
East Sussex NHS data loss highlights insider threat

The latest loss of patient data by an NHS trust underlines research showing that around a third of data breaches are caused either accidentally or maliciously by employees

The loss of a memory stick containing personal data of 3,000 East Sussex NHS Trust patients highlights the insider threat to data protection, say security industry representatives.

The trust sent a letter of apology to all those affected after a member of the public found the memory stick, which a member of staff had left behind a hospital building, reports the BBC.

The data on the memory stick was not password-protected, but the trust said it took data security "extremely seriously" and the loss was an "isolated incident".

East Sussex Healthcare NHS Trust chief executive Darren Grayson said the memory stick belonged to a member of staff and was not compliant with trust policy that mandates encryption.

Security experts have warned that such data is valuable to criminals who can use it to commit fraud and other crimes enabled by identity theft.

David Juitt, chief security architect at security software firm Ipswitch, said this incident illustrates that data breaches are often not the result of a sophisticated hack.

“The stark reality is that, according to the Online Alliance Trust, last year almost one-third of data breaches were caused either accidentally or maliciously by employees,” he said.

Juitt said the way that files are shared and moved is key in securing the data in transit. “A memory stick is as easy to lose as a pen. An unencrypted memory stick with personal and sensitive health data on it is more than careless, it is negligent,” he said.

Juitt said that when all file transfers are automated, managed and controlled from a central point, employees are able to easily send and share files using IT-approved methods.

“The IT department also gains complete control over activity. It’s no longer good enough just to have the right policies in place for secure data transfer, an organisation must ensure it has the right file-transfer technologies, security systems, processes and, most importantly, staff training,” he said.

Luke Brown, vice-president and general manager for Europe at security firm Digital Guardian, said human error is something that many organisations forget about when working with sensitive data. “Looking within your organisation for potential threats to data security is imperative,” he said.

Brown said there are numerous technologies designed to combat human error and small investments can go a long way.

“When organisations deploy technology that protects data at source, it removes the risk factor associated with human error and insider threats. Furthermore, employees quickly become aware of the impact of their actions, leading to rapid behavioural changes,” he said.

According to Brown, within just a month or two of deploying data-centric security systems, organisations typically see a dramatic drop in staff-related data breaches.
