.

Looks like people are starting to take notice...

<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Aug 12, 2008 10:37 am

Looks like people are starting to take notice...

Just read this on El Reg that I thought I'd share.

Colchester University Hospital has sacked one of its managers over the theft of his work laptop, which contained unencrypted patient records.

The PC - which was stolen from the unnamed manager's car in June - contained copies of the personal details and treatment plans of several thousand patients. Thieves took the machine after breaking into the car, which was parked in Edinburgh at the time, where the unnamed manager was holidaying.

The computer was password-protected but the data was not encrypted.

Colchester Hospital University NHS Foundation Trust said that the manager involved was dismissed following a disciplinary panel last Friday. "The unanimous decision of the disciplinary panel sends out a clear statement about how seriously the Trust takes security and patient confidentiality. I again apologise for the distress the theft of this laptop may have caused," said Peter Murphy, chief executive of Colchester Hospital University NHS Foundation Trust.


Perhaps threat of unemployment might make employees take more care with client data. Don't fancy filling in his next job application form: Reason for leaving previuos position?....
<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Tue Aug 12, 2008 10:54 am

Re: Looks like people are starting to take notice...

Best precedent EVAR!!!
Reluctant CISSP, Certified ASS
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Tue Aug 12, 2008 11:23 am

Re: Looks like people are starting to take notice...

I can see it now here in the US though. Some employee has his work laptop stolen and then sues his employer for unjustly firing him even though he failed to take proper care of employer owned assets. I'm proud of that hospital for taking the action they did. I just have trouble seeing it work here in the states.

What do you all think?
Mike Conway
CISSP
CompTia Security +
C|EH
<<

jimbob

Post Tue Aug 12, 2008 11:33 am

Re: Looks like people are starting to take notice...

About bloody time. What the hell was a manager doing with patient data? He no doubt broke the rules if not the law in storing it on a laptop in the first place.

I'm a fan of mobile computing like most people here, but why does everybody seem to need a laptop? What justifies this manager having a laptop for the day to day work? Perhaps there was a good reason but it's just as likely the they simply wanted one.

Confidential data + mobile device = FAIL

Jimbob
<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Tue Aug 12, 2008 11:40 am

Re: Looks like people are starting to take notice...

I don't think the issue is taking care of the employer owned asset of the machine itself, but of the customer-owned data.

It's not mentioned in this article whether or not the hospital had an encryption policy (one would assume that they'd at least have some form of security policy, though). 

Should the laptop have been encrypted?  Duh.

Should the employee have NOT stored EPHI on the unencrypted laptop?  Double Duh.

As Jamie Cowper of PGP is quoted in the article:
"Technologies such as encryption should be implemented and managed on an enterprise-wide basis, not left up to the individual. Unless there is evidence of grievous misconduct, the responsibility for data security should lie with the organisation as a whole – and that means that in cases such as this, punishment should be top-down rather than bottom-up."


However, I do see it as a step in the right direction.  Seems to me that there is more than one party at fault here.  It sucks that this one person had to be the fall guy, but with any luck he'll hire a good lawyer who can take the case and make a greater precedent.  i.e. "Should my client have been dismissed from his possition when there was no enterprise policy to protect the data in the first place?" 

Jimbob's got it right...there is NO reason for this data to be on a manager's laptop (should he even NEED a laptop anyway), but it is the responsibility of upper management, the board, and us security geeks to see to it that this doesn't happen in the first place.
Reluctant CISSP, Certified ASS
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Aug 12, 2008 12:07 pm

Re: Looks like people are starting to take notice...

jimbob wrote:About bloody time. What the hell was a manager doing with patient data? He no doubt broke the rules if not the law in storing it on a laptop in the first place.

I'm a fan of mobile computing like most people here, but why does everybody seem to need a laptop? What justifies this manager having a laptop for the day to day work? Perhaps there was a good reason but it's just as likely the they simply wanted one.

Confidential data + mobile device = FAIL

Jimbob


I think the first problem is why he was able to have so much data transfered to his machine? Surely there have been enough high-profile precedents (especially in the UK) that should have made people at least think twice about leakage vector.

The PC ... contained copies of the personal details and treatment plans of several thousand patients.


Even if the manager in question had a legitmate reason for requiring the data (possible), and on a mobile device (less likely but still possible). What reason did he have for taking the data to a different country, over 400 miles away whilst on holiday?

It is ashame that this guy is going to take the fall for what is commonly a non-issue, just using the UK as an example several high-ranking government and security services personnel have been in similar situations with nothing other a slapped wrist.

Regardless, it is nice to see an organisation taking tough action to lacking security controls, whether or not the hospital had sufficient procedures/policies in place to make the dismal fair is another matter.

Either way it will hopefully increase general awareness of the problem which can only be a good thing of those of us having to protect against and clean up after end-users get their hands on shiny toys.

Think Jimbob put it best
jimbob wrote:About bloody time.


RR
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Aug 12, 2008 1:11 pm

Re: Looks like people are starting to take notice...

This sets a good president, and is also good publicity.
I know I shouldnt think like this but I know companies, and I wonder if they have done the following:

Set Up role based access so people can only access data they should be able to.
Educated users on the risks, do and donts, and incorporated this into their policies, ensured users are constantly reminded of the responsibility they have sign to understand and adhere.
Provide secure / encrypted mechanisms for transportation of site for staff who are allowed.

People should know better, and users rarely put themselves in the position of the customers / patient who might suffer.

Lets hope they have done some of the following, or I imagine the manager in question might have some form of case for unfair dismissal.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 12, 2008 2:05 pm

Re: Looks like people are starting to take notice...

Maybe I'm just nuts here, but I hear all these stories and see statistics on the number of laptops stolen or lost, and I simply can't wrap my brain around it. Maybe it's because I am a little paranoid and keep a close eye on my stuff. On the other hand, maybe it is because I pay for most of my stuff and can't fathom having to pay again.

Either way, I've never had a laptop stolen, and I've had plenty of them and travelled quite a bit. I always lock my door before leaving my office even if it's just to hit the john.

Maybe he should be fired for lack of care of company property let alone the data it contained.

Am I alone on this in thinking that it simply is just carelessness? How many of you have had a laptop stolen or lost?

Don
CISSP, MCSE, CSTA, Security+ SME
<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Tue Aug 12, 2008 2:16 pm

Re: Looks like people are starting to take notice...

don wrote:How many of you have had a laptop stolen or lost?


Not this guy. 

You're probably right about the carelessness, Don.  But at the same time, that doesn't excuse his employer from neglecting the oversight to prevent such a thing from occurring.

Although, even if they had...

[quote=Sarah Chambers]Artificial intellegence is no match for natural stupidity. [/quote]
Reluctant CISSP, Certified ASS
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Tue Aug 12, 2008 4:39 pm

Re: Looks like people are starting to take notice...

I also have never had a laptop stolen, personal or business.
However I put this down to working in IT, working in Security, and not being a total numpty :D
I say this as ever organisation I have worked in loss and theft of business laptops, pdas, blackberry's are common place.

I think its due to not enough awareness, but more generally the human race not giving two hoots about someone elses property. I think people are careless, and are not to bothered about a company machine, they thing ah well though probably got it cheap, and can replace it easily, just a pain I need to own up about it.

I fear many laptops are lost and stolen with customer data on, but the individual wouldnt not divulge this information, and companies may not have the tracking and logging in place to identify either.

Oh well keeps us in a job I guess, I just wish companies would be more proactive with security.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Aug 13, 2008 6:15 am

Re: Looks like people are starting to take notice...

dalepearson wrote:I also have never had a laptop stolen, personal or business.
However I put this down to working in IT, working in Security, and not being a total numpty :D


Well, I was about to reply to Don's question saying something similar but I don't think I can put it better than that :D

As many have said, the dismissal may have issues depending on the actual policy in place. But I know most places I've worked have had a general policy that states (paraphasing):
Don't be a muppet with our stuff or we wont be happy

So they may have him on a broad do stupid things, get sacked basis.
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Wed Aug 13, 2008 1:15 pm

Re: Looks like people are starting to take notice...

I saw a scary stat one time. the number one unclaimed item from an airport's lost and found is a laptop. What are people thinking these days?
Mike Conway
CISSP
CompTia Security +
C|EH
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Thu Aug 14, 2008 3:37 am

Re: Looks like people are starting to take notice...

sgt_mjc wrote:I saw a scary stat one time. the number one unclaimed item from an airport's lost and found is a laptop. What are people thinking these days?


I am thinking I know where to go when I want a new laptop :) Just kidding of course.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Aug 14, 2008 3:52 am

Re: Looks like people are starting to take notice...

sgt_mjc wrote:I saw a scary stat one time. the number one unclaimed item from an airport's lost and found is a laptop. What are people thinking these days?


I'm thinking some people have too much money. I struggle to afford my kit in the first place, nevermind replace kit I forget to pick up when my brain stops working

Return to News from the Outside World

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software