Tallaght Hospital* in Dublin, Ireland, recently suffered a data breach. Details are unclear, but it involved outsourcing of transcription services to Uscribe, a company based in the Philippines. Something went astray.
In the Roscommon County Hospital incident, confidential paper medical records from patients treated in Midland Regional Hospital in Mullingar were discovered in a rubbish bin in the grounds of Roscommon County Hospital.
Would simple Data Flow Diagrams (DFD) have prevented these? Don't forget that Data Protection legislation also applies to paper records.
So here are some reminders. At the start of a project draw a simple DFD. This should show where data flows and where it is stored in the system. Don't forget to ask the following types of questions.
- Does anybody export data to laptops, USB sticks etc.? (Danger Danger)
- How are backups handled? Are they managed by third parties?
- Is the same production data used by test systems, development companies etc.?
- What about data used for troubleshooting or diagnostic purposes? Is that properly deleted when it is no longer needed?
- Are processes in place to securely erase any hardware when it is being disposed of?
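As an added illustration (not code from the original post), here is a small Python model of a DFD whose checker asks the questions above of every flow. The stores, the vendor, the country codes and the trimmed EEA set are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Store:
    name: str
    operator: str             # who holds it: "hospital" or a third party
    country: str              # ISO country code where the data sits
    medium: str = "disk"      # "disk", "paper", "usb", "laptop"
    disposal: str = "none"    # "shred", "wipe" or "none"

@dataclass(frozen=True)
class Flow:
    data: str                 # what is sent, e.g. "dictation_audio"
    src: str                  # originating process or person
    dst: Store                # where it ends up
    purpose: str              # "production", "backup", "test", "diagnostics"
    production_data: bool = True
    retention_days: int = 0   # 0 = no deletion date agreed

EEA_EXAMPLE = frozenset({"IE", "DE", "FR", "NL"})  # constructed, trimmed list

def review(flows, eea=EEA_EXAMPLE):
    """Return one finding per checklist question that a flow trips."""
    findings = []
    for f in flows:
        s = f.dst
        if s.medium in ("usb", "laptop"):
            findings.append(f"{f.data} -> {s.name}: export to removable media")
        if f.purpose == "backup" and s.operator != "hospital":
            findings.append(f"{f.data} -> {s.name}: backup held by third party {s.operator}")
        if f.purpose in ("test", "development") and f.production_data:
            findings.append(f"{f.data} -> {s.name}: production data in {f.purpose} system")
        if f.purpose == "diagnostics" and f.retention_days == 0:
            findings.append(f"{f.data} -> {s.name}: diagnostic copy with no deletion date")
        if s.country not in eea:
            findings.append(f"{f.data} -> {s.name}: transfer outside EEA ({s.country})")
        if s.disposal == "none":
            findings.append(f"{f.data} -> {s.name}: no secure disposal for {s.medium}")
    return findings

# Constructed scenario modelled on the post: dictation sent to an overseas
# transcriber, and paper records with no shredding arrangement.
TRANSCRIBER = Store("transcription vendor", "vendor", "PH", "disk", "wipe")
PAPER_FILES = Store("ward paper files", "hospital", "IE", "paper", "none")

EXAMPLE_FLOWS = [
    Flow("dictation_audio", "consultant", TRANSCRIBER, "production"),
    Flow("discharge_summary", "ward clerk", PAPER_FILES, "production"),
]
```

Running `review(EXAMPLE_FLOWS)` flags the transfer outside the EEA and the paper store with no disposal process, the two gaps the incidents above turned on.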
When you are embarking on your next project, don't forget to use a simple DFD.
- Irish Data Protection Commissioner - Transfers Abroad
- UK Information Commissioner's Office - Sending personal data outside the European Economic Area (Principle 8)
- Data Flow Diagrams
- siliconrepublic.com - Gardaí to probe data breach at Dublin hospital
- Irish Times - Patient data leak not confined to Tallaght hospital, says chief
- RTE - Roscommon Hospital
(*) Full name: "Adelaide and Meath Hospital, inc National Children's Hospital, Tallaght"