Even if a medical facility has successfully implemented data encryption like AlertBoot on all computers at their facilities, the lack of oversight can lead to a data breach. Just ask the guys over at Dean Health System and St. Mary's Hospital.
The theft of a laptop computer has resulted in a data breach for Dean and St. Mary's. The crime took place on November 8, at a doctor's residence. Only medical data was affected, and the following was not lost in the burglary: Social Security numbers, addresses, phone numbers, credit card numbers, or other financial information, according to the hospital's spokesperson. It was not mentioned whether the doctor's laptop was protected in anyway (it was her personal computer and not issued by the hospital), although the spokesperson did mention that all "data on Dean computers are encrypted" and that copying the data and placing it in a personal computer was against hospital policy. The use of disk encryption is quite often espoused for better data security, but it has its loopholes, as the above result shows. How are these loopholes possible?
The theft of a laptop computer has resulted in a data breach for Dean and St. Mary's. The crime took place on November 8, at a doctor's residence. Only medical data was affected, and the following was not lost in the burglary: Social Security numbers, addresses, phone numbers, credit card numbers, or other financial information, according to the hospital's spokesperson.
It was not mentioned whether the doctor's laptop was protected in anyway (it was her personal computer and not issued by the hospital), although the spokesperson did mention that all "data on Dean computers are encrypted" and that copying the data and placing it in a personal computer was against hospital policy.
The use of disk encryption is quite often espoused for better data security, but it has its loopholes, as the above result shows. How are these loopholes possible?
It's possible because encrypted requires a compromise when it comes to data security: it has to allow authorized users access to protected contents. Otherwise, what's the use? You might as well just delete the data. Once a person is authorized to access data, by supplying the correct username and password, encryption can't help you. Under full disk encryption, where everything on a computer's hard disk is protected, all contents are up for grabs. Under file encryption, where individual files or groups of files are protected, any files that have been accessed are left unprotected. Until you "sign off," that is. (If the above leaves you wondering "then what's the use of encryption," it's easiest to think of a safe or vault as an analog: Even the most impregnable ones are easily accessible if you supply the combination to the lock. And, once open, the safe doesn't offer any protection until it's closed and locked again.) What's Dean and St. Mary's supposed to do? They have to protect patient information, as dictated by HIPAA (and HITECH gives the bite to do so), but they also have to allow doctors access to that same information. It's necessary for treatment, you know? At the same time, there's only so much the IT department can do. They can't control what a doctor--or any other person, really--chooses to do, including the breaking of computer usage policies. A partial answer might lie in USB port control, which allows an administrator to control which devices can communicate with a computer. This way, a mouse or a blue tooth transmitter for headphones can be used with a computer while, at the same time, blocking the use of portable data devices like flashdrives. However, it cannot take the place of regular data audits and other forms of management oversight activities, which appears to be what failed Dean and St. Mary's.
It's possible because encrypted requires a compromise when it comes to data security: it has to allow authorized users access to protected contents. Otherwise, what's the use? You might as well just delete the data.
Once a person is authorized to access data, by supplying the correct username and password, encryption can't help you. Under full disk encryption, where everything on a computer's hard disk is protected, all contents are up for grabs. Under file encryption, where individual files or groups of files are protected, any files that have been accessed are left unprotected. Until you "sign off," that is.
(If the above leaves you wondering "then what's the use of encryption," it's easiest to think of a safe or vault as an analog: Even the most impregnable ones are easily accessible if you supply the combination to the lock. And, once open, the safe doesn't offer any protection until it's closed and locked again.)
What's Dean and St. Mary's supposed to do? They have to protect patient information, as dictated by HIPAA (and HITECH gives the bite to do so), but they also have to allow doctors access to that same information. It's necessary for treatment, you know?
At the same time, there's only so much the IT department can do. They can't control what a doctor--or any other person, really--chooses to do, including the breaking of computer usage policies.
A partial answer might lie in USB port control, which allows an administrator to control which devices can communicate with a computer. This way, a mouse or a blue tooth transmitter for headphones can be used with a computer while, at the same time, blocking the use of portable data devices like flashdrives.
However, it cannot take the place of regular data audits and other forms of management oversight activities, which appears to be what failed Dean and St. Mary's.
Related Articles and Sites:http://host.madison.com/wsj/news/local/crime_and_courts/article_24f20b7c-0ca0-11e0-b14e-001cc4c03286.html