Looks like people are starting to take notice…

Viewing 13 reply threads
  • Author
    Posts
    • #2719
      RoleReversal
      Participant

      Just read this on El Reg that I thought I’d share.

      Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records.

      The PC – which was stolen from the unnamed manager’s car in June – contained copies of the personal details and treatment plans of several thousand patients. Thieves took the machine after breaking into the car, which was parked in Edinburgh at the time, where the unnamed manager was holidaying.

      The computer was password-protected but the data was not encrypted.

      Colchester Hospital University NHS Foundation Trust said that the manager involved was dismissed following a disciplinary panel last Friday. “The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality. I again apologise for the distress the theft of this laptop may have caused,” said Peter Murphy, chief executive of Colchester Hospital University NHS Foundation Trust.

      Perhaps threat of unemployment might make employees take more care with client data. Don’t fancy filling in his next job application form: Reason for leaving previuos position?….

    • #19213
      oneeyedcarmen
      Participant

      Best precedent EVAR!!!

    • #19214
      Michael J. Conway
      Participant

      I can see it now here in the US though. Some employee has his work laptop stolen and then sues his employer for unjustly firing him even though he failed to take proper care of employer owned assets. I’m proud of that hospital for taking the action they did. I just have trouble seeing it work here in the states.

      What do you all think?

    • #19215
      Anonymous
      Participant

      About bloody time. What the hell was a manager doing with patient data? He no doubt broke the rules if not the law in storing it on a laptop in the first place.

      I’m a fan of mobile computing like most people here, but why does everybody seem to need a laptop? What justifies this manager having a laptop for the day to day work? Perhaps there was a good reason but it’s just as likely the they simply wanted one.

      Confidential data + mobile device = FAIL

      Jimbob

    • #19216
      oneeyedcarmen
      Participant

      I don’t think the issue is taking care of the employer owned asset of the machine itself, but of the customer-owned data.

      It’s not mentioned in this article whether or not the hospital had an encryption policy (one would assume that they’d at least have some form of security policy, though). 

      Should the laptop have been encrypted?  Duh.

      Should the employee have NOT stored EPHI on the unencrypted laptop?  Double Duh.

      As Jamie Cowper of PGP is quoted in the article:

      “Technologies such as encryption should be implemented and managed on an enterprise-wide basis, not left up to the individual. Unless there is evidence of grievous misconduct, the responsibility for data security should lie with the organisation as a whole – and that means that in cases such as this, punishment should be top-down rather than bottom-up.”

      However, I do see it as a step in the right direction.  Seems to me that there is more than one party at fault here.  It sucks that this one person had to be the fall guy, but with any luck he’ll hire a good lawyer who can take the case and make a greater precedent.  i.e. “Should my client have been dismissed from his possition when there was no enterprise policy to protect the data in the first place?” 

      Jimbob’s got it right…there is NO reason for this data to be on a manager’s laptop (should he even NEED a laptop anyway), but it is the responsibility of upper management, the board, and us security geeks to see to it that this doesn’t happen in the first place.

    • #19217
      RoleReversal
      Participant

      @jimbob wrote:

      About bloody time. What the hell was a manager doing with patient data? He no doubt broke the rules if not the law in storing it on a laptop in the first place.

      I’m a fan of mobile computing like most people here, but why does everybody seem to need a laptop? What justifies this manager having a laptop for the day to day work? Perhaps there was a good reason but it’s just as likely the they simply wanted one.

      Confidential data + mobile device = FAIL

      Jimbob

      I think the first problem is why he was able to have so much data transfered to his machine? Surely there have been enough high-profile precedents (especially in the UK) that should have made people at least think twice about leakage vector.

      The PC … contained copies of the personal details and treatment plans of several thousand patients.

      Even if the manager in question had a legitmate reason for requiring the data (possible), and on a mobile device (less likely but still possible). What reason did he have for taking the data to a different country, over 400 miles away whilst on holiday?

      It is ashame that this guy is going to take the fall for what is commonly a non-issue, just using the UK as an example several high-ranking government and security services personnel have been in similar situations with nothing other a slapped wrist.

      Regardless, it is nice to see an organisation taking tough action to lacking security controls, whether or not the hospital had sufficient procedures/policies in place to make the dismal fair is another matter.

      Either way it will hopefully increase general awareness of the problem which can only be a good thing of those of us having to protect against and clean up after end-users get their hands on shiny toys.

      Think Jimbob put it best@jimbob wrote:

      About bloody time.

      RR

    • #19218
      dalepearson
      Participant

      This sets a good president, and is also good publicity.
      I know I shouldnt think like this but I know companies, and I wonder if they have done the following:

      Set Up role based access so people can only access data they should be able to.
      Educated users on the risks, do and donts, and incorporated this into their policies, ensured users are constantly reminded of the responsibility they have sign to understand and adhere.
      Provide secure / encrypted mechanisms for transportation of site for staff who are allowed.

      People should know better, and users rarely put themselves in the position of the customers / patient who might suffer.

      Lets hope they have done some of the following, or I imagine the manager in question might have some form of case for unfair dismissal.

    • #19219
      Don Donzal
      Keymaster

      Maybe I’m just nuts here, but I hear all these stories and see statistics on the number of laptops stolen or lost, and I simply can’t wrap my brain around it. Maybe it’s because I am a little paranoid and keep a close eye on my stuff. On the other hand, maybe it is because I pay for most of my stuff and can’t fathom having to pay again.

      Either way, I’ve never had a laptop stolen, and I’ve had plenty of them and travelled quite a bit. I always lock my door before leaving my office even if it’s just to hit the john.

      Maybe he should be fired for lack of care of company property let alone the data it contained.

      Am I alone on this in thinking that it simply is just carelessness? How many of you have had a laptop stolen or lost?

      Don

    • #19220
      oneeyedcarmen
      Participant

      @don wrote:

      How many of you have had a laptop stolen or lost?

      Not this guy. 

      You’re probably right about the carelessness, Don.  But at the same time, that doesn’t excuse his employer from neglecting the oversight to prevent such a thing from occurring.

      Although, even if they had…

      Sarah Chambers wrote:
      Artificial intellegence is no match for natural stupidity.
    • #19221
      dalepearson
      Participant

      I also have never had a laptop stolen, personal or business.
      However I put this down to working in IT, working in Security, and not being a total numpty 😀
      I say this as ever organisation I have worked in loss and theft of business laptops, pdas, blackberry’s are common place.

      I think its due to not enough awareness, but more generally the human race not giving two hoots about someone elses property. I think people are careless, and are not to bothered about a company machine, they thing ah well though probably got it cheap, and can replace it easily, just a pain I need to own up about it.

      I fear many laptops are lost and stolen with customer data on, but the individual wouldnt not divulge this information, and companies may not have the tracking and logging in place to identify either.

      Oh well keeps us in a job I guess, I just wish companies would be more proactive with security.

    • #19222
      RoleReversal
      Participant

      @dalepearson wrote:

      I also have never had a laptop stolen, personal or business.
      However I put this down to working in IT, working in Security, and not being a total numpty 😀

      Well, I was about to reply to Don’s question saying something similar but I don’t think I can put it better than that 😀

      As many have said, the dismissal may have issues depending on the actual policy in place. But I know most places I’ve worked have had a general policy that states (paraphasing):

      Don’t be a muppet with our stuff or we wont be happy

      So they may have him on a broad do stupid things, get sacked basis.

    • #19223
      Michael J. Conway
      Participant

      I saw a scary stat one time. the number one unclaimed item from an airport’s lost and found is a laptop. What are people thinking these days?

    • #19224
      dalepearson
      Participant

      @sgt_mjc wrote:

      I saw a scary stat one time. the number one unclaimed item from an airport’s lost and found is a laptop. What are people thinking these days?

      I am thinking I know where to go when I want a new laptop 🙂 Just kidding of course.

    • #19225
      RoleReversal
      Participant

      @sgt_mjc wrote:

      I saw a scary stat one time. the number one unclaimed item from an airport’s lost and found is a laptop. What are people thinking these days?

      I’m thinking some people have too much money. I struggle to afford my kit in the first place, nevermind replace kit I forget to pick up when my brain stops working

Viewing 13 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?