Stolen laptop prompts security reminder

Tags: PCT

17 Sep 2007

GP practices have been reminded of their responsibilities for patient information following the theft of a practice laptop from a GP’s home.

A laptop belonging to Dunstan Medical Centre in Bolton, containing patient data, was stolen from the home of partner Dr Thomas Lynch during a burglary this summer.

Following the theft the practice wrote to all patients to explain what had happened. The letter said all information stored on the computer was “held under the strictest multiple password security and unauthorised access would be highly unlikely”.

The letter added that policies regarding the use of laptop computers and how they should be stored were in place, and that none of them had been breached.

A spokesperson for Bolton Primary Care Trust told EHI Primary Care: “The practice told us straight away and consulted us right down to the wording of the letter sent to patients.”

Following the theft the PCT sent out a reminder to staff and GP practices about security and confidentiality when using laptops. The advice said that laptops should be locked away when not in use, that they should not be left unattended, that all files should be password protected and that there should be regular housekeeping of laptop files.

Dr Nicholas Norwell, a medico-legal adviser for the Medical Defence Union, said it was not possible to comment on specific cases but that the general advice was for doctors to ensure information is kept safely and securely, and that patient information remained confidential to meet both the requirements of the General Medical Council and the Data Protection Act.

He added: “Our advice is also that doctors need to keep use of their machines absolutely separate into practice computers and personal computers. That separation alone gets rid of a large number of problems.”

Reader's Comments

Laptop security

stewart.smith@cd-tr.wales.nhs.uk

19 Sep 07 09:09

As with any small device, laptops will be stolen despite all the measures put in place. The simple answer - hard disk encryption. Yes, I know encryption can be broken, but your average burglar won't have this facility available to him.

re: the simple answer

19 Sep 07 11:09

Central data storage with thin client access has to be the best answer to this i.e. no data stored on the laptop at all. CfH got the former right in its architecture (but selected many relatively bandwidth greedy solutions). Also I believe N3 as yet has no wireless WAN component but this has to be the ultimate goal surely?

Double the laptops-multiply the risk

angus.goudie@GP-A89021.nhs.uk

19 Sep 07 17:09

I've spent time with two laptops (not really practice and home) and was so glad to combine all the programmes onto one as not only was it inconvenient with 2, but much easier to leave one in the car while i struggled into meetings with one and books or lunch or whatever. The second laptop needed to be synched on the practice system for non patient documents and a single machine has always been much easier to keep with me all the time when not locked in the practice or my home. An altogether much more secure option.

Not so simple wireless

26 Sep 07 13:09

Aside from the lack of univeral coverage of wireless, 3G, or even GPRS in rural areas, there are other complications which render it highly unlikely that a CfH wireless product is forthcoming.

CfH use BT for the Network, and have a fixation on managed services being better than NHS internal (which is often an expensive fallacy). Applying the highest level of security to a Wireless network means encrypting the traffic, but importantly changing the key on a regular basis (at least monthly). This would mean recalling all the devices on a regular and a co-ordinated basis, and resetting everything. Any kit failed to be returned would stop working.

In the real world, we might be comfortable with using fairly static encryption keys for Wireless, or the public network for 3G, together with a token based VPN solution to encrypt. No product for BTN3 beyond existing VPN tokens, and no need for one.