First we have:
The Mytob worm attack on the IT network used by three London hospital trusts knocked stories about NHS data breaches and missing mobile devices out of the headlines. The attack shows that NHS IT managers have to be aware of old threats, even as they tackle new ones. Stephen Pritchard reports.
The price of freedom is eternal vigilance, said Thomas Jefferson. Eternal vigilance is also the price of information security.
Just last month, three London hospitals were hit by a computer virus that shut down large parts of their IT systems. The Mytob worm somehow breached data security defences at Bart’s and the London NHS Trust and forced it to switch off computer systems and revert to paper records.
It was two weeks before the trust was able to announce, at the start of December, that: “The computer network has been stabilised and the trust’s 5,000 PCs have been screened and are clear of the virus.”
Information security experts point out that Mytob is not a new virus -- versions of the worm first came to prominence in 2005. But as Graham Cluley, senior technology consultant at Sophos, points out, older threats do not go away.
All it takes is one infected disc or USB thumb drive and systems can easily be attacked, if defences are not up to date. “Any chink in the armour allows systems to be infected,” he says. “Hackers could be doing this to steal information, or to meddle with information. The virus problem is still very real.”
The attack on the London hospitals also showed that it has mutated. The “classic” computer virus aimed to cause disruption and, in some cases, to damage IT systems. More recently, virus writers and other cybercriminals have become more financially motivated.
Lots more here:
Second we have:
08 Dec 2008
Seven BBC journalists have been told that information held on their Emergency Care Summary in Scotland may have been inappropriately accessed by a doctor.
NHS Fife wrote to the seven after discovering that a doctor working for it may have accessed the records. The health board notified Fife Police and the clinician involved has now been reported to the Procurator Fiscal.
Jackie Bird, a newsreader on Reporting Scotland, was among those who were contacted. She told the BBC: “I wondered why NHS Fife was getting in touch with me and when I read the letter, which was obviously intended to allay fears, the more fearful I became. It was a strange feeling that someone unknown could have accessed my private information.”
The ECS is uploaded from GP systems every night and holds information on demographic details, current medications and allergies for 5.1m patients. Information is uploaded using an implied consent model plus ‘consent to view’ at the time of each medical encounter, a system which has recently been adopted for the Summary Care Record in England.
In its e-health strategy published three months ago, NHS Scotland said the ECS is currently accessed on 25,000 care occasions a week.
There are lots of lessons here:
First, the old threats never go away and new ones are always emerging.
Second, the impact of breaches can be pretty significant and disruptive.
Third, it is usually the people and not the technology that let you down.
The other thing I noted was just how far down the track they are north of the border in Scotland with their shared records!
Also, good stuff that they noticed there had been a problem.