The impact of the recent theft of a laptop from Aberdeen Royal Infirmary could have been avoided.
Mark Fulbrook, Cyber-Ark's UK and Ireland director, claimed that the incident was the result of poor security policies at the NHS authority. The laptop was stolen from a locked office at the hospital and contained more than 1,300 north-east patients' personal details.
Fulbrook said: “Granted, the laptop was protected using a standard Windows password, but this level of security can easily be circumvented by an IT professional. You have to question why the data was stored on an unencrypted basis on the computer in the first place.
“Not only will the patients affected by this laptop theft be worried about their data being made public, but the worry of the situation could actually make their problems worse. The fact that the problem was totally avoidable makes this data loss situation a lose-lose event for all concerned.”
NHS Grampian bosses today apologised for the ‘stress and anxiety’ the security breach would cause and insisted only an expert could access the password-protected files, which include patients' names, addresses, dates of birth, as well as details of diagnosis and medication.
Richard Carey, chief executive of NHS Grampian, wrote to the patients affected five days after the theft was discovered. His letter said: “I am very sorry to inform you that some of your personal details may have been compromised by a theft that occurred from Aberdeen Royal Infirmary. NHS Grampian deeply regrets that this incident has occurred and the anxiety and stress that this will cause people.”
Fulbrook claimed that patient data of this type should never have been stored on a portable computing device, but stored instead on a computer server in encrypted format, accessible to laptop users on a remote, encrypted VPN basis.
Using this approach, with the master passwords accessible only to a few senior officers through a data vaulting approach, would mean that access to the patient data was available on a fully audit-logged and authenticated basis.