Saint John Regional Hospital in Canada has announced that an outside contractor, Cook Medical, has lost a laptop computer with some (literally!) sensitive data. It is claimed that "extensive security" was used, but I beg to differ. If they had used hard drive encryption I would be willing to entertain such claims. It turns out the security in place was the use of two passwords. That's computer security in the sense that a uniformed mannequin is security.
According to dailygleaner.com and timestranscript.com, the laptop was stolen from a Cook Medical employee back in January. Saint John Regional Hospital, however, only received notice this month.
Letters were sent to the three patients whose names and birthdates were stored on the laptop. Credit monitoring was offered. The RCMP is investigating, but has not turned up anything so far.
With only three affected, it makes one wonder why that information was on that laptop. The only Cook Medical I was able to turn up is the developer of health care devices. Makes you wonder how names and birthdates of patients figure into the design of devices...
I've already pointed out that the use of encryption software like AlertBoot endpoint security systems would have indicated extensive security. It's not total and complete (what if the owner of the laptop kept the password taped to the bottom of the device?), but it's certainly better than what I'm reading here. According to timestranscript.com, Gary Foley, vice-president of professional services for Regional Health Authority B, pointed out that:
"...the laptop was equipped with two security passwords, which...made it extremely unlikely that any information on the computer could be accessed."
I'd drop the word "extremely" from that sentence. Consider the word "extreme." A "security" measure that takes less than 10 minutes to disable, with little need for technical knowledge...does this sound like a data breach would be an "extremely unlikely" scenario?
Now compare it to encryption, which demands a high degree of technical knowledge to bypass and, even with that knowledge, may require no less than a century to gain access to the data. Which sounds like extensive security?
Health Minister Mike Murphy said despite efforts to improve security, some breaches are bound to occur. "We have 19,000 employees in the Department of Health and there are going to be privacy breaches from time to time," he said. [dailygleaner.com article]
I can't argue with that. Even if the rate of breaches were a low, low 0.01% per employee per year (that means the chances of a given employee not causing a breach are 99.99%; obviously, the number is not grounded in real life), with 19,000 employees you'd have almost two breaches annually.
Plus, consider how many contractors and outside vendors the Department of Health must be working with, and the effective number of "employees" increases further, even if the hypothetical rate above stays the same.
So, Mr. Murphy is right--he's being pragmatic and pointing out the obvious. (Kind of unusual when you consider he's a politician.)
On the other hand, there is a difference between being pragmatic and being a defeatist. Just because you know it's going to happen doesn't mean you can't do anything about it.
For example, you could work to further decrease the odds of a breach. Instead of relying on questionable security measures like double, triple, or quadruple passwords, why not use encryption?
Related Articles and Sites: http://telegraphjournal.canadaeast.com/front/article/650641