IT news: Industry leaders urge the NHS to improve data protection after laptops are stolen from London trust

Published: 22-Jun-2011

THE question of how NHS trusts can better protect patient data rumbles on following news that a London PCT has lost 20 laptops from a storage facility, potentially breaching the privacy of more than 8.6 million patients.


NHS North Central London has called in the Metropolitan Police after discovering the theft from a lock-up run by London Health Programmes, which analyses patient care in the boroughs of Barnet, Camden, Enfield, Haringey and Islington. It has since found eight of the computers, but the remaining 12 are still missing.

While the trust admits the data held on the computers was unencrypted, which goes against Department of Health regulations, bosses say the mobile devices were password protected and claim it is unlikely any private information could be accessed.

In a statement, a trust spokesman said: "London Health Programmes routinely audits a large amount of data to track the care that patients receive. The data did not include patient names. The data was deleted from the laptop after it was analysed and we currently believe there is a very low risk that any data could be recovered from the laptop or that patients could be identified from the loss of this data. We take any potential data breaches very seriously and a full investigation is underway."

But the incident has led to renewed calls by the IT industry for improved security among NHS trusts, which under the health service reforms are to carry out more services in community and outreach settings. As a result, mobile devices such as laptops and smartphones will increasingly be used to record and check patient details while on the move, increasing the potential for them to fall into the wrong hands.

Mark Exley, general manager for product development at LapSafe Products, said the industry had responded to the potential for data loss by making a number of low-cost solutions available.

He added: "Unfortunately, theft of computer equipment appears to be a growing trend within the health sector. It was only in February that Calderdale and Huddersfield NHS Foundation Trust revealed that 1,500 patient details had been lost when a laptop was stolen from Calderdale Royal Hospital. Although security has since been improved at this hospital, the latest incident emphasises there are still dangerous flaws in the way some health authorities manage their IT security. Laptop theft can have serious consequences, especially if confidential data falls into the hands of blackmailers, and it must be stamped out to protect patients' safety and ensure that NHS resources are not wasted on costly fines for breaches of the Data Protection Act."

Commenting on the NHS North Central London theft, he said: "There are ways in which London Health Programmes could have acted differently to mitigate the consequences, or even prevent the theft. Speed is everything when it comes to data, and this is even more important when data has been stolen, but it took NHS North Central London three weeks to report the potential theft to the police. If the police had been notified sooner, they may have been able to recover the laptops, leaving less time for sensitive information to be removed.

"In addition to logging the theft earlier, the authority may have been able to keep records away from thieves and blackmailers by simply encrypting its data. Although the department followed the policy of deleting information once it had been processed, this procedure would not protect data if it was taken before personnel could remove it from the system. Encryption can protect records by scrambling data to make it difficult for unauthorised personnel to determine its meaning, often rendering it useless to thieves."

With regard to the laptop devices themselves, he advises: "Simply locking them in storage rooms will not keep them safe. Laptops and tablets are best protected in a secured lockable cabinet that can be bolted to the wall or floor. This cabinet should be constructed of reinforced steel, not wood or plastic, and be designed to resist crowbars, cutting equipment and lock pickers. While laptops are in use, they should be locked to desks or secured to fixed furniture with security cables to prevent unauthorised visitors walking away with them. Staff should never leave equipment unattended and avoid discussing IT assets on their websites, social networking sites or in the local press.

"Laptops are an invaluable tool throughout the NHS, but can compromise patient safety if they fall into the wrong hands. Implementing IT security does not have to be time consuming or expensive. More importantly, securing mobile IT can protect patients and health professionals must take steps to guard against laptop theft, or suffer serious consequences."

Don Smith, vice president of engineering and technology at IT supplier Dell SecureWorks, warned that the responsibility for IT security needed to be accepted at all levels. He told HES: "Personal data is not an abstract commodity and the onus should be on organisations to create the proper culture, policies, processes and procedures for data handling and protection.

"At the moment there are a variety of techniques that can be employed to help look after data; ranging from firewalls, database security and access control to email encryption and additional network segmentation.

"Data loss prevention will only become much more complex, challenging and costly for the public sector as it continues to grow its online offerings. The online and offline worlds of this sector will become increasingly intertwined through remote working, cloud computing and virtualisation and as a result there will be a move towards outsourcing data loss prevention to external firms who have the specialist skill, resource and capacity to monitor systems fully. A holistic view of IT systems will be imperative to ensure organisations have the vision to act on what is facing them at any given time and the vision to plan for the future."