Unhealthy Irritation


I have to admit, I find this sort of thing just irritating:

The Register last week reported that eight million patient records were lost on a laptop. Unencrypted records. No, really.

As a spokesperson for the UK's National Health Service (NHS) said: "We have set clear standards for NHS organisations to adhere to on data handling, and have issued guidance that sets out the steps they must take to ensure records are kept secure and confidential."

So that's all right then.

It's easy to throw stones when a breach occurs, and honestly, I get it: bad stuff happens. But really, eight million records on a laptop that wasn't even encrypted?

Throwing gasoline on my simmering ire was this article, also this week, from NHSonline.com.

As David Mount from NetIQ puts it: "The NHS organisations are frequently in the firing line for allowing information breaches of sensitive personal data and therefore need to do more to comply with the law." No kidding.

The Deputy Commissioner and Director of Data Protection at Britain's Information Commissioner's Office (which has the power to act on serious privacy breaches and levy fines) says: "The most frustrating aspect of investigating breaches is that many of them could have been prevented by taking very simple steps."

Here's the problem: breaches happen because a number of things go wrong together. They are almost never the result of a single mistake or failing. In this case, sensitive data had to be copied onto a portable device, that device had to leave controlled premises, and nobody had to have enforced encryption of data at rest before any of that could turn into a breach. I'm pretty sure that no one involved was doing anything other than trying to provide the best services to patients that they could, and that includes the security folks.

But that's the point; that's *always* the point: security isn't seen as adding value until all those mistakes and short cuts line up neatly and a breach occurs. It's only then that everyone suddenly feels a desperate urge to get security religion and starts talking about how they should have been following policy, and how it's individual responsibility, and how, well, you know the chorus; feel free to sing along. It's frustrating because, while we're all running in circles wondering who LulzSec is going to hack next, the real security problems, the day-to-day issues that cause big breaches (unencrypted data on laptops and USB sticks, bulk copies of records made for convenience, controls that exist on paper but are never enforced on the device), are not getting addressed.

This gem came from an 'anonymous source' inside the NHS security team: "If they want to be extra secure then by all means encrypt the data, but there would be downsides to it."

"Extra secure"? I'm pretty sure that if you asked those eight million-plus patients, they'd generally agree that encrypting their records was more along the lines of "the least you could do, thanks."
