Lanarkshire NHS has admitted to a catalogue of losses of IT and medical equipment.
A Freedom of Information request by the Wishaw Press found that six computers and a hard drive had gone missing from NHS Lanarkshire buildings since 2008.
The NHS trust confirmed that the laptops were fully encrypted. Because the hard drives and desktop computers were not encrypted, an exercise had taken place to remove all information from them and store it on central servers. In addition, the IT systems do not allow users to store anything to the computer's hard drive.
NHS Lanarkshire said: “We have robust procedures in place governing the loss of any data or equipment lost or stolen. All incidents must be reported so that a full investigation can take place.”
Stephen Midgley, global marketing vice president at Absolute Software, said: “Whilst NHS Lanarkshire are emphatic that patient confidentiality has not been breached, with these laptops in unknown hands the data they contain could be vulnerable despite encryption.
“Whilst the health board has undertaken measures to mitigate the risk of data loss, they cannot pretend that encryption is uncrackable. Despite safeguards preventing users from saving documents to the hard drive, many users cache passwords that could well provide access to the server via VPN. Remote data wiping is an area of security that has been neglected here and without remote governance the NHS will have no way of knowing whether its procedures were enough.”
A recent report by the Information Commissioner's Office on audit outcomes within the NHS found that 67 per cent fell within the reasonable assurance range, while one high assurance rating was awarded, indicating a year-on-year improvement in the assurance ratings awarded.
It also said that within the NHS there were good information governance frameworks and clear management strategies for information governance and data protection, as well as training programmes, information governance strategies and incident security management policies in place.
Louise Byers, head of good practice at the ICO, said: “While the NHS and central government departments we've audited generally have good information governance and training practices in place, they need to do more to keep people's data secure. Local government authorities also need to improve how they record where personal information is held and who has access to it.
“The results of these reports show why we have requested an extension to our compulsory audit powers to cover the NHS and local government sectors. Organisations in these areas will be handling sensitive information, often relating to the care of vulnerable people. It is important that we have the powers available to us to help these sectors improve.”