Wednesday, March 25, 2009

London health authority put on notice over data breach

Copied shamelessly from the Register this morning

All text and comments can be found at the above link; I am merely reposting it.
None of this is my own work, nor do I have any comments to add; 10-11 people I've never met have done it all for me.

I have put one comment in italics to show the kind of spin Camden engage in, but remember it's the other person's comment (freely available here) that is being highlighted.

A north London health authority has been given until the end of the month to improve its information security policies following an embarrassing information security blunder last year.

The Information Commissioner's Office has given Camden Primary Care Trust until the end of the month to pull up its socks following a breach of the Data Protection Act. The ICO's enforcement order comes after PCs containing 2,500 patients' names, addresses and medical histories were dumped beside a skip inside the grounds of St Pancras Hospital last August.

Data on the obsolete computers was left unencrypted. The machines were subsequently swiped without authorisation and never recovered.

Mick Gorrill, Assistant Information Commissioner at the ICO, said: "This incident highlights organisational error and will no doubt damage public trust in the NHS locally.

"I am increasingly concerned about the way some NHS organisations dispose of sensitive patient information. Organisations need to ensure they implement appropriate safeguards to ensure personal details about patients are disposed of in compliance with the Data Protection Act."

The ICO has ordered the Camden PCT to ensure personal information is removed from its computers as soon as they are decommissioned, and to report on its progress in achieving this goal by the end of the month. Failure to comply with the order would place the health authority in contempt of court.

Camden PCT chief executive Rob Larkman told the Health Service Journal that the incident that provoked the order was an aberration. He added that the health authority had reviewed its procedures and training as a result of the incident.

"NHS Camden sets itself incredibly high standards when it comes to patient confidentiality and data protection," Larkman said. "Unfortunately, on this occasion we fell below our high standards by inadequately disposing of a number of obsolete computers." ®

"NHS Camden sets itself incredibly high standards when it comes to patient confidentiality and data protection," Larkman said. "Unfortunately, on this occasion we fell below our high standards by inadequately disposing of a number of obsolete computers."

It's like saying you have incredibly high personal standards of honesty, but unfortunately on this occasion you fell below your high standards by lying.

You know, initially I thought this must be just the latest variant of that weird seizure disorder that afflicts the public sector when they get hold of a computer with sensitive data on it; you know, the one that renders them completely unable to keep hold of it, wipe it, find it or stop blabbing about it to other departments. Then I realised, it was an Information Sharing Order, it's just that the recipient part of the form was blank, so the ****wits thought that meant the ENTIRE BLOODY WORLD...

Seriously, DBAN. It's not hard FFS and it's free.

I worked in the NHS fifteen years ago, and we already had a chuffing great magnet for knackering hard disks back then - where have these people been?

The statement 'Failure to comply with the order would place the health authority in contempt of court.' - what does this mean exactly? Does it mean a fine, and thus remove monies from healthcare, or does it mean a stiff letter from some jobsworth in government?

really care about practices.

In this case, place the Chief Executive of the Trust in Contempt of Court, drag away in the public glare in handcuffs and lock him/her/it up for a while. Make sure it is not a nice place and make sure the whole world knows. Even if it only for one night. Then rack up the insurance costs and take it out of their bonuses.

These so called "leaders" must be held accountable and made take data loss seriously. A dose of prison will probably concentrate their minds and will be a lesson to others. Same with the senior bankers and dodgy politicos and their expenses.

but who is responsible?

By DR Posted Tuesday 24th March 2009 15:58 GMT

the guy in charge,

or the over worked IT guy who wasn't properly allowed the time and space to actually wipe the machines?

it's all very well to say use DBAN, but if you do that where the PC is set up then you will get complaints from the guys who see their desk space being used by a useless box sitting in the way of their upgrade.

And I doubt that the IT offices are large enough to store a mountain of computers whilst they were waiting for the time to get around to wiping them before disposing of them...

I'm not defending them, just suggesting it's probably not that the person who put these there was likely up against it and it was just something that was overlooked.

or perhaps this is a good call to have a situation where no data is actually on the machines, and is instead only accessed, from some kind of large centralised database

(bring on the big databases... umm no wait, I can't believe I just said that).

Instead of the Trust being in contempt of court it should be made the responsibility of an individual when in a public organisation.

That way any fine or punishment would not be on the patients, and that individual would have some motivation to do their job!

It is fairly common practice in other industries to make individuals responsible... e.g. at Channel 4 a producer is responsible for their programme right up to broadcast, so they have to chase idents and adverts and stuff. Funnily enough it works well that way!

Don't worry the NHS database will be different

People and organisations like this won't have access to the data so there will be no chance of it being lost or security being breached in any way

Oh wait...

feel that those responsible for this breach be subjected to punishment by the patients whose data they exposed.

Now, if I were one of those patients, I would get my hands on a bag of USED hypodermic needles, and use those f*tards as a dart board. Put the "bullseye" right over the groin.

but that means it's OK for them to make their huge database to track every bit of detail about us - as long as they "lose" all of the data before putting it in to the database it is now public information and isn't private and confidential any more, so it's OK

Disclaimer: What Camden get up to after I have left their employ is their problem...
