The Oxford University Hospitals NHS Foundation Trust suffered a major breach of confidential information in March when a member of its staff lost an unencrypted memory card that contained medical records and photos of three patients.
Memory card containing patient data was not encrypted
In a statement released recently, the NHS Trust admitted that even though the affected patients had consented to the use of their medical information, it had committed an error by not encrypting the memory card that contained such sensitive details. The staff member who lost the memory card had used it to give a presentation at a conference.
"The presentation used three patients’ information and their consent for this use had been obtained. The memory stick should have been encrypted, but was not and the member of staff has been reminded it is trust policy to use encrypted memory sticks.
"The member of staff has undergone refresher training on Information Governance in line with trust procedure. Again in line with the trust policy, the individuals (referred to by first name only in the presentation) have been informed, as has the ICO. The trust takes patient rights for their data to be kept confidential very seriously," the Trust said.
The data breach yet again highlights two main cyber security issues that the NHS has been trying to deal with: ensuring complete visibility over devices that contain sensitive patient information, and ensuring that such devices are encrypted and secured from external access.
If whoever found the memory card turned out to be a fraudster, they could easily sell the information to cyber criminals or share it with third parties. In this case, the Oxford University Hospitals NHS Foundation Trust has placed the blame on the staff member concerned, stating that they should have used an encrypted memory card in the first place.
In order to prevent a repeat of this incident, the Trust would do well to provide refresher training on Information Governance to all staff so that they remain vigilant and careful around sensitive patient data. It remains to be seen what steps the ICO will recommend the Trust take to prevent the loss or abuse of patient information.
Lack of security around storage devices
This isn't the first time that organisations have lost sensitive personal information of employees or customers due to loss of company-owned devices. In November last year, the exclusive Oxford and Cambridge Club suffered a major data breach incident after thieves managed to get their hands on an external hard drive that contained personal details of as many as 5,000 members.
The hard drive, which was stolen in the communications room at the headquarters of the Oxford and Cambridge Club in Central London, contained names, addresses, phone numbers, dates of birth, financial details, and photos of Oxford and Cambridge Club members, as well as data belonging to as many as 100 staff members.
Earlier this year, the government's Cyber Security Breaches Survey of 1,519 UK businesses and 569 UK registered charities revealed that even though 98% of businesses and 93% of charities used digital assets to communicate with their customers or to accept payments, these businesses and charities were also highly vulnerable to cyber attacks and infiltrations.
The survey found that only 56% of businesses and 55% of charities that stored customer data had rules and controls around encryption, only 27% of businesses and 21% of charities had cyber security policies in place, and only 13% of businesses and 8% of charities had a cyber security incident management process in place.
Organisations have the ultimate responsibility of cyber security
In a guest article for TEISS, Matt Lock, Director of Sales Engineers at Varonis, wrote in June that even though organisations have the ultimate responsibility for the security of data on their systems, when it comes to keeping their own information and data secure, employees are often their own worst enemies.
"Ask any worker about their personal data management habits, and you’ll very likely find they have regularly used their work device to store personally identifiable information (PII) about themselves, either on the machine itself, within their emails, or on the company network.
"From event registration details to a forgotten scan of their passport, most devices are ripe with personal data that could cause a major security incident for both the individual and the company if it falls into the wrong hands," he said.
"A lack of awareness is the major cause of these employee-created risks. Most employees have no idea they can reach each other’s files until they stumble into them, and are not aware of the risks created by leaving PII on their systems. Collating important personal data in a single place is quite a useful and practical step – as long as it has been stored securely.
"Ultimately, the onus is on the company to know what data they have on their systems and they should take the initiative to inform their employees of the risks of unsecured PII – whether their own or that of customers – and provide practical advice on dealing with it correctly.
"For example, all work-related data on the system should be saved to properly secured areas or deleted as soon as possible. Additionally, whilst it's now commonplace for companies to tell employees not to save personal information to corporate file shares, organisations should still regularly conduct searches of their file stores to identify, classify and flag any potentially sensitive information," he added.
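The search-and-classify step Lock describes, as an added example that is not part of the article and is not Varonis's tooling: a small Python scanner that walks a file store, matches a few classes of personal data with regular expressions, assigns each file a handling class, and reports counts with masked samples so the report itself does not become another copy of the PII. The file names and contents are constructed for the example, and the PII patterns are simplified heuristics (a production classifier would add check-digit validation and context keywords to cut false positives).

```python
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample "file store": relative path -> text content.
# scan_directory() below does the same over a real directory tree.
SAMPLE_FILES = {
    "shared/minutes-2019-03.txt": "Action items from the March meeting. No personal data here.",
    "shared/passport-scan-notes.txt": "Passport number 123456789, expires 2027. Contact: j.smith@example.com",
    "hr/payroll-notes.txt": "NI number AB 12 34 56 C for new starter; phone 07700 900123",
}

# Simplified patterns for PII classes that commonly end up on file shares.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D, optional spaces.
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I),
    # UK mobile number: 07xxx followed by six digits, optional space.
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
    # Nine-digit run shortly after the word "passport".
    "passport_number": re.compile(r"\bpassport\D{0,20}\d{9}\b", re.I),
}

# Higher score = more damaging if leaked; drives the handling class.
SEVERITY = {"uk_ni_number": 3, "passport_number": 3, "email": 1, "uk_mobile": 1}


def scan_text(text: str) -> dict[str, list[str]]:
    """Return {pii_class: [matched strings]} for one document (empty dict if clean)."""
    hits = {}
    for label, pattern in PII_PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[label] = found
    return hits


def classify(hits: dict[str, list[str]]) -> str:
    """Map findings to a handling class: 'restricted', 'internal' or 'clear'."""
    if not hits:
        return "clear"
    return "restricted" if max(SEVERITY[label] for label in hits) >= 3 else "internal"


def mask(value: str) -> str:
    """Keep only the last two characters so the report does not leak the PII it found."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def scan_store(files: dict[str, str]) -> list[dict]:
    """Scan every (path, content) pair; return flagged files, worst exposures first."""
    flagged = []
    for path, content in files.items():
        hits = scan_text(content)
        if not hits:
            continue
        flagged.append({
            "path": path,
            "classification": classify(hits),
            "findings": {
                label: {"count": len(values), "sample": mask(values[0])}
                for label, values in hits.items()
            },
        })
    return sorted(flagged, key=lambda r: r["classification"] != "restricted")


def scan_directory(root: str) -> list[dict]:
    """Walk a real file share root and scan each readable file with the same logic."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return scan_store(files)


if __name__ == "__main__":
    for entry in scan_store(SAMPLE_FILES):
        print(entry["classification"].upper(), entry["path"], entry["findings"])
```

Point the scanner at a share with `scan_directory("/mnt/share")` (assumed path) and review the flagged files; because the report only carries counts and masked samples, it can be handed to data owners without itself becoming sensitive.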