub somewhere.

        AC because I live in Cambridgeshire.

      2. hplasm
        Go

        Which would help

        with deciding who should go due to the cuts that are expected...

  13. Anonymous Coward
    Anonymous Coward

    It will keep happening

    I work for a company providing clinical databases for the NHS. We need to handle patient data on a regular basis, as we are often converting it from one system to another.

    We still get emails from NHS staff containing large quantities of patient data, completely unencrypted, and then have to put up with them shouting at us when we refuse to return the processed data by the same route.

    We've even offered to help train them to use PGP (since we suspect that we'll be hung out to dry if anything goes wrong). Nope - ain't going to happen, since the IT departments will often refuse to install it.

    I have no idea what's going through the heads of the people responsible for all this - there seems a complete disconnect at all levels about what's really happening with the data...

    1. Anonymous Coward
      Anonymous Coward

      as of last time I was working with NHS IM&T...

      DfH had mandated nothing is to go via unencrypted email unless from and to nhs.net addresses, iirc.

      one approved solution is to use winzip and encrypt the files using aes256.

      1. Anonymous Coward
        Paris Hilton

        I'm *still* working with NHS IM&T

        (Also posted this on "Doctors warn on patient data", but it's totally applicable here too)

        I work on support for one of the NHS data applications - just yesterday, received this revelatory problem report:

        "We cannot log into [X], it is saying incorrect password on the system. This is for all users who use this password. "

        So not only is a whole department sharing a login, but none of them understand why UsernameX/PasswordY does not work even when they try it on someone else's pc...

        And you expect them to 'encrypt using aes256' ? Believe me, unless it happens automatically, it just ain't gonna happen.

        Paris, cos at least when she makes me blow my top, I have a smile on my face.

  14. Anonymous Coward
    Big Brother

    Fool Proof System Required to Secure Data

    The only problem with fools, is they can be so darned ingenious.

    If the council wants its security policy adhered to, they only need to do one or possibly two things now.

    Issue a P45 to the offender, and make sure all current and future employees know what happened.

    (some people are stupid, or think they are above the rules that apply to everybody else, so they may need to issue a 2nd P45 to the next fool.)

    1. Olafthemighty
      Pirate

      Foolproof, you say?

      I forget who it was (and I can't even be bothered to find out, sorry) who said

      "Nothing is foolproof to a sufficiently talented fool."

      But they were spot on.

      ('cos I like pirates, m'kay?)

    2. Captain Underpants
      Boffin

      Here's a fool-proof system

      It's simple: harness people's inertia.

      Sounds like bullshit wordflappery, you say? Well, that may be, but consider:

      Given the choice between "learn how to use fiddly & complicated new encryption software for the Com-Puh-Tarr Majick Bocks that I use at work" and "ignore fiddly & complicated new software and continue using the Com-Puh-Tarr Majick Bocks in the same way I always have done because I can't be arsed learning new skills", the path of least resistance suggests the latter option.

      However, given the choice between "learn how to use fiddly & complicated new encryption software for the Com-Puh-Tarr Majick Bocks that I use at work" and "ignore fiddly & complicated new software, get sacked for gross misconduct, and then have numerous adventures exploring the fun world that is The Current Jobs Market", the path of least resistance suggests the former option.

      Being the public sector, it's not going to happen without the ICO also harnessing the inertia of those higher up the chain, by making them choose between "Enforce new standards with adequate disciplinary procedures" and "Get hit with massive punitive fines, including personal liability for those at the top of the management chain, for allowing non-compliance with new standards".

      But, you know, I say all this as though I expect the people involved to actually give a shit, when the truth is they barely manage to pay lipservice to the ideas...

      1. night troll
        Pirate

        Firstly..

        as you say they don't give a shit, what's the betting this will be forgotten (and possibly repeated) within six months.

        Secondly.. it NEEDS to be personal fines. The management don't care about fines to the council as it's not their money; they will just take it out of petty cash (the council tax) and carry on as normal. If they were personally liable and had to pay for indemnity insurance in case they got fined then MAYBE they will think about enforcing the security on the information they are entrusted with. Also if they could not get the insurance, due to claims or being found to be incompetent etc., they would then become unemployable so it would gradually clean out the system of these couldn't-care-less fucktards.

  15. Anonymous Coward
    FAIL

    This relates to the news recently ...

    about private sector firms not wanting to hire ex-public sector employees.

    I'm struggling to think of any of the companies I have worked with allowing someone who disobeyed a direct instruction (not to use unencrypted media) to continue in their role. It would be gross misconduct, and they would leave the building immediately.

    It's in the culture.

    1. Anonymous Coward
      Flame

      not only that

      But the member of staff "having problems" with the computer system is the same member of staff "having problems" keeping an eye on their shit.

      Sounds like an all-round winner, don't they?

      I hope that they are currently "having problems" looking for a new job. In reality of course the tax payer is probably lavishing them with gifts. Anything to avoid giving the job to a properly adjusted person.

    2. Anonymous Coward
      Thumb Down

      A story is required, and must contain rabbits and dinosaurs.

      Really?! I've worked in a number of private companies where incidents of this nature have been commonplace. It's nothing to do with public/private sector and everything to do with the nature of the individual.

      1. Anonymous Coward
        Anonymous Coward

        Even if employees actions

        had resulted in a fine and bad publicity ?

        1. Anonymous Coward
          Thumb Down

          Pfft

          Are you 'aving a bubble, matey?

          I used to work for a *large security firm* that had a large *computer forensics division* and advised massive clients on *IT security issues*. All of this massively confidential market-/life-/career-sensitive data was sent around in unencrypted email, everyone was walking in and using their own USB sticks, laptop hard drives were unencrypted and had passwords... FFS we couldn't even get people to stop letting strangers through the security doors without their own electronic keycards!

          It's not just underfunded, demoralised, overstretched social services workers that are crap at data security, it's the shiny corporate Big Smoke private sector workers too!

    3. Anonymous Coward
      Happy

      Ref: This relates to the news recently

      "I'm struggling to think of any of the companies I have worked with allowing someone who disobeyed a direct instruction (not to use unencrypted media) to continue in their role. It would be gross misconduct, and they would leave the building immediately."

      I can think of 2 managers (relatively senior) in different companies who violated the security policy of the financial firms on a regular basis.

      One used to walk away from his logged-in computer, in his office, which could authorise payments of £10m+ (sat in his office waiting for him to return, on several occasions, I had to seriously resist the temptation to give him a practical example of why the security policy was written that way)

      The other gave his User Id and password to a senior supervisor, so that she could counter-sign large life insurance payments (something he was supposed to do as part of the audit controls)

      From personal observation, I would say the quota of security-ignoring employees is about the same, it's just that private companies cover it up, whereas public bodies HAVE to tell. The resolution to this would be to make private companies have to declare these on their annual report.

  16. Anonymous Coward
    Anonymous Coward

    having had experience of local authority IT contracts...

    ..they are pretty poor for the user in terms of actually enabling them to do their work.

    I would not be surprised if said employee was having problems with her encrypted USB stick only to find little or no help from IT. Faced with the choice of no records or insecure ones, they went with their job instinct.

    It's easy to point and blame but the real question is why were there problems.

  17. AbortRetryFail

    Safend Protector

    My current client's security policy is that *all* USB memory devices are encrypted and Safend Protector runs on all machines and actively blocks all attempts to write to non-encrypted devices.

    Why on earth are they not using something like this? Allow users to write to unencrypted devices and they will.

    As an aside, the employee should be sacked for Gross Misconduct.

  18. James Hughes 1

    One would have hoped

    That given most councils need to shed staff to keep within budget, this employee would be one who was right at the top of the list.

  19. Desk Jockey
    Stop

    Defending the indefendable

    I have actually briefly worked for Cambridge County Council (a very long time ago) and to be fair to them, their IT system was far better than most. They resourced it reasonably well and they had dedicated teams whose job it was to prevent muppets from screwing things up. It just goes to show that you can only do what you can, but you still need to deal with the idiots no matter how good the policy or the systems are. Idiots will find a way to break the rules no matter what you do, unless you lock the system down to the point of making it almost unusable. I have worked with really restrictive systems that can still be abused if you know what you are doing; you cannot engineer for stupidity or wilful negligence, unless you put a CCTV camera behind every chair!

    When I was there, their mentality for getting rid of incompetent people was rather weak. "It is too hard to get a replacement" was one excuse I heard. Whilst I sympathise to a degree, as recruiting social workers is a nightmare, I hope they have improved and are actually willing to properly punish people for gross misconduct. There is no excuse for not only breaking the rules, but also for breaking the first rule - don't get caught!

  20. adam.c

    Title, title, who's got the title.

    I must confess that when I saw the badly formed para closing tag - </p - I initially thought it was some kind of emoticon representing the mental shortcomings of the user who can't handle operating an encrypted USB stick - something like a dunce cap paired with a tongue sticking out in extreme concentration.

  21. The BigYin

    Had problems?

    Really? Really, really?

    1) Insert encrypted stick

    2) Fire up TrueCrypt (or whatever)

    3) Select encrypted disc/file and mount/open it

    4) Bash in the passphrase/challenge-response

    5) Get some work done.

    If that really is beyond the employee, then they are not fit to fulfil their role and should either be given remedial training or be demoted. If they had some genuine problem (e.g. dodgy hardware) then they should have reported it and got a replacement.

    For breaching the rules like this, they should face summary dismissal. If they were unaware of the rules, dismiss their direct line manager. Repeat until you reach the first person who (suddenly) gives a shit.

  22. Fuzz

    enforce the policy with software

    It's not hard to do, when we implemented our data protection policy we had a look at software that prevented the use of unencrypted USB drives and found it was a function of our existing AV package. If you plug in an unencrypted USB drive then it is mounted read only by Windows.

  23. NaylsMahoney

    How would they like it

    What gets me is that I'm sure this fool would be outraged if his/her payroll details, DOB, home address and NI number were being carted around on an unencrypted USB stick. Yet they seem to think it's OK for them to carry sensitive data about others in such a manner.

    Personally I feel their details should be published in the press as it only seems fair. But I know the majority would disagree. But surely some form of disciplinary action is required when an employee clearly goes against policy?

  24. Anonymous Coward
    Anonymous Coward

    on the plus side.

    they didn't do this to people who weren't already vulnerable.

  25. Will Godfrey Silver badge
    Unhappy

    More Excuses

    In one place I worked, a breach of security was not only written into the contract as grounds for instant dismissal, you would be very publicly marched between two rather large gentlemen from the establishment to the main gate, without even time to pick up your coat.

    OK, this was in the days of floppies, but you almost never heard of any 'lost' disks.

    I see absolutely no reason why the same shouldn't apply here.

  26. oopsie

    print scanners?

    Does no one make memory sticks with fingerprint scanners on? If the data's inaccessible without the print I'd have thought they'd be reasonably secure, and the odds of losing all of your fingerprints seem low?

    1. The BigYin

      You can defeat...

      ...those scanners with a photocopier and some spit. Even the "good" ones.

      I kid you not.

  27. FordPrefect
    FAIL

    No excuse here

    No excuse could be plausible here. It's against the law and against the council's IT policies, so as much as I don't like to see anyone lose their job it's gross misconduct, with the only applicable sanction being immediate termination of employment. There can be no excuses here and organisations need to start sacking people that commit these sorts of acts. Then maybe people will do what they are told to do and use encrypted sticks or some other form of encryption like PGP or some of the corporate whole disk encryption packages like becrypt.

    Although maybe it's time the council itself looked at something like becrypt across the council where they can enforce an encrypted disk and stick policy.

  28. Stratman

    title

    “What is clear is that in Cambridge County Council’s case, the loss wasn’t a failure on the part of security strategy, but rather one of employee education"

    The strategy STILL allowed unencrypted data to be removed from site. That's a pretty big failure in my book.

    It can't be beyond the wit of man, even Homo Cantabrigensis, to arrange permissions so any data which is to be transferred to external media can only be transferred via an encryption application.

    If some employees can't cope with this then get better employees.

  29. John Smith 19 Gold badge
    FAIL

    Great. So they mandated secure storage.

    No audit to find out how much stuff needed to be moved off insecure removable storage (or why it's there in the first place)

    No limiting downloading in the *first* place.

    No tracking to know *who* or how *much* data was downloaded to insecure removable storage.

    "We have a policy and told staff they shouldn't do this" is a f**king fig leaf.

    IT staff *seem* to have a slight clue but this is looking like one of those "responsibility without authority" situations

    This sounds like an immediate sacking offense in *any* other context.

    *all* bodies who keep this sort of information *should* be able to track it and find out who's got it, who's downloaded it (and why) and frankly should be working like b***ery to make it *unnecessary* to download it to *any* kind of device in the first place.

    Once in a lifetime acts of god I can cope with.

    Repeated *predictable* stupidity annoys me.

  30. Anonymous Coward
    Anonymous Coward

    It's the process, stupid, not the policy.

    It sounds so reasonable: "use encryption, stupid!"

    But just saying that, or even making it policy and threatening "disciplinary action" doesn't work. Even far too many commentards in here haven't read _Why Johnny Can't Encrypt_ (googling it and reading it twice is far easier than figuring out how to use encryption if you don't already know, and the paper is worth a read, so none of you have any excuse left not to have read it, hmkay) that even without full scientific rigour shows how painful it is to "use encryption" in the usually required "intuitive" fashion.

    That is not to say that the council or the employee aren't at fault. Yes, they tried but did so ineffectively, and the clerk still had to do her job so put her priorities there instead of meddling with that nebulous thing that she can't wrap her head around and maybe doesn't even have the tools to do nevermind the wherewithal to check if it was done properly.

    This means that nobody can expect them to succeed, and since it's a typical user/tech interfacing problem, we have our work cut out for us. For it is us that have to make it work. And by work I don't mean "provide a program like pgp, gpg, or openssl*", but to provide tools that easily integrate into non-techie people's workflows in a way that makes "using encryption" as easy as locking the door when leaving.

    I'm quite sure we haven't. It is painfully obvious from the various models used by various general encryption suites that the writers are pretty much living in their own ivory tower and have no idea whatsoever how to even talk to people that aren't crypto nerds. Even among general geekdom encryption isn't widespread because of it. Then pray tell, how on earth are council clerks going to understand how to "just use encryption"?

    I'm quite sure they won't, and lambasting them for it blithely ignores the obvious. If they haven't done their homework, it's because it was too hard, and that would be because we haven't done our homework either. So get on with it already.

    * Did you know that you can use the near-ubiquitous openssl cli tool for symmetric key encryption of a file, ie "putting a password on it", too? No? Does that have to do with you failing to try? Poor documentation? Severe obscurity? All of the above? What else?
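    The footnote above points at symmetric file encryption with the openssl command-line tool, i.e. "putting a password on" a file before it goes anywhere near a memory stick. The script below is an added example, not the commenter's own code and not an endorsement of any particular product the thread mentions: it wraps `openssl enc` (AES-256-CBC with a random salt and a PBKDF2-stretched passphrase) and then checks two things a practitioner cares about, that the ciphertext does not carry the record in the clear and that the wrong passphrase does not recover it. It assumes an `openssl` binary of version 1.1.1 or later is on PATH (needed for `-pbkdf2`/`-iter`); the case-note text and both passphrases are constructed sample values.

```shell
#!/bin/sh
# Added example: passphrase-based file encryption with the openssl CLI.
# Assumes `openssl` >= 1.1.1 on PATH. Sample record and passphrases are constructed.

# encrypt_file <plaintext> <ciphertext> <passphrase-file>
# -salt: random 8-byte salt stored in the output header, so the same passphrase
#        gives a different key/IV each time.
# -pbkdf2 -iter: stretch the passphrase (default openssl KDF is a single hash).
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file <ciphertext> <plaintext-out> <passphrase-file>
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# make_sample <dir>: constructed case-note record and passphrase (not real data).
make_sample() {
    printf 'case notes: constructed sample record 0001\n' > "$1/plain.txt"
    printf 'correct horse battery staple\n' > "$1/pass.txt"
}

# round_trip_ok: 0 if encrypt+decrypt restores the file and the ciphertext
# does not contain the plaintext marker; 1 otherwise.
round_trip_ok() {
    work=$(mktemp -d)
    make_sample "$work"
    encrypt_file "$work/plain.txt" "$work/plain.enc" "$work/pass.txt"
    # The encrypted container must not expose the record in the clear.
    if grep -q 'case notes' "$work/plain.enc"; then
        rm -rf "$work"; return 1
    fi
    decrypt_file "$work/plain.enc" "$work/out.txt" "$work/pass.txt"
    if cmp -s "$work/plain.txt" "$work/out.txt"; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# wrong_password_rejected: 0 if a wrong passphrase fails to recover the record.
# openssl normally reports "bad decrypt" (CBC padding check fails); on the rare
# occasion the padding happens to parse, the output is still garbage, so both
# the exit status and the content are checked.
wrong_password_rejected() {
    work=$(mktemp -d)
    make_sample "$work"
    encrypt_file "$work/plain.txt" "$work/plain.enc" "$work/pass.txt"
    printf 'not the passphrase\n' > "$work/wrong.txt"
    if decrypt_file "$work/plain.enc" "$work/out.txt" "$work/wrong.txt" 2>/dev/null \
       && cmp -s "$work/plain.txt" "$work/out.txt"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"; return 0
}

if round_trip_ok && wrong_password_rejected; then
    echo "openssl enc round trip OK; wrong passphrase does not recover the record"
else
    echo "openssl enc check FAILED" >&2
fi
```

    Only the `.enc` output belongs on removable media; the passphrase file is a stand-in for whatever the operator actually types and should never travel with the stick. Note also that this mode gives confidentiality only: CBC without a MAC does not detect tampering, which is one reason a managed encrypted-container product or a hardware-encrypted device is the usual answer for staff rather than a command line.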

    1. Argus Tuft

      @ It's the process, stupid, not the policy.

      spot on. Make it simple and it will be part of the work flow. Make it complex (for the basic user) and it won't.

      Simple for an IT worker is NOT simple for a middle aged clerk who uses PC's simply because they have to - not as a way of life... "just mount in Truecrypt" would leave 80% of users glassy eyed...

      So many posts here say "just lock down the USB ports". Those posters need to get out of their ivory data centres and into the real world where people do actually need to give data to others (eg customers) on unencrypted USB's.

      If the average user isn't doing what we want them to -- it is OUR fault - not theirs, because OUR systems don't fit the real world work flow.

  31. Anonymous Coward
    Linux

    Council to blame

    The council are not blameless in this!

    There is software that will limit what USB sticks can be used on a given machine. Why did they not limit the system to only allow access to the encrypted stick?

    Also it appears they knew this user was using an insecure stick, so why didn't they disable this user's USB access?

    Tux, because encrypted sticks often don't work on Linux.

  32. Spanners Silver badge
    FAIL

    It was a policy failure

    If you mandate that only encrypted USB devices should be used, the method of enforcing this is called PORT CONTROL.

    Sorry for shouting there but it is so obvious. You make it so that nothing but devices of your choosing actually work when plugged into PCs.

    If they didn't do this, that is the failure on their part. Users can be depended on to do something you don't want.

  33. Silent but Deadly
    Megaphone

    Bigger picture people!

    There are many good ideas out there but unless you put a price on inaction, they will never get past the bean counters and more costly inactions. Fines for (and publication of) breaches puts a cost to inaction and should be welcomed.

    I am concerned about the need to use USB sticks in the first place. Where is the un-networked place that the data is to be taken to and what controls are in place there? Is it an employee's home PC? Another agency? Is the sharing of such data even authorised by the people under care?

  34. kain preacher

    Simple solution

    There is software that will auto encrypt all removable media.

  35. Brian Miller 1

    what about peoples lives?

    Is everyone here really so blind as not to see that the already overworked doctors might need some potentially life-saving details contained on patient records REAL FAST to make use of them? Rather than plug 4 eternally rotated unique passwords into a keyboard just to be able to access that data.

    This is a classic example of IDIOT MANAGERS chasing "data loss" prevention targets at the cost of PATIENT CARE. The IT dept of the NHS work hard and have good intentions, however they are pretty toothless themselves. How about a unified password? Maybe biometrics (fingerprints?) present a clearer solution than an old fashioned rotating extra strength fantastically unmemorable password system for access to the PCs, and a unique key file for the encryption of any removable media (this way only computers that have been given the key file can decrypt the data, i.e. the doctors' PCs), meaning no more passwords.

    How about using SOLUTION based thinking rather than throwing a fit at someone who fails to operate under a flawed system.

    Get over it, someone has hemorrhoids, oh, and their neighbour found out! OUTRAGE.

  36. Michael Dunn
    FAIL

    @Silent but Deadly

    Fines are all very well if applied personally to the employee/managers involved. If applied to the council as a body, they just go into next year's budget and are carried by the taxpayer so that there's no incentive to deal with the security issues.

    It is strange that an employee who was unable to use an encryption process was allowed access to sensitive data in the first place. If this employee was of sufficient seniority to require handling of such data, why was there not a career progression policy in place that required all such to demonstrate the ability and the motivation to implement security policies? Council fail here.

    It always puzzles me how employees who handle sensitive data - commercial or personal - are allowed to work in the system without proper training and without having to demonstrate that they understand and carry out the processes involved. Would you want hospital cleaners to carry out your blood tests?

  37. Anonymous Coward
    FAIL

    Public sector? Sh*t 'em

    Public Sector - shit 'em! From 2004 to 2006 I spent 18 months supporting a very large QUANGO which was brought back under full Governmental control. The Regional Government in question issued strict IT guidelines about system and software specifications and we spent around five million pounds and six months on the upgrade. After the process was complete, we had some government staff come to work in our offices and they brought Windows NT 4.0 workstations! I had a rapport with some staff and as our printers were running on W2K3 in native mode, the NT 4 boxes couldn't print. One member of staff asked how she could print and I replied, go back to the office you came from. She understood this was an attempt to defuse the situation with some light humour (ok so you had to be there) but one of her colleagues overheard what I said, burst into tears and ran to the director's office! Needless to say the director had words with me, not her for listening to a private conversation, but it is the nanny state in the public sector which allows idiots like this to work there.

    In the same place we had another luser who was registered blind and had been given a very large screen and high-visibility keyboard (all of which we had to replicate in the training room just in case she ever attended training) and she was given special dispensation when it came to the fixed policy of password resets, for which a form had to be filled out and faxed to the helpdesk. Her eyesight prevented her from filling in this form. OK, I understand people have disabilities, I too am registered disabled; however, she was employed to check the receipts against the expenses, so if she cannot fill in a password reset form, how on God's green earth is she able to check poorly printed till receipts against what the staff were claiming in expenses?

    The mind boggles, no more public sector for me thanks.

  38. Graham Bartlett

    @Brian Miller

    You probably don't care if your neighbour found out about your piles, no.

    However you might care if BUPA decided to revoke your medical insurance as a result of tests on your last blood sample which found some genetic marker that predisposed you to skin cancer. You might care if your teenage daughter's schoolmates found out about her bulimia and self-harming. You might care if your employer found out that you had schizophrenia controlled by medication and decided to get rid of you. You might care if you moved to a country where vasectomies are culturally unacceptable and you couldn't manage your workers when they found out.

    You might also care that this is absolutely not front-line healthcare, so your whole argument is bollocks.

  39. Simon B
    WTF?

    Sack!!

    Sack the prick!! All that person had to do was ask someone for help, FFS.

  40. IBALI2010

    Response to Chris McIntosh

    I would like to point out an issue here...

    The statement from the chief exec of the encryption supplier isn't entirely watertight. I work as an IT Infrastructure Architect and this is an issue that plagues many companies, large and small. But the plain answer here is that if a proper security strategy was implemented using black and white lists for allowed USB drives, this would never have happened. If the IT department enforced this properly, users wouldn't be able to put unsecured devices such as iPods or USB drives into their business PCs.

    All of the training in the world can be done, but if you don't secure the mechanism that grants access to the system then I'm sorry, but THIS IS A FAILING of the encryption supplier. So rather than sitting on the fence and blaming the company, maybe the security company should take some of the rap for not doing their job correctly.

  41. Matt Hawkins
    Pint

    ICO Useless & Toothless

    Until the ICO actually take any action they are pointless and might as well be disbanded to save us all the cost.

    Every major DP act breach there has been has resulted in no action. Apart from the odd fine.

    Where someone has deliberately circumvented security processes they should be given the sack at the very least.

    It's funny how the council thought issuing new USB sticks was enough. How about making it impossible to use anything but the new USB sticks.

    I bet the council employee used their own stick because it was a nicer colour than the official one.

    The way to go is:

    1) encrypted USB/CD/DVD hardware/software

    2) an IT system that does not allow any other devices to be used

    3) colour coded sticks so that everyone present during the data transfer is aware if the stick is official

    4) the use of any other hardware to be considered data theft

    oh, and the ICO growing a pair.

    Job done.

  42. Matt Hawkins
    Grenade

    Rubbish

    @Argus Tuft

    "Those posters need to get out of their ivory data centres and into the real world where people do actually need to give data to others (eg customers) on unencrypted USB's."

    Sorry but we are talking about Council data here. There is no need to pass anyone Council data about members of the public to anyone in an unencrypted form.

    If the recipient can't cope with it they are clearly not to be trusted storing or processing it.

    No exceptions.

    1. Argus Tuft

      @ Matt Hawkins

      The 'lock down all ports' comments were being made in a generic fashion relating to all users. That is simply not realistic. Even councils do need to pass data to people in unencrypted formats - tender documents to vendors etc.

      Yes this person should NOT have copied the data. No question. The solution though is not a knee-jerk 'lock down all ports on all machines for everyone' - but to look at why they worked around what was in place and make the process fit in a way that they can use (and is simpler to follow than to avoid).

      e.g. an app that recognises the confidentiality level of the data and will only write it to appropriate media: unrestricted to clear USB, confidential to encrypted, secret blocked... - but that is dependent on a usable rating system beyond the control of the user (or everything becomes unrestricted...).

      Sooo many of us lose sight of the fact that ultimately IT systems are not an end in themselves - they are only there to support the business process. The modern version of paper shufflers who see their forms as being more important than the process that the forms are meant to assist.

      If the systems are not supporting that business process (rather than being a process themselves) then they need work.
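The port control that Spanners, IBALI2010 and Matt Hawkins call for, and the classification-aware write rule Argus Tuft sketches in the reply above, both reduce to the same deny-by-default allowlist. The script below is an added illustration, not code from the council, the ICO or any commenter: it keeps an allowlist of issued sticks keyed on vendor ID, product ID and serial, blocks anything else, refuses to write confidential material to a non-encrypted stick and secret material to any removable media, and renders the allowlist as USBGuard rules (USBGuard's `allow id VID:PID serial "..."` syntax and its `ImplicitPolicyTarget=block` setting are real, but the device IDs, serials and the three-level classification scheme are constructed for the example).

```python
"""Deny-by-default removable-media policy (added example, constructed data).

Two decisions are modelled:
  1. device_decision: port control, only allowlisted sticks are usable at all;
  2. write_decision:  which classification levels may be written to which stick.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str   # hex idVendor as exposed by the OS (constructed values below)
    product_id: str  # hex idProduct
    serial: str      # iSerial string; a stick with no serial can never match


@dataclass(frozen=True)
class ApprovedDevice:
    vendor_id: str
    product_id: str
    serial: str
    hardware_encrypted: bool  # True for the issued hardware-encrypted sticks


# Hypothetical classification scheme, least to most sensitive.
LEVELS = ("unrestricted", "confidential", "secret")

# Constructed allowlist: two issued encrypted sticks plus one plain stick
# approved only for unrestricted material (tender documents for vendors etc.).
ALLOWLIST: Tuple[ApprovedDevice, ...] = (
    ApprovedDevice("1234", "5678", "ENC-0001", hardware_encrypted=True),
    ApprovedDevice("1234", "5678", "ENC-0002", hardware_encrypted=True),
    ApprovedDevice("abcd", "0001", "PLAIN-07", hardware_encrypted=False),
)


def lookup(device: UsbDevice, allowlist=ALLOWLIST) -> Optional[ApprovedDevice]:
    """Exact match on VID, PID and serial; hex IDs compared case-insensitively."""
    key = (device.vendor_id.lower(), device.product_id.lower(), device.serial)
    for entry in allowlist:
        if key == (entry.vendor_id.lower(), entry.product_id.lower(), entry.serial):
            return entry
    return None


def device_decision(device: UsbDevice, allowlist=ALLOWLIST) -> str:
    """Port control: a stick that is not on the allowlist is blocked outright."""
    return "allow" if lookup(device, allowlist) else "block"


def write_decision(level: str, device: UsbDevice, allowlist=ALLOWLIST) -> str:
    """Classification-aware write rule (fails closed on unknown labels):
    unrestricted -> any approved stick, confidential -> encrypted approved stick,
    secret -> never to removable media."""
    entry = lookup(device, allowlist)
    if entry is None:
        return "block: device not approved"
    if level not in LEVELS:
        level = "secret"  # an unrecognised label is treated as the most sensitive
    if level == "secret":
        return "block: secret data never leaves on removable media"
    if level == "confidential" and not entry.hardware_encrypted:
        return "block: confidential data requires an encrypted stick"
    return "allow"


def audit_line(user: str, device: UsbDevice, decision: str) -> str:
    """One log line per decision so blocked attempts are visible to the SOC."""
    return (f"usbpolicy user={user} vid={device.vendor_id} pid={device.product_id} "
            f"serial={device.serial} decision={decision}")


def usbguard_rules(allowlist=ALLOWLIST) -> str:
    """Render the allowlist as USBGuard rules. Unlisted devices are blocked only
    if usbguard-daemon.conf also sets ImplicitPolicyTarget=block."""
    return "".join(f'allow id {d.vendor_id}:{d.product_id} serial "{d.serial}"\n'
                   for d in allowlist)


if __name__ == "__main__":
    personal = UsbDevice("1234", "5678", "PERSONAL-99")  # user's own stick
    issued = UsbDevice("1234", "5678", "ENC-0001")
    print(audit_line("jdoe", personal, device_decision(personal)))
    print(audit_line("jdoe", issued, write_decision("confidential", issued)))
    print(usbguard_rules(), end="")
```

The serial number is part of the key on purpose: matching on VID:PID alone would let any stick of the same make and model through, which is exactly the "nicer colour" workaround the thread describes.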

  43. Anonymous Coward
    Unhappy

    my guess is

    it was transferred by memory stick because it was too sensitive to send by email.

    pity they don't seem to know about Dropbox or similar
