More details on the Lucile Packard Children's Hospital situation from yesterday. I had harped about the lack of full disk encryption on a stolen computer that belonged to the hospital. Well, it turns out that the presence of encryption wouldn't have made much of difference....unless remote administration is possible, like it is in AlertBoot.
It was already mentioned that the hospital would be challenging the fine imposed by the California Department of Public Health (CDPH), a whopping $250,000 for not reporting the breach within the legally-required five days after the discovery of the breach. Some details were revealed today in the appeal notice which, I guess, can explain why encryption software was not used to protect data on this particular computer that got stolen: The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home.[lpch.org] I wasn't quite sure I read that correctly; I thought that perhaps the computer was subsequently stolen from the employee's home; I mean, it's known to happen. But, no, it's literally a case where the hospital experienced a breach because an employee took the office computer without authorization. The point was further driven home when it was revealed that "theft charges have been filed against the former employee."
It was already mentioned that the hospital would be challenging the fine imposed by the California Department of Public Health (CDPH), a whopping $250,000 for not reporting the breach within the legally-required five days after the discovery of the breach.
Some details were revealed today in the appeal notice which, I guess, can explain why encryption software was not used to protect data on this particular computer that got stolen:
The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home.[lpch.org]
I wasn't quite sure I read that correctly; I thought that perhaps the computer was subsequently stolen from the employee's home; I mean, it's known to happen. But, no, it's literally a case where the hospital experienced a breach because an employee took the office computer without authorization. The point was further driven home when it was revealed that "theft charges have been filed against the former employee."
A data security tool like encryption would be useless in this situation....or would it? On the face it, encryption is useless because the employee already had authorization to access the computer. This implies that he is in possession of the password and any external tokens for accessing the computer. This is the problem with data security tools when there's an "insider breach": a general assumption is made that you can trust those who've been given access. On the other hand, a solution like AlertBoot endpoint encryption could have been useful. For example, when it's revealed that the computer was stolen, an administrator hops onto his computer, goes to an administrative console in the cloud, and updates the settings for the stolen machine, rescinding the thief/employee's access. Once this administrative procedure is finished, the employee is now "on the outs" when it comes to accessing the stolen computer's data. Granted, the stolen computer must eventually connect to the internet for the password to be invalidated on the computer, but this "connection requirement" is also true for computer recovery software that are billed as "LoJack for computers." Also, I should point out that there is no guarantee that the computer wouldn't have been stolen a second time, after the employee took the computer home or on his way home. In that case, it really would have been a data breach, without any gray areas (the employee charged with theft was given access to the data as part of his job). The use of disk encryption programs would have been paramount. Coulda, shoulda, woulda...yes, they're all suppositions. Until something unexpected happens, like an employee stealing a desktop computer.
A data security tool like encryption would be useless in this situation....or would it?
On the face it, encryption is useless because the employee already had authorization to access the computer. This implies that he is in possession of the password and any external tokens for accessing the computer. This is the problem with data security tools when there's an "insider breach": a general assumption is made that you can trust those who've been given access.
On the other hand, a solution like AlertBoot endpoint encryption could have been useful. For example, when it's revealed that the computer was stolen, an administrator hops onto his computer, goes to an administrative console in the cloud, and updates the settings for the stolen machine, rescinding the thief/employee's access. Once this administrative procedure is finished, the employee is now "on the outs" when it comes to accessing the stolen computer's data.
Granted, the stolen computer must eventually connect to the internet for the password to be invalidated on the computer, but this "connection requirement" is also true for computer recovery software that are billed as "LoJack for computers."
Also, I should point out that there is no guarantee that the computer wouldn't have been stolen a second time, after the employee took the computer home or on his way home. In that case, it really would have been a data breach, without any gray areas (the employee charged with theft was given access to the data as part of his job). The use of disk encryption programs would have been paramount.
Coulda, shoulda, woulda...yes, they're all suppositions. Until something unexpected happens, like an employee stealing a desktop computer.
Related Articles and Sites:http://www.lpch.org/aboutus/news/releases/2010/cdph.htmlhttp://www.phiprivacy.net/?p=3664http://www.computerworld.com/s/article/9184679/Hospital_appeals_250_000_fine_for_late_breach_disclosure