Oregon Health & Science University is reporting another data security breach. This is the second such breach in six months, and it again involved the theft of a laptop computer. As in the previous instance, it has been pointed out that password protection was used to protect the contents of the laptop. There is no mention of whether hard disk encryption like AlertBoot was used, although my opinion is that it would have been mentioned (after all, password protection was mentioned).
The laptop computer was stolen from a physician's home. More specifically, it was stolen from his car, which was parked at his home. As history shows, cars parked overnight and laptops are not a good combination.
Patient names, treatment dates, treatment summaries, and medical record numbers were stored on the laptop, according to kptv.com. These are not what a criminal would normally use for identity theft and other forms of fraud. On the other hand, they could be used for other crimes, such as blackmail.
This is speculation, of course, and it would take lots of time to pull off, but the above could be combined with a phonebook to carry out one of those "if you don't pay, I'll tell your medical condition to important people" scenarios. It wouldn't be the first time someone paid money so people would shut up about HIV statuses, unwanted pregnancies, etc.
More pragmatically, it would seem that the loss of the laptop without any encryption on it is a violation of HIPAA regulations. While HIPAA doesn't outright require the use of encryption software when it comes to protecting personal health information (PHI), it does require that PHI be protected against threats to its security or integrity. I'd say that password protection does not fit this description, but that would be for the courts to decide.
(On the other hand, the fact that the prior OHSU incident also lacked encryption strongly signals that, under the current HIPAA rules, password-protection may be good enough. Not good enough from a security perspective, in my opinion, just good enough to cover one's behind when the law comes knocking. One's got to assume that OHSU's lawyers know what they're doing, right?)
There are numerous methods of easily bypassing password protection. The methods are so easy a child could do it. And these methods are meticulously documented on the web, so it's just a simple matter of looking them up. This is why password protection is not to be trusted.
Data security programs like full disk encryption, on the other hand, don't suffer from such a flaw. Indeed, that's why banks, law enforcement agencies, and other organizations--including criminal ones--use encryption to secure their information.
Related Articles and Sites:
http://www.kptv.com/technology/19739721/detail.html
http://www.databreaches.net/?p=5555