A new data loss scandal originating from within one of the organisations governed by the NHS has come to light, once more involving the misplacement and subsequent discovery of a portable USB memory stick whose contents were entirely exposed because it was not encrypted.
Members of the Forth Valley NHS board are being investigated by the Information Commissioner’s Office (ICO), after the media was made aware of the loss. It emerged that an employee had transferred data from NHS systems to the device, which was a personal item, before parting ways with it through loss or theft.
The board’s chief executive Fiona Mackenzie has committed to a formal undertaking authored by the ICO that will ensure the future eradication of any unofficial data storage devices from use within the organisation, with staff only being allowed to transfer data on sanctioned, centrally controlled devices.
The board will not be taking a passive stance, but will rather increase security and block any personal memory devices from gaining access to systems.
The ICO’s Scottish representative, Ken Macdonald, reiterated previous statements made by colleagues by saying that, hopefully, this incident will make it clear to other organisations within the NHS that inadequate appreciation of data loss prevention policy amongst staff members will lead to the leaking of confidential patient information unless measures are taken.
Mr Macdonald said that he hoped the increasing emphasis on staff responsibility for the use of portable storage would not subsequently allow the heads of such organisations to deny their own part in protecting data when future incidents inevitably arise.
Security expert Ander Pettersson said that the portability and convenience of USB storage devices were difficult to ignore and that many businesses rely on mobile technology to increase productivity and flexibility. He recognised the potential for loss or theft posed by these devices and suggested that the NHS will need to invest in a secure USB system that will retain the integrity of private data.
Mr Pettersson said that while organisations like the NHS have a responsibility for protecting the data of customers, the ICO would also have to use its own powers to police such organisations and impose penalties to prevent future debacles.