News in the tech press that the NHS has been visited by Qakbot – a worm with a keen appetite for people’s sensitive data. (Despite the name, it wasn’t specifically designed to target the NHS.)
The effects of malware on systems that gather our sensitive data haven’t really entered public consciousness, but there are potentially serious problems here, especially when so many practitioners are logging in to systems remotely.
Last year, Tim Loughton asked a string of government departments about the incidence of malware during the previous year. Most of the replies fell into one of two categories. The Home Office, Ministry of Justice and Department for Communities and Local Government played the Mornington Crescent card by insisting that national security would be threatened if they even looked at the question.
Others, including the Department for Health when asked about NHS hospitals, produced the standard brush-off: ‘The information requested is not held centrally and could be obtained only at disproportionate cost’.
The Department for Children, Schools and Families dealt with it like this:
how many and what proportion of computers in (a) local authority children’s services departments, (b) Children and Family Court Advisory Support Service and (c) schools were found to be infected with malware in 2008.
Information on the number or proportion of computers infected with malware is not collected centrally from either local authority children’s services or from schools. However many schools do employ a managed service for their ICT support and those organisations will normally maintain this information and report to schools.
It simply won’t do. If a government department is mandating the collection of people’s sensitive data – particularly when this is without any opportunity to consent or opt out – it ought to be taking responsibility for the security of that data a great deal more seriously.