
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Hard Disk Encryption On OHSU Stolen Laptop Not Present. Some Still Don’t Understand Password Protection

Oregon Health & Science University has alerted nearly 900 patients that a laptop computer belonging to an OHSU employee was stolen from his hotel room in Chicago.  OHSU believes that the risk of identity theft is low because Social Security numbers were not included as part of the laptop computer’s data.  However, other information such as names, phone numbers, dates of birth, gender, and some medical information were included.  Makes me wonder why this laptop wasn’t using laptop encryption software to protect its contents.  After all, HIPAA regulations would kick in the moment the laptop left the hospital’s premises, no?

Low Risk of Identity Theft?  Maybe, Maybe Not

Because SSNs were not included, the hospital’s position is that there is a very low risk of ID theft.  I’d like to say, sure, if you’re a lazy criminal.  But if you’re an enterprising criminal, you’ve got plenty to get you all the information necessary to perpetrate ID theft.

OHSU has pointed out that the medical information on this machine was “medical diagnosis category and category of treatment — but not the specific treatments.”  But wouldn’t this be enough for a criminal to call the person and finagle all the necessary information?

The names and phone numbers are available.  A little rummaging of files would probably identify the machine as belonging to OHSU (emails, missives with electronic letterheads, etc.).  What’s preventing a criminal from calling a Mr. or Ms. Jones (the gender of patients was part of the data) as a rep from OHSU and asking blatantly for his or her SSN?  Couldn’t the thief claim that it’s needed in processing the medical insurance papers, you know, regarding “pancreatic cancer”? (Let’s say the diagnosis was “pancreatic cancer” for Jones.)  And there’s a good chance that Jones would give the information.  After all, if anyone knows Jones had issues with pancreatic cancer, it’s the hospital.

Password Protection Was Used

The letter sent out to affected patients pointed out that the laptop computer had password protection on it.  Password protection, unfortunately, while a deterrent, is not an obstacle.  It’s like that “police line - do not cross” tape.  If there’s no officer standing guard, only those who follow the law will not cross the line.  Criminals, by definition, do not follow the law.

Likewise, password prompts under Windows will only prevent those who’re not desperate to find what’s in the computer.  Otherwise, it’s just a matter of popping out the hard drive and connecting it to another computer.  Tired of me harping about this?  I can't help it:

The computer was password protected, which is about the only safety measure you can take except for strapping the laptop around your neck and even then someone would steal it if they wanted. [Posted by pradoyolanda at oregonlive.com, my emphasis]

The above person is wrong.  There’s plenty more OHSU could have done.

Encryption Should Have Been Used

There are two ways to ensure the patient information is not accessed on the stolen laptop: One, delete the information.  Generally, this is a step taken prior to losing the laptop and needs constant monitoring.  The second way is to have the contents of the laptop encrypted.  The use of hard drive encryption or file encryption would have ensured that only people who know the username and password can access the data.  This is different from normal password protection, where one does not need the username and password to bypass the prompt.


Related Articles:
http://www.oregonlive.com/news/index.ssf/2008/12/stolen_ohsu_laptop_may_contain.html#post
http://www.theoutlookonline.com/news/story.php?story_id=122912762851517000
http://www.upi.com/Top_News/2008/12/14/Laptop_contained_patient_records/UPI-31131229266532/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.