AlertBoot Endpoint Security

Full Disk Encryption: University of Rochester Medical Center Notifies 837 Of Lost Flash Drive

University of Rochester Medical Center (URMC) has notified 837 people that their medical information may have been compromised when a USB memory stick went missing.  Disk encryption software was not used to secure the contents of the flash drive.

Not All Affected

The USB disk belonged to a surgeon who used it to save information for patients that needed follow-up care.  The only reason 837 patients are being notified is that the physician is uncertain whose files were on the missing USB disk.  The 800-odd patients represent current and former patients the doctor has seen over the past 3 years.

The lost information includes names, dates of birth, and diagnoses and other medical information, but does not include SSNs or addresses.  Overall, not that bad, as medical data breaches go.

This case is one where everyone is being notified because the list cannot be pared down.  One imagines the list could be pared down--say, to only the patients that he's seen in the last year--but there is no guarantee that he deleted any files after a patient successfully recovered.  And who's to say how long it takes for patients to recover?  If it takes them more than a year of follow-up after surgery...well, my proposed "one year cutline" would be inadequate.

USB Disk Encryption Ought to Have Been Used

There's a lot of talk about the "cloud-this" and the "centralized-medical-database-that" and lots of forward-thinking technologies (and their negative effects) but sometimes it's the old stuff that one has to focus on.  In fact, some might say that most of the time it's the old stuff that one has to focus on.

Why?  Because it's the old stuff that's being used by people.  Of course, USB flash drives, as commercial products, are anything but old.  I got my first one about 5 years ago, when they were still considered "hot products."  Still using the same one, in fact.

It's not protected with whole disk data encryption, which may raise some eyebrows in some circles.  I mean, look who I work for.

On the other hand, unlike the good doctor above, I never carry personal information on it.  And, if I do find myself needing to save a sensitive file to it, I actually use a self-contained file encryption program from Sophos.  Why?  Well, it works.  And it's free.

Now, if I were in the habit of constantly saving sensitive data to my 5-year-old USB drive, I would use a disk encryption program like AlertBoot on it, which is what our surgeon should have been doing.

URMC has announced that they'd start encrypting all laptops and USB flash drives in order to prevent similar future breaches.  I don't know why they've waited so long.


Related Articles and Sites:
http://www.phiprivacy.net/?p=3586
http://www.whec.com/news/stories/S1728283.shtml?cat=566

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.