As the NHS loses another laptop with millions of patient records (over 8.6 million this time), seasoned loss-watchers first question is always, was it encrypted? And no prizes for guessing what the answer was?
Various news wires have reported the machine was kept in a store cupboard with a number of others, 20 of which went missing 12 of which have been recovered. I have to ask the following:
1. (Obviously) Why was a laptop of any description not encrypted?
2. Why was expensive IT kit not left in a place where you can audit who goes in and out? How about a
locked cupboard with a key that only certain people have access to
3a. Why had nobody done a formal risk assessment on the dangers of a laptop holding on a local drive 8.63million patient records unencrypted
3b. Better still, why had nobody applied common sense to the idea that holding this volume of patient records unencrypted on a local drive was madness?
This isn’t to my mind an IT issue. It’s not an InfoSec issue. It’s a common sense issue. Holding that much data, unencrypted, on a laptop’s local drive, in a store cupboard that doesn’t sound like it was in a secure area is just daft. It doesn’t need a risk assessment. It doesn’t need formal policies and procedures. It just needs someone to say: that’s a bad idea.
InfoSec needs a huge dollop of common sense applied before we start using tools like formal risk assessments and gap analysis. I maintain that we need to take the Health and Safety approach to InfoSec and this case demonstrates to me why that assertion is true.