Where has the common sense gone in Public InfoSec? – the NHS loses another laptop

As the NHS loses another laptop with millions of patient records (over 8.6 million this time), the seasoned loss-watcher's first question is always: was it encrypted? And no prizes for guessing what the answer was.

Various news wires have reported that the machine was kept in a store cupboard with a number of others, 20 of which went missing and 12 of which have since been recovered. I have to ask the following:

1. (Obviously) Why was a laptop of any description not encrypted?

2. Why was expensive IT kit left somewhere you cannot audit who goes in and out? How about a locked cupboard with a key that only certain people have access to?

3a. Why had nobody done a formal risk assessment on the dangers of a laptop holding 8.63 million patient records, unencrypted, on a local drive?

3b. Better still, why had nobody applied common sense to the idea that holding this volume of patient records unencrypted on a local drive was madness?

To my mind this isn’t an IT issue. It’s not an InfoSec issue. It’s a common sense issue. Holding that much data, unencrypted, on a laptop’s local drive, in a store cupboard that doesn’t sound like it was in a secure area, is just daft. It doesn’t need a risk assessment. It doesn’t need formal policies and procedures. It just needs someone to say: that’s a bad idea.

InfoSec needs a huge dollop of common sense applied before we start using tools like formal risk assessments and gap analysis. I maintain that we need to take the Health and Safety approach to InfoSec, and this case demonstrates to me why that assertion is true.

About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I