Industry Research: Cryptzone Highlights Need for NHS Data Protection
Commenting on reports that the South London healthcare trust has admitted to losing two unencrypted USB sticks containing the medical details of around 630 adults and children, Cryptzone says that this comes almost two years after the deputy Information Commissioner gave an Infosecurity Show keynote in which he revealed that a third of the 30 major data breaches the ICO handles each month involve the NHS in one shape or another.
Grant Taylor, UK Vice President of the European IT threat mitigation specialist, says that this latest NHS data faux pas shows that we are almost certainly no further along in the healthcare security space than we were two years ago. "What saddens me most of all is that some of the data that went walkabout as a result of these USB sticks being unencrypted involved the records of children - as well as maternity patients. These are precisely the members of society whose interests we should be looking out for, as the kids almost certainly cannot look out for their own data," he said.
"I think it also speaks volumes that the data breaches took place in separate incidents, the first of which involved patient’s information being downloaded to an employee’s home computer and then saved to a USB stick, which is a clear breach of policy on several fronts," he added. The Cryptzone Vice President went on to say that the second incident apparently involved the names and dates of birth of 30 kids - as well as the audiology reports of three more children.
As the ICO says, he noted, in both cases the data was put at unnecessary risk and, of course, in the first incident, it was claimed that the member of staff had not received up-to-date governance training. But it is incidents like these, says Taylor, that show why the use of technology as a means of enforcing data encryption and protection is so very necessary.
The latest figures show that the NHS employs around 2.8 per cent of the adult population in England - and because it is simply not feasible to expect every single employee to buy into the reasons why patient data needs to be protected, it is important that patient data is encrypted at its source, with highly controlled access to that data then granted only on a record-by-record basis. Using this methodology, he says, would allow the use of an endpoint access control system, one that changes the levels of security – and the enforcement to back up that security technology – depending on whether the data was, for example, being accessed on a local or remote basis.
"Coupled with suitable training and ensuring staff really understand what is both right and wrong when it comes to handling patient information, this approach would allow clinical, nursing and administrative staff within an NHS environment access to patient information when they need it, but block access – such as when a member of staff tries to download the data from home – in inappropriate circumstances," he said. "The important take-out from these latest NHS data loss incidents is that, even if health care staff have had a particularly taxing day, the deployment of truly effective encryption and security technology – allied with suitable awareness training - would have gone a long way towards helping to prevent this situation from happening in the first place," he added.
"These two incidents – when taken against the ongoing backdrop of a constant stream of NHS data losses and breaches – also show why the government needs to appoint an NHS data protection czar, with the specific aim of liaising with the ICO and helping the many NHS trusts get a better grip on their levels of data encryption and protection," he added.
Published: Wednesday, May 2, 2012