A recent report by the Information Commissioner's Office (ICO) on an NHS trust's loss of patient data highlights a challenge that extends well beyond the health sector.
In the incident at the University Hospital of South Manchester NHS Foundation Trust, a medical student lost the personal information of 87 patients after mislaying an unencrypted memory stick.
The student, who had been on a placement at the hospital's Burns and Plastics Department, copied the data onto the personal device for research purposes. According to Chris McIntosh, chief executive of ViaSat UK, the incident demonstrates the risk of a complacent approach to data protection, as well as the need for training to be carried out across all levels within an organisation.
He said: “There is little point in having a policy in place if it is not adhered to by everyone. Sensitive information on patients needs to be secured and, if it is stored on portable storage devices, these devices need to be encrypted.
“Data protection training needs to be instilled at an early stage for those working with sensitive data, in the same way that health and safety training is undertaken before staff begin work. It should also be transparent who has, and who has not, received this training so that presumptions are not made, rules are adhered to and further losses like these are prevented in future.”
Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said the story was “hardly encouraging”, as the NHS holds the most sensitive of our personal information and the public expects it to protect this data adequately.
He said it was particularly disappointing that the trust assumed the student had received data protection training. “Given the importance and sensitivity of the information in question, this should have been checked properly and addressed immediately,” he added.
Christian Toon, head of information risk at Iron Mountain, said the case highlights the need for adequate information management training for staff at every level.
“The NHS needs to integrate corporate training and self-regulation into its organisation and build a genuine culture of ‘doing the right thing’, so that mishaps can be avoided. While no information management system is foolproof, correct training and regimented checks as part of a cultural shift will ensure that the human factor is less of an influence and limit data-loss incidents,” he said.
Another worrying aspect of this incident is the negative implications of the ‘bring your own device’ (BYOD) concept. Stephen Midgley, vice president of global marketing at Absolute Software, said this case was a prime example of the challenge companies face in light of the BYOD trend. “They must take appropriate measures to enable central management of devices, as this is the only way they can ultimately ensure the protection and integrity of their data,” he said.
Marc Lee, EMEA sales director at Courion, said the case illustrates the need for organisations to better understand the assignment of appropriate risk levels and user access rights to everyone accessing the corporate network.
He said: “Enforcing strict access rights management will help organisations control not only who is accessing sensitive data, but also how this information is being used and who is entitled to copy confidential data on personal devices such as unencrypted USBs. This will inevitably minimise the risk of inappropriate data use and will help organisations ensure that only the right people have access to the right information and are using it in the right way.”
This incident, then, has implications that go beyond simple data loss prevention and robust policy management. It is a clear warning about the perils of giving temporary staff access to sensitive data, of allowing unapproved and unencrypted personal devices, and of assuming rather than verifying that training has taken place.