To assume is to make an ASS out of U and ME (and to put sensitive data in jeopardy)…

Posted on Sep 13, 2011

Although we here at BlockMaster make it a point to not focus too specifically on scaring folks into considering the importance of USB management and security (we like to let our products speak for themselves), it is, still, sometimes hard to avoid mentioning the clear and blatant oversights, as reported by the media, that so often lead to the loss of sensitive data. In effect, all you have to do is read the headlines to understand our mission…and, well, the hits just keep on coming.

Last week in the UK, the Information Commissioner’s Office (ICO) was reported to have acknowledged the loss of an unencrypted USB flash drive by a medical student at the University Hospital of South Manchester. The drive contained sensitive, personal information and data regarding 87 patients, and its loss led to the University Hospital of South Manchester NHS Foundation Trust being found in breach of the Data Protection Act (DPA).

The medical student, reportedly, copied data onto a personal and unencrypted USB flash drive – a flash drive that was, in fact, provided by the Trust – for research purposes, and lost the flash drive during December of 2010. According to a report, it was revealed that the hospital did not provide data protection training to the student, and simply assumed that the medical student had received appropriate data protection training while at medical school.

The cumbersome upshot of the Trust’s oversight is that they have signed a provision calling for all students to be made aware of existing data protection policies and procedures and, additionally, for all personal information accessible to students to be made secure. While we here at BlockMaster can’t help but wonder about the overall financial ramifications of such an operational hand slap, one thing we do know for sure is that it could have and should have been easily avoided…

The Acting Head of Enforcement for the ICO, Sally Anne Poole, said in a statement: “This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organizations. NHS bodies have a duty to make sure their staff, both permanent and temporary, understands their responsibilities on day one in the job.”

And while that certainly is true, Sally, it should be fairly noted that the organization itself would do well to consider more in-depth its own policies and procedures, especially as they relate, specifically, to USB security and management.

Had the hospital made the decision, during a budgeting or technology session somewhere along the road, to invest in USB flash drives secured by encryption and password strength, the loss of actual data would have likely never occurred. And even though the loss of a sensitive USB flash drive, in itself (even with the data fully encrypted), would be embarrassment enough – the fact is that with the power of SafeConsole, the hospital would have been able to, from the get-go, gain complete and granular control over all the SafeConsoleReady USB devices within their system.

SafeConsole features Remote Password Reset and a secure challenge-response procedure that can bring back the encrypted data stored by the user. SafeConsole – feature rich and made for rapid deployment – would have gone a long way to prevent, or at the very least, greatly limit the very devastating nature of data loss such as the one that occurred at the University Hospital of South Manchester.