Data Security Requires More Than Using An Archaic Storage Format

Moments when you're glad you're not in charge of this IT department: health service executives in the UK say that no-one should be too worried about a disk full of patient data going missing, because it's highly unlikely anyone will have the gear required to read it. Oh dear.

The East Midlands Ambulance Service (EMAS) has misplaced a disk containing scans of 42,000 forms used by patients of the service between September and November 2012. While chief executive Sue Noyes appears very contrite about the loss, she also suggests that it's quite unlikely anyone will be able to exploit the data:

"We are certain the data can only be read via specific hardware which we have in our premises and which is no longer in production - i.e. it is obsolete. Therefore it is unlikely that the information stored on the missing cartridge can be viewed by anyone outside of the organisation."

I don't imagine too many criminal types are rocking Plasmon 5.2in cartridge drives -- the company itself closed back in 2008. But with that said, I bet there are other hospitals and institutions in the UK still using those readers. So the risk might be remote, especially as there's apparently still a chance the disk is on the premises, but it's not non-existent.

The lessons? Guard physical media carefully, and try to move away from ancient formats that offer no possibility of encrypting data.

EMAS [via BBC News]


Comments

    Obfuscation is not security.
    -___-'

      I suspect that their security does not rely on obfuscation, and that the statement actually refers to the consequences of the incident, rather than the means they use to secure their data. If I understand the original article, their security is based on disks being kept locked away.

    I bet you there's health insurance companies with that gear or who could get it that would love the information.

    You can pick up a refurbished Plasmon 5.2 Optical drive on Amazon for <$300.
    Maybe it's not exactly the right hardware, but I'm sure the right one would be out there.

    I may be wrong, but <10 seconds on Google brings up this Amazon page
    http://www.amazon.com/Plasmon-201900-000-201900000-Refurbished-Specifications/dp/B00329SBAC and I'm sure there are more places still selling them.

    Also, if the drives were really hard to get hold of, I hope they have a bunch in the store room to replace ones that die, or they lose all their data.

    A quick search on eBay turned up 3 or 4 of these drives. If someone wanted to read this data, it's certainly possible and quite easy to do, for me at least. For someone who actually values this information, it's laughable to call this secure.
