Recent reports of laptops lost by doctors or stolen from hospitals appear to indicate that medical records on personal computers are less secure today than when the NCC Microsystems Centre tested six systems under contract from the DTI over 20 years ago. Why?
The United States had a wake-up call when the loss of a laptop containing the records of the Veterans Administration reminded lawyers that the Federal Government might well have unlimited liability for the consequences – and that any attempt to fight such an interpretation would go all the way to the Supreme Court. So much for the view that the US does not take Data Protection as seriously as we wonderful Britons and/or Europeans.
The result was the widespread deployment in the US of systems like the laptop guardian for use by nurses and doctors making house calls and therefore at risk, for example, of being mugged for their laptop. This particular system was among the examples of existing good practice in information security demonstrated on June 10th at a parliamentary showcase. The visitors included two Home Secretaries, the shadow spokesman for Immigration and the officials responsible for the security of a number of high-profile public sector systems. Most of the other exhibits are also available as case studies.
One of the questions raised was that of professional responsibility for the failure of large organisations to provide their clients’ records with security akin to that of organisations like Barnardo's, Citizens Advice or the Salvation Army, who need to prioritise and ration every penny.
We have also had publicity for the break-in at a minister’s constituency office. Over the years I have lost count of the number of MPs, including past and present ministers, who have asked for advice on how to reconcile easy access/use with security on their constituency systems and personal laptops. I have also lost count of the number of security “experts” who have offered assistance and failed to deliver. Most have failed even to understand the need to reconcile, not just prioritise, ease of use and security – let alone the conflicting pressures on the politicians of today, catching up on their workloads late at night and early in the morning when support is not available.
The EURIM Personal Identity and Data Sharing Group, which organised the showcase, is about to change its name to “Information Governance” with the aim of working with the relevant professional bodies and trade associations (accountants, lawyers, company secretaries etc., not just information systems and security) to establish what is good practice and what is prima facie evidence of misconduct and/or recklessness. The aim is to secure the production, publication and use of guidelines that not only command credibility but can be used by auditors and regulators to ensure that good practice is indeed being followed.