[SecurityRatty] tag: stress

CISSPs Lend me your ears

Tue, 18 Nov 2008 01:15:31 +0000

Art of Information Security endorses Dan Houser for (ISC)² Board of Directors

The CISSP is undoubtably one of the most, if not the most, important professional certifications in Information Security. Many organizations and practitioners rely on it as evidence of a solid foundation and track record in Information Security. But the CISSP is only one of the many ways that the (ISC)² attempts to fulfill its mission of developing the Information Security profession.

Board membership is a role of governance, guidance, and passion. Let’s briefly explore how Dan’s track record and past contributions demonstrate his qualification for this post, and possibly your vote.

Passion

Dan is someone who has a passion for promoting and developing the talent needed to continue to grow and mature our profession. Anyone who has seen Dan speak at conferences, local chapter meetings, or in one of his classes knows how passionate Dan is! But anyone who takes the time to approach him knows that he is no ideologue or zealot; Dan is always interested in improving his own understanding, and then sharing that knowledge with others.

Dan has a long track record as a contributor - as a “giver” - to the profession. In addition to teaching over a dozen CISSP review courses, he has also served on multiple (ISC)² committees, is one of the authors of the ISSAP Body of Knowledge (cryptography), and has published primary research on professional certifications. He is also the founder of the monthly Columbus, Ohio Information Security MBA (Masters of Beer Appreciation) meeting - a professional roundtable that attracts practitioners from across the state.

Governance and Guidance

In addition to past experience serving on (ISC)² committees, which I assume led to the current board’s nomination, Dan has served on numerous Boards of Directors including local and regional community organizations, ISSA chapters,and several Toastmasters clubs.

Personal Experiences

I have known Dan for almost three yeas. Dan and I have collaborated on a number or projects, including a half-day Cryptographic Controls Seminar and a full-day Identity Management Architecture class. It is my feeling that when you collaborate, work closely, and travel with someone, you really get to know them. You get to do more than hear about their College Sweethearts (which, for Dan, is Rebecca, his wife of 21 years), but you also get to understand their ethics, how they really conduct themselves, how they deal with stress, etc.

Given the entire picture, the understanding that I have of Dan Houser, I can think of no one better suited to representing, guiding and developing the (ISC)². I have voted for Dan, and I hope that you will consider doing the same.

Here is the voting link for (ISC)²: https://webportal.isc2.org/custom/votenow.aspx

Cheers, Erik

CISSPs… Lend me your ears…

There's just no helping some people

Wed, 05 Nov 2008 21:00:00 +0000

Even though we're a technology vendor, we always stress that, when considering the robustness of your information security strategy, technology isn't always the answer. It's upon the effective combination of people, process and technology that we must ultimately rely. That's why it pained me when this story appeared in the UK press last weekend...

Interop NY Keynotes: BlackBerry

Wed, 17 Sep 2008 11:07:39 +0000

David Yach, Chief Technology Officer of Software at Research in Motion rounded out the final keynotes of the morning as part of the Mobile Business Expo (MBX). David focused on how enterprise and mobility are tied together today.

Which of the following initiatives are likely to be a major telecommunications technology related priority for 2007? Mobility is a huge issue.

We’re starting to see traction with mobility.

The evolution of enterprise mobility:
- Voice –> messaging –> e–mail –> web, –> business applications –> instant messaging/presence –> what’s next?
Cell phone to Smartphone:
- 1G –> 2G –> 3G

Converging IT Responsibilities

Collaboration, Web/Internet, Desktop Computer, Deskphone/PBX, Mobile Phone and Applications. All of this is under the umbrella of IT. IT departments are not a single cohesive unit where everyone gets along. They have different motivations, budgets, goals, etc.

BlackBerry manages all of these responsibilities in one, forcing these departments to collaborate and work together. This is key for interoperability between these systems, knowing how they work together.

Desktop capabilities are expected in mobility:

Information
Collaboration
Voice
Transactions
Presence
Application

Mobile devices are fundamentally changing the pace of which we all work. You can reach anybody at anytime. This changes business.

All of this is working with data that is behind a corporate firewall.

The big change in IT is that for almost any industry now, the data that you have and you manage is a core corporate asset. It doesn’t matter whether you’re in manufacturing, logistics, or a bakery. Information is king. This has the benefit of moving IT up to a C-level position. You are a core part of your business success. This has benefits, and also added stress.

Voice is still the “killer app” for mobility. Deskphones and smartphones need to overlap into a mobile voice system.

Another up and coming technology is the mobilization of enterprise applications. This provides the ultimate user experience. For example, Blackberry has mobilized the SAP Business Suite on BlackBerry smartphones. SAP CRM access is as seamless and intuitive as email on BlackBerry and incorporates push, alerting, security, GPS, Wi-Fi and media.

Enterprise grade platforms will extend core competencies of enterprise systems to mobile environments.

Secure
Reliable
Manage
Control
Administration
Standardize

Conclusion:

Putting it together: integrating the wireless capabilities of today into the business tools of tomorrow.

ScienceLogics 5-Year Anniversary

Wed, 20 Aug 2008 18:39:16 +0000

August 2003. The largest blackout in U.S. history darkens the Northeast and Midwest, the Blaster worm has been unleashed and Madonna and Britney create a stir at the 2003 MTV Music Video Awards. In the midst of this hot summer madness, ScienceLogic was founded.

To kick off our celebration of our first five years, we asked ScienceLogic founders Dave Link, Richard Chart and Chris Cordray for their thoughts and memories on events leading to today’s milestone. How and why did they set out on this venture? What happened along the way – expected and unexpected? Why were they successful in times when other new (and established) businesses have come and gone?

How did you three put together this team?

We all worked together at a large Managed Service Provider for a couple of years before leaving to start ScienceLogic, so we all knew each other and knew our collective strengths. More importantly, each of us had worked with network management tools on some level (sales and marketing, engineering and product development), and knew first-hand all of the customer pain points, from every perspective. So we left and began rapidly figuring out how to build a better network management solution based upon our real world operational experience..

Dave: One interesting aspect is that our areas of expertise don’t overlap, which has contributed to our success. Chris is excellent with developing the product front-end and interface, Richard handled the backend architecture and engineering and I focused on the technical business side of sales and marketing. Our roles have been to build a product that works well and that provides real value to operations teams that experience the same day to day frustrations that we felt.

Whose idea was it to start the company?

Dave: It was really a collective effort. We were all passionate about “getting it right” and not just starting a company. We knew the industry need and between us, we had the knowledge and skill sets to address all of the right aspects of developing a product and a building a business around it.

What process did you go through to get started?

Richard: From the beginning we knew the type of solution the market needed and we knew that we wanted to build it as an appliance. From different vantage points, we had each experienced the effects of long, difficult and expensive installations that still exist with traditional network tools. Every install has unique variations: there are always different server types, varying hardware and software versions, different patches installed, and on and on. Every installation was time consuming and unpredictable. We knew that an appliance model would address all of these variables and save a lot of time on how quickly customers could achieve immediate value.

The harder decisions were around actually starting the business, assessing the market and of course determining the product pricing.

EM7 completely flips the traditional model of complex, lengthy and expensive deployments. How did you convince others that the EM7 Meta-Appliance product was valid?

Dave: Yes, EM7 totally disrupts the traditional model for network management. While others take a narrow approach, we intentionally designed EM7 to focus on the broad problem – managing the data center. How do you cover a variety of technologies and make sure they work seamlessly together? The vision was to make it easier, not harder, for customers.

Chris: I have to give it to Dave – very early on, he realized the power of a demo. If Dave could get in front of someone, he’d make them a believer. He’d use the Peter Falk/Columbo technique of “let me show you one more thing.” It was very effective. It’s getting easier, but even today people sometimes have to see EM7 in action before they become believers.

Can you describe the early days of running a new business?

Dave: ScienceLogic is a classic case of entrepreneurship. For the first year we worked out of our basements. We kept the costs low in every conceivable way and spent the first year developing the product before we even made a sale.

Chris: We stayed at lots of odd places when we were on the road, took cheap flights with multiple layovers and purchased lots of our first test equipment on eBay. This was during the dot-com bust so there was lots of equipment for sale on eBay, really cheap!

Richard: The amount of equipment I had in my house was absolutely crazy. Back then, servers were huge – I had a Cisco 6509 Catalyst, a Compaq Proliant DL380, Brocade switch, IBM Netfinity 4500R, and tons of other machines.

Chris: I had to install a new circuit box at home because I was blowing breakers. I remember when that 6509 crashed, we revived it and it died again. The second death was final.

So you started in your houses – what was your first office space?

Dave: My friend, the CEO at Ernst & Young Technology had a few extra cubes and a data center in their office that they graciously allowed us to use. Their help was an important step in helping us really formalize the business. We started doing well and adding people, but ironically, their company was downsizing. Before long, many of their original YET people were gone and the ScienceLogic team kept growing in to the open cubes.

Our first leased space was converted warehouse space in Chantilly, VA that once housed an internet radio station. It was cool – it had a large salt water fish tank, a loft, a spiral staircase and a Star Trek door that retracted into the walls with the customary lights and “whooshing” sound.

We outgrew the Chantilly space, leading to our current office in Reston, VA.

Who was the first ScienceLogic customer?

Our first paying customer was Martins Point Health Care. We deployed there in July 2004 and are pleased to say they continue to be a ScienceLogic customer. Other early (and still) EM7 customers include Navy Knowledge Online and the Department of Transportation. Nearly all of our customers are still actively using EM7 and renewing their maintenance.

Where do you see the company in the next 5, 10 or 15 years?

Well, our revenue has doubled year-over-year in each of the last three years, so of course we’d like to continue to grow like that or even faster. In five years we’ve gone from three founders to the point where Dave does not know everyone’s fondest childhood memory. We’ll continue to scale our growth to cover the demands of our growing customer base.

Where do you see the industry going over the coming years?

Chris: IT is always moving and gaining in complexity, so network management is also becoming more complicated. There’s increasing diversity, new standards, virtualization and cloud computing. All of these are today’s technologies. Customers have a mix of the old and the new, so EM7 has to accommodate and support both.

Richard: Each generation of products has a new set of ways to monitor, but the “old” doesn’t go away. Even when a new, hot technology comes along, the old technologies still need to be supported. We work to ensure EM7 keeps up with both.

Dave: After five years we’re just hitting our stride and we’re just now reaching the tipping point in awareness of ScienceLogic and EM7. We’re all still passionate about the product and as Chris and Rich said, there’s still a lot do. We’ll continue disrupting the market with EM7. Our vision hasn’t changed, and with the increasing levels of automation that customers demand, the market needs are greater than ever. Our future is as bright, or brighter, than ever and we’ll continue to be looking for smart ways to automate traditionally manual IT Operations processes.

What’s your advice for someone interested in starting their own business?

Chris: Be passionate. That’s what has gotten me through the tough times. I didn’t really appreciate this thought when I heard others say it before. But it’s very true.

Richard: I agree. We met and talked with lots of people who told us, “That’s been done before.” But we kept going because we truly believed in what we were doing and we knew that while our approach was different, that it would be successful.

Richard: Be fearless. You can’t be too nervous and you need to be able to expect and handle the stress because it will be there. You have to learn to accept the stressful times as a necessary part of the process of starting out on your own.

Dave: Know your niche from the beginning and give potential customers a compelling reason to trust you and really benefit from your solution. You have to know the problem, see the gap and have a clear and consistent vision of how to solve the problem. Then you have to execute. If you don’t build your team with “doers” you won’t make it.

Chris: It helps to have friends. ScienceLogic was built on friendships and relationships, starting with the three of us. If you look at our team, most of our hires are referrals – people who developed and maintained great connections with other great people throughout their careers. Maintain your connections and keep in touch with your network of friends.

SSO Summit Wrap Up

Fri, 25 Jul 2008 09:41:07 +0000

More notes from SSO Summit - to recap I can't stress enough how a 50-200 person conference comprised of around 50-60% enterprise folk (instead of just vendors and *cough* consultants) is ideal. Real, in depth conversations instead of just "where is the party" a la RSA. Also, this conference has a laser focus on SSO, so all 150 of us are able to look through the prism from lots of angles.

Some additional takeaways

Dave Kearns has serious moderator skillz.

You can tell all the Mac users because they have to have their laptops plugged in at all times (Mr. Jobs paging Mr. Clayton Christensen)

Eve Maler can really sing

One of the prettiest drives through Colorado is here

I did my presentation on Security Token Servers today. Bob Brandt from 3M spoke on Federation at 3M, its quite interesting to think about the mix of all these technologies the same way 3M's products are composed from a grid of technologies. I see STS playing role here, enabling us to get interop across multiple token types. Bob also mentioned that the business doesn't _ask_ for SSO any more; they expect it. He mentioned (and I have seen the same) much greater SAML adoption and awareness by customers and partners. And I quite liked his quote - "If you are a SAAS vendors and you are not supporting SAML you won't be in business very long."

Kent Beck says programs are not things, they are shadows of communities. If you look at a big vendors' IDENTITY AND ACCESS MANAGEMENT SUITE - its not a cohesive product so much as a shadow of the big vendors' Visio org chart. Ping's SSO community is fast, light and Ninja; SSO functionality enabling real pros to get stuff done for real use cases.

Its a lot of fun to be at a 1.0 conference, I am pretty sure this will be 2x-3x next year.

Collaboration in the Cloud, Virtual Worlds and the Hacker Mindset

Thu, 17 Jul 2008 11:51:24 +0000

Collaboration in the Cloud

Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers. Investments in R&D projects to create the next generation of business collaboration technologies and starting to bear early fruits and are worth paying attention to - especially if you get paid to “do security”. One major focus area is Virtual Worlds.

Teleporting Virgins

The big news in the Second Life research community is that avatars (”virtual people”) have successfully teleported between distinct virtual worlds. The virgin teleporters went from a Second Life Preview Grid - an experimental grid completely disconnected from the Main Grid - to a virtual world running IBM OpenSIM.

At this stage there is intentionally no asset transfer going on at all - in other words, you can’t take your “stuff” from one world to another - but that will come in time as the Open Grid Protocol is extended. Today just login and teleport are supported. No stealing those trade secret “assets” yet ;-).

Linden Labs speaks to this issue:

Q: How will Linden Lab prevent property from being copied into other virtual worlds?
We’re paying extremely close attention to that question. We will be designing this with the Second Life community to ensure their needs are met. We want to stress that when it does become possible to move avatars between worlds, we will take the utmost care to protect the rights of Second Life property owners and creators. Linden Lab will not design a system that lets people openly violate the permissions of SL goods and take them to other worlds. We recognize that intellectual property is the engine that drives Second Life, and we are completely committed to preserving the qualities that make Second Life the unique, innovative and dynamic place that it is today.

With my “hacker-vision” ™ enabled I see *all kinds* of opportunities for mischief here. I’m betting we’ll see imaginative attacks as the usual cat and mouse game of vulnerability research and vendor response plays out. “Sorry boss, someone hijacked my avatar and now I’m stuck on this desert island for who knows how long!”.

Threat Profiling Second Life

Getting back to reality, people are already exploring Virtual World security. Michael Thumann of ERNW in Germany is a pen-tester and security researcher and in this 10 minute video, Michael shares the result of his security research on Second Life.

He covers:

In-game cheating
Identity theft
Attacking 3rd party servers using Linden Scripting Language (think about the liability issues and the providers ability to track abusers)

For those interested in more detail, the full presentation he gave at BlackHat Europe 2008 in Amsterdam is here (pdf).

Of particular note, Michael applied a formal threat model approach to the research - STRIDE from Microsoft.

In a future post I’ll talk more about threat profiling in the context of Cloud Computing vulnerability research and specific API security vulnerability classes we can expect to see exploited.

Finished? Where should I start?

Mon, 30 Jun 2008 20:00:00 +0000

Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing.

It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.

Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...

In-Flight Broadband Flies Tomorrow in Test

Tue, 24 Jun 2008 15:51:25 +0000

American Airlines will fly its first commercial round-trip with Aircell's Gogo service active tomorrow: On Wednesday, 25-June-2008, in-flight broadband briefly flickers back to life with a JFK to Los Angeles round-trip flown by American on which passengers will get free use of the onboard, in-flight Internet service via Wi-Fi. The test flight is a kind of soft launch, which will be followed in a few weeks by full-on service.

American will offer Gogo on its 15 Boeing 767-200s, which means all JFK-LAX routes and some JFK-SFO and JFK-MIA (Miami) routes. The test will likely stress the system because more people will get on than on a typical flight since they won't be paying, and I would guess a lot of people will immediately try streaming video just to see if it works.

The full-on launch is still a pilot project even though it involves so many planes, routes, and passengers.

BoingBoing's Xeni Jardin asked me to participate in an interview call today with execs from Aircell and American Airlines, and I've written up the full account for their site.

Among other interesting tidbits I learned today, the onboard systems have 800 GB of capacity for future expansion--streaming media, most likely--and the AA-configured 767-200 has power outlets scattered around coach, and at every seat in first and business class.

1st Source Bank reissues all debit cards in response to breach

Thu, 05 Jun 2008 05:09:56 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
1st Source Bank

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Debit card information including Track 2 data contained on magnetic stripes and some PIN numbers

Breach Description:
"South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion"

Reference URL:
Digital Transactions News
WSBT TV News
South Bend Tribune
The Journal Gazette

Report Credit:
WSBT TV News

Response:
From the online sources cited above:

South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data.
[Evan] I wonder how many debit cards are in its "entire portfolio". I'm guessing that the number is in the tens of thousands.

a hacker broke into the system from the outside and compromised the system.

No fraud has been discovered as a result of the intrusion

The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. "We immediately saw that and shut it down," says Seitz.
[Evan] It appears as though the bank employs a managed security services provider for intrusion detection monitoring and alerting (and possibly more). Using a third-party provider as a part of information security strategy is probably a good idea for organizations that do not have, cannot afford, or do not want to build in-house expertise. Managing third-party service agreements can sometimes be quite a challenge.

The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.

"The server that holds our debit card information they were in there and they transferred information out. But we can't really tell if it was 10, 20, or 30 percent of our card holders," said Seitz.

They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases. "They got some PIN numbers, but a very small percentage compared to the debit card base that we have," says Seitz.

Exactly how the hackers tapped the server isn’t publicly known.
[Evan] This will be determined as part of the forensic investigation, but publicly this may never be known. We can only speculate. The information that was compromised is very sensitive and should have never been accessible from the "outside". Who knows if the server was actually compromised directly or through another avenue of attack. See, I am speculating. Thankfully, the bank had detective controls in place.

1st Source Bank is sending out letters reminding their customers to check their recent bank account activity.
[Evan] As people should anyway.

"Out of an overabundance of care, we’re reissuing new debit cards to all our customers"
[Evan] We could argue "overabundance".

the bank is reissuing all cards, which are MasterCard-branded, as a precaution

1st Source also is offering customers free credit-report monitoring for a year.

He adds that he couldn’t comment about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.
[Evan] The Visa U.S.A. Cardholder Information Security Program (CISP) "List of Compliant Service Providers - All" is here (a little different, but good information nonetheless).

"We are working with law enforcement to find these bad guys, and we didn't want to tip them off," said James Seitz
[Evan] Chances are that the "bad guys" already know what the have.

"Our number one priority is our customers. We shut everything down right away and hired the best people we could get our hands on to see what happened here and to make sure it doesn't happen again," said Seitz.

1st Source began working with law enforcement and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and to help determine who was behind it.
[Evan] 1st Source should be commended for not hesitating to bring in outside help.

It has taken a while to get all the information out about the breach, Seitz said, since the bank had to spend time going through all of its laptops and computer systems.

"You've got to understand what you have," he said.
[Evan] A high-priority task for information security governance is to understand what you have. During an incident response is not a good time to figure out what you have.

Though the breach is something rather new for 1st Source, Seitz said these types of breaches seem to be hitting businesses in general more and more this day and age.

"Certainly, it's never happened to us before," Seitz said. "But it's becoming more prevalent. Daily, banks are going through this."
[Evan] Breaches are as prevalent or more prevalent than they have ever been. I agree with Mr. Seitz. Recognizing this fact, what excuses do organizations have for not investing in and properly managing information security programs? I am not saying that 1st Source does not, I am writing in general terms.

Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach. Seitz called it a "considerable cost."

"Actually, our customers have been very understanding," he said. "Obviously, this is something that puts a little stress on that relationship."

Customer Reactions:
"My main worry is that my money is going to be gone tomorrow when I got to my account," said Jeremy Reinke, a 1st Source Bank customer.

"Is my money still in my account, and can they correct this so it doesn't happen again?" asked Chris Stump, another customer who hadn't heard about the May 12 security breach. "I guess in some ways I would have liked to know by now."

Commentary:
Judging from the customer comments I have read, people are concerned about the breach, but not angry with 1st Source Bank. I think this is because they perceive the bank's response to be open and genuine. The bank did employ proper controls to identify this breach early on and provided notice to customers in a timely manner. The fact that the bank took additional steps like re-issuing cards and providing credit monitoring only adds to the favorable perception.

I am still interested in knowing more detail around how an unauthorized outside entity was able to access this sensitive information in the first place.

Past Breaches:
Unknown

Sandown Health Centre backup tape is missing

Tue, 27 May 2008 09:14:16 +0000

Technorati Tag: Security Breach

Date Reported:
5/19/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)

Victims:
Patients

Number Affected:
38,650

Types of Data:
Medical records

Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."

Reference URL:
Isle of Wight NHS Primary Care Trust News
The Press Association
BBC News
eHealth Insider

Report Credit:
The Press Association

Response:
From the online sources cited above:

The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.

The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.

They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.

Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.

Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.

The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.

A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."

It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.

The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.

It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.

It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".

the risk of the tape being misused is extremely small

The tape requires specialist computer equipment to run it and the data is password protected.

In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted. Is the "specialist programme"? If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.

The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.

a dedicated telephone helpline has been set up and can be contacted on 0845 602 6834 between 8am and 8pm from Monday to Friday

The Interim Chief Executive of the PCT, Margaret Pratt, said: "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.

"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening. It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."

"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing. However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."

Dr Peter Randall, Senior Partner at the Sandown Health Centre, added: "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."

"My own view is also that the risk of any harm resulting is minimal. My own family are registered as patients at this practice which means their details are amongst those on the tape. I have no worries about the information falling into the wrong hands and being used improperly."

The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive. Better late than never. He should be commended in regards to the directive. My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).

Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement. The encryption mention comes in the eHealth Insider report. It is also not clear what "medical records" entails exactly.

Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay