It may seem strange that someone who works so closely with ESET North America should keep writing about the UK's National Health Service, but then I do live there.
In fact, I've worked in that environment several times in the course of a depressingly long career, in nursing, in administration, and (most recently) in security management, which is probably why I sometimes get asked for press comment on NHS security news.
Unfortunately, in recent years, the news has generally been bad (and I'm not even going to do more than mention the collapse of the National Programme for IT...). Consider, for instance, the somewhat clumsily handled loss of data belonging to 1.6 million people within the purlieu of the Kent and Medway Trust. The Information Commissioner's Office must have a permanently active hotline to the Department of Health by now, given the number of times it has censured NHS staff for the loss of sensitive data.
Stephen Cobb, who recently joined ESET as security evangelist, has also drawn my attention to some health-related security breaches in the United States. While the numbers are a bit smaller in this case (20,000 patients at Stanford, 3,000 in Indiana), some aspects of these incidents are all too familiar: The Indiana data was probably collateral damage – it just happened to be on a laptop apparently stolen from a physician's automobile.
Well, it's not surprising that laptops are a common target for opportunistic thieves, but some of the figures are eye-watering. A survey conducted by Intel and the Ponemon Institute in 2010, polling 329 organizations, estimated that those entities lost 2.1 billion dollars as a result of 86,455 laptops going missing. Personally, I'm generally slightly skeptical about the kind of extrapolation that leads to cost estimates like that, but some of the data thrown up in that survey is more convincing and still relevant in 2011 to health care and related sectors. For example, the statistics on loss by industry showed that the top three sectors were education and research (10.8 percent), health and pharma (10.1 percent) and the public sector (9.1 percent). And nearly three-quarters of those 86,455 laptops were not protected by encryption, and 27,838 of those unencrypted machines carried confidential data. However, I don't know how many of those belonged to the top three sectors.
The Stanford breach also has a familiar ring: As Stephen pointed out, it highlights the particular importance of monitoring and enforcing outside contractor security: “Any organization that uses outside contractors, needs to make sure that those contractors adhere to the same standards of information security as the organization itself.” Or better…
Well, it's not rocket science. As Stephen also points out, incidents like this are at least “an opportunity to learn.” I recently came across a Microsoft article which neatly encapsulates, in 10 tips, many of the lessons that the laptop-using community needs to learn, some of which I'll summarize briefly here:
· Computer bags advertise the fact that you're carrying a laptop.
· Encryption is a good thing and strong passwords are a must, but keeping them with your laptop in transit isn't the best idea.
· Keep your eyes – and, as far as possible, your hands or knees – on your laptop in airports, in hotel rooms (beware the Evil Maid!), on public transport, and so on.
· Make full use of laptop security cables, device location software, remote wiping facilities and so on.
I think I feel a white paper coming on…