Health Service laptop goes missing with over eight million patient records (v3.co.uk)
15 points by EwanToo on June 15, 2011 | 9 comments



And still, even after all the accidental losses of data from the MoD, the NHS and the banks, people who hold sensitive data don't set up laptops containing data like that with decent encrypted filesystem setups...

OK so that isn't a perfect solution (the user could keep their passwords on a bit of paper clearly marked "passwords" in the laptop's bag, if the user loses their passwords the data is lost to them (unless a multi-key system is used and the IT dept keeps their own key so they can reset the user's access, though that probably requires the user sending the laptop into central IT for a time), data could still be emailed out to insecure places by the user, and so on) but it is a far better situation than leaving the data unencrypted on the easily liftable device.

It really does surprise me that after the last five or more years a proper encryption regime isn't mandated on laptops holding such data.


I work for a very-well-known-and-frequently-mentioned-in-the-press organisation in the UK healthcare sector and I can assure you that everyone here has encrypted laptops.

In many ways it's a pain in the ass, because almost exactly none of us will ever use Patient Identifiable Data but we have to put up with machines that run much slower than they should due to the on-the-fly encryption. We're also physically incapable of burning CDs/DVDs or using USB sticks etc.


Who exactly designed a system which allows a single laptop to store this many records at once? I could see a couple of dozen or so at a time, even a hundred, if a doctor wants to download all his patient records for the week. But 8 million on one laptop? I don't even know what to say.


Based on my knowledge of what my wife does for a living, securing a hospital's reimbursement from Medicare/Medicaid, I think I can make a pretty good guess.

It's a single person, or small department, using some off-the-shelf tool like Excel or Access to massage data into the format necessary to integrate it with one of the various third parties that must process it in order to get full reimbursement while ensuring compliance with regulations. The problem itself demands that huge amounts of personal data are gathered together, and the way the system works generally forces it to be handled by a regular person, on their workstation.

Obviously this data needs to be shared with the payor (e.g., Medicare). The thing is that the reimbursement regulations change constantly (not just every year or something, but literally weekly in the Federal Register), and changing regulations demand different reporting procedures and formats. The constantly-changing nature means that it's not a very good candidate for automation: every hospital (and every other healthcare provider) would need to have IT staff constantly active addressing changes, or at the very least, providers of hospital ERP/records systems would need to be constantly addressing changes, and hospital IT would need to constantly be integrating software updates.

And it's not just the payor that's a problem. There are countless third parties that communicate this data. Because cases are handled as cases rather than people, when a case is transferred to another hospital, or sent out to a specialist, that must be tracked. But frequently it's not the hospital doing the checking, it's the patient himself that checks himself out and goes to another hospital. That means that hospitals are constantly downloading Medicaid records to cross-check against their own data, and negotiating with other providers to determine who gets "credit" for the cases. Since all of these third parties have their own systems, and the number of combinations of transfers between providers is astronomical, the communication of this data tends to turn into one-off projects, demanding that a human compile the data in a way that both sides agree to.

So it appears that part of the need to keep human hands in heaps of personal data, is driven by the nature of our healthcare regulation.

(I know the article is written about the UK, but I'm assuming that much of what I've said generalizes across the ocean)


I can second this with my knowledge of what my mother does for a living.

The hospital inputs their data into Epic medical software. The home care agency tracks their data in an 80,000-line Excel spreadsheet (less than 8,000,000, which is good, right?). My mother copies down the name and other personal identifiers like insurance numbers from the Excel spreadsheet, counts (with the end of a pen on the screen) the number of billable visits, and enters this by hand onto a printed form which receives minor changes as you noted. She then collates these forms into stacks for various insurance agencies, and faxes the piles to the appropriate numbers. She's an RN, has 20 years of experience, and this is what they pay her to do?

Oh, and her password for remote login to do this from home was (until last week when she told me because I was talking to my sister about password strength) literally abc123. This was the default set by the IT department about 2 years ago.

I will never work in medical IT due to real-life horror stories like this.


> I will never work in medical IT due to real-life horror stories like this.

I'd wager that there are real-life horror stories like this for just about any industry - they happen whenever non-computer-savvy people meet computers.


And it doesn't matter how hard you protect the data from your side, once it gets into an Excel spreadsheet, it will be e-mailed around unencrypted for anyone who wants to get at it.



Why the hell do organizations keep putting this kind of sensitive data on a laptop?

Even if your process requires someone remote from the office to work with the data in desktop tools like Excel, etc., it seems like it'd be good sense to require them to do it over a Terminal Services or Citrix connection to a secured server.



