This site is intended for health professionals only
Friday 30 September 2016
Share |

A cautionary tale of mobile identity theft

Comment

Tom Brownlie
AMSPAR Chief Executive

Mary got home later than usual. She was exasperated. Normally she would have slipped off her coat and called out to John, her husband, and say, "It's me!" On this occasion, that wasn't the first thing on her mind. She was still furious. First of all, her right sleeve didn't drop as normal and then the left sleeve cut on the cuff of her blouse. How much worse could the day get?

Striding through to the kitchen, where John sat sipping a coffee, Mary prepared to spout forth the hassle she had been through. Earlier that day her bag had disappeared. No – it had surely been stolen. How careless had she been? She was normally so alert drawing attention to others and advising at work in her role as the practice manager.

As she entered the kitchen, John could see that something was up. "What's wrong?" he asked.

"My handbag," she said through gritted teeth. "Stolen while I was in Marks. I don't know how it happened. I was looking through some tops. One moment the bag was there; the next it was gone. Cards, keys, cash – everything. Everything!"

"Why didn't you call me earlier?"

"I didn't think that was the first priority. I wanted to get it reported and get things sorted as quickly as possible. Besides, my phone was in the bag."

John froze as he was about to raise the mug to his mouth. "What time was this?" he queried.

"Oh, something like 4.30."

"Not later?" said John with increasing concern.

"Maybe five or 10 minutes either way. Why?

"So you didn't text me at five?"

"No, I couldn't. I didn't have my phone."

"Oh dear – there may be even more sorting to do …"

John had received a text just after five. Although it had been from Mary's phone, it hadn't been from Mary. The thief who had stolen the bag had scrolled through the contacts on her phone, found a listing of "Hubby", had texted John to be reminded of their PIN number and later had proceeded to empty the account.

Vigilance is a virtue
Mary's predicament could have been avoided by not "losing" the bag in the first place. But given that such things happen she could have kept her phone locked and been more discreet in her contact listings (at least there wasn't a contact called "PIN"!)

We always seek to ensure that things are kept secure, and we have an extra onus when we have responsibility for others – be it the practice equipment, fellow colleagues or patients' records.
Too often I have witnessed poor practice in a reception area.

Little things, like being able to overhear telephone conversations, people being permitted to queue at the reception desk, computer screens being viewable to the public. I have even experienced a receptionist calling across the waiting room to confirm a patient's date of birth. These are small, avoidable things, which, if not in place, can cause the loss of confidence in a surgery.

Should the worst projections of pandemic flu materialise, one can imagine the demand for the vaccine. The value of prescription leaflets and the vaccine will soar. In 2006, the NHS Security Management Service reported on the loss of four boxes each containing 2,000 FP10 forms. This was down to poor procedures being in place and a delay in the reporting of the event. Based on the average cost of a false prescription form, the estimated loss in financial terms was put at £3.4m.(1)

Preventative measures
There are many toolkits available to assist the practice manager in making sure they are doing their utmost in terms of security. The NHS Counter Fraud and Security Management Service (NHS CFSMS) has a useful document entitled Protecting Your NHS: a professional approach to managing security in the NHS (see Resource).

Although we take steps, thefts will still occur regardless of the preventative measures that are put in place. I recently had the unfortunate experience of suffering a home burglary. Fortunately (or perhaps potentially unfortunately) I returned home to disturb them and the loss was limited.

What could have been of concern was the fact that I had the office laptop at home in order to catch up on work. That was taken. Luckily, I carry very little data on the laptop, preferring to keep any work on a memory stick, which is kept on my person. Many will argue that it is easier to lose this so it is best to keep it encrypted. And needless to say that the laptop should be password protected.

While such security measures can be taken, many IT experts are able to crack the security. But those that can probably really wanted to do so. On this occasion I would anticipate that burglars who lift two bottles of wine from the fridge while overlooking bottles of champagne and special malt whiskies can't be the brightest buttons in the box.

Besides, should they succeed in accessing the few documents that are on the laptop, they will only find prompt notes for various meetings I had to attend. And in that respect they deserve all they get.

References
1. NHS Security Management Service. Security of Prescription Forms Guidance. London: NHS CFSMS; 2008. Available from: http://www.dhsspsni.gov.uk/pas-security-prescription-forms-guidance-feb0...

Resource
NHS Counter Fraud and Security Management Service (NHS CFSMS). Protecting Your NHS: a professional approach to managing security in the NHS. London: NHS CFSMS; 2003. Available from: http://www.nhsbsa.nhs.uk/SecurityManagement/Documents/sms_strategy.pdf