Stolen unencrypted hospital laptop causes discussions on data encryption

An unencrypted laptop belonging to a Yorkshire hospital was stolen potentially impacting 1,500 patients.

According to the Huddersfield Daily Examiner, the laptop was used as part of an electromyography (EMG) scanner in the hospital and had no data encryption deployed.

At a recent meeting of Calderdale and Huddersfield NHS Foundation Trust's board of directors, medical director Yvette Oade said that discussions were ongoing with manufacturers as to whether data could be encrypted to prevent information being accessed if such an event occurred again.

She told the Examiner: “They wanted us to put software on to the computers to create the encryption but the information service was anxious not to disturb the functioning of the equipment. The patients were all written to and a number of queries were raised, we responded quickly and they appeared to be reassured.”

A letter received by patients described the computer that formed part of the EMG machine and confirmed that they had tests on the machine that contains personal information, names, dates of birth and addresses.

Sean Glynn, vice president at Credant, pointed out that unlike most NHS laptop thefts, the notebook was not used as a portable and/or standalone device, but apparently formed an integral part of Calderdale Royal Hospital's electromyography scanning system.

He said: “This probably means that the health trust didn't apply its usual risk management procedures to the device, since it ostensibly formed part of the EMG patient scanning system. The data on the system should, however, have been encrypted, if only to prevent prying eyes looking at the patient records, especially since this was a scanner looking for a potentially serious clinical condition.

“What the case highlights is the fact that patient data within the NHS needs to be protected at all times, preferably using encryption, but also where the IT system has components, such as a laptop in this case, much higher levels of security clearly need to be employed.

“The fact that the laptop was probably classed as a medical scanner component, rather than a portable device, did not matter a jot to the thief. A laptop is a laptop and laptops can, and do go walkabout with annoying frequency.”

Nick Lowe, Check Point's head of Western European sales, said: “Even though the laptop was used as part of a scanning solution, it still contained patients' personal details and was a likely target for theft, so it needed securing. Security has to be applied automatically whenever the laptop is locked or shut down, so that users don't have to remember to apply it and can't work around it.”

Sign up to our newsletters