A doctor at Hong Kong's United Christian Hospital has reported the loss of a USB memory stick over the weekend. The thumbdrive did contain patient information, albeit limited, but its data was not secured in any way--neither data encryption software like AlertBoot endpoint security nor password-protection was used.
The lost data was limited, as I mentioned previously. Only eight patients were affected--some would say eight too many--and the information included names, ID numbers, and scans of a fetal heart in one case. A PowerPoint file, created for an internal clinical discussion, also contained the details of seven patients.
Five of the eight patients were contacted. Efforts are being made to contact the other three.
There was no mention of where or how the USB flashdrive was lost.
An initial probe found that the doctor was not complying with the hospital's data security guidelines. It has been pointed out, for example, that personally-identifying patient data was not required in the clinical discussion, so it shouldn't have been included. I imagine that the lack of data security programs on the drive would also be against the guidelines.
A Hong Kong legislator has remarked that one way to minimize data breaches is to use password-protected USB sticks.
Sigh. That certainly would lower breaches--but it wouldn't really minimize them.
Why not use password-protection? Because people can bypass it. Depending on what type of device it happens to be, there may be multiple ways of doing it: removing batteries, using a hex editor, connecting a device to a different computer, booting up from a CD…none of these are particularly hard things to do.
Furthermore, the instructions for doing so can be found quite easily. You can thank Google and other search engines for that.
A search for bypassing encryption, though, will generally reveal…well, interesting stuff, but nothing practical. I guess an explanation could be that people who know how to bypass encryption are keeping their mouths shut and their fingers restrained.
Another explanation is that encryption is pretty much impossible to bypass. I only add the qualifier because…well, you never know. But I know this: as of right now, encryption will always provide better data security than password-protection.
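The contrast drawn above can be checked on a drive's raw bytes. The following is an added example, not code from the original post or from any product it names: it models a password gate that stores data in the clear beside a container encrypted with a password-derived key, then audits each without supplying the password. The container layouts, the sample record and the HMAC-based keystream (a standard-library stand-in for a vetted cipher such as AES) are assumptions made for illustration.

```python
import hashlib, hmac, math, os
from collections import Counter

# Constructed sample record; not real patient data.
RECORD = b"name=CHAN Tai Man;id=A000000(0);note=fetal heart scan\n" * 20
MARKERS = [b"name=CHAN", b"id=A000000", b"fetal heart"]

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def gate_only(password: str, payload: bytes) -> bytes:
    """Hypothetical 'password protection': a stored verifier, payload left in the clear."""
    salt = os.urandom(16)
    return b"GATE" + salt + _kdf(password, salt) + payload

def encrypted(password: str, payload: bytes) -> bytes:
    """Payload XORed with an HMAC-SHA256 counter keystream keyed from the password.
    Stand-in for a vetted cipher; use a real crypto library in production."""
    salt = os.urandom(16)
    key = _kdf(password, salt)
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(payload) // 32 + 1))
    return b"ENCR" + salt + bytes(a ^ b for a, b in zip(payload, stream))

def entropy_bits_per_byte(raw: bytes) -> float:
    """Shannon entropy; text sits well below 8, good ciphertext close to 8."""
    counts = Counter(raw)
    return -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values())

def audit(raw: bytes, markers: list[bytes]) -> dict:
    """What a reader of the raw bytes sees without ever entering the password."""
    found = [m for m in markers if m in raw]
    return {"leaks": bool(found), "found": found,
            "entropy": round(entropy_bits_per_byte(raw), 2)}

if __name__ == "__main__":
    for label, blob in (("gate-only", gate_only("pw", RECORD)),
                        ("encrypted", encrypted("pw", RECORD))):
        print(label, audit(blob, MARKERS))
```

The same audit can be pointed at a file copied from a "protected" stick to confirm whether the protection actually encrypts the data or only gates access to it.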
Related Articles and Sites:
http://www.thestandard.com.hk/news_detail.asp?pp_cat=11&art_id=80809&sid=23450808&con_type=1
http://news.gov.hk/en/category/healthandcommunity/090412/html/090412en05003.htm
http://www.networkworld.com/news/2009/041409-hk-panel-probes-lost-flash.html
http://www.networkworld.com/news/2009/041409-united-christian-hospital-loses-another.html