
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Hard Disk Encryption: Medical Data From Dean Health System And St. Mary's Hospital Not Protected

Even if a medical facility has successfully implemented data encryption like AlertBoot on all computers at their facilities, the lack of oversight can lead to a data breach.  Just ask the guys over at Dean Health System and St. Mary's Hospital.

Doctor Breaks Protocol, Copies Data to Personal Computer

The theft of a laptop computer has resulted in a data breach for Dean and St. Mary's.  The crime took place on November 8, at a doctor's residence.  Only medical data was affected, and the following was not lost in the burglary: Social Security numbers, addresses, phone numbers, credit card numbers, or other financial information, according to the hospital's spokesperson.

It was not mentioned whether the doctor's laptop was protected in any way (it was her personal computer and not issued by the hospital), although the spokesperson did mention that all "data on Dean computers are encrypted" and that copying the data and placing it on a personal computer was against hospital policy.

The use of disk encryption is quite often espoused for better data security, but it has its loopholes, as the above result shows.  How are these loopholes possible?

Full Disk Encryption, File Encryption, and Copying Data

It's possible because encryption requires a compromise when it comes to data security: it has to allow authorized users access to protected contents.  Otherwise, what's the use?  You might as well just delete the data.

Once a person is authorized to access data, by supplying the correct username and password, encryption can't help you.  Under full disk encryption, where everything on a computer's hard disk is protected, all contents are up for grabs.  Under file encryption, where individual files or groups of files are protected, any files that have been accessed are left unprotected.  Until you "sign off," that is.

(If the above leaves you wondering "then what's the use of encryption," it's easiest to think of a safe or vault as an analog: Even the most impregnable ones are easily accessible if you supply the combination to the lock.  And, once open, the safe doesn't offer any protection until it's closed and locked again.)

What are Dean and St. Mary's supposed to do?  They have to protect patient information, as dictated by HIPAA (and HITECH gives the bite to do so), but they also have to allow doctors access to that same information.  It's necessary for treatment, you know?

At the same time, there's only so much the IT department can do.  They can't control what a doctor--or any other person, really--chooses to do, including the breaking of computer usage policies.

A partial answer might lie in USB port control, which allows an administrator to control which devices can communicate with a computer.  This way, a mouse or a Bluetooth transmitter for headphones can still be used with a computer while portable data devices like flash drives are blocked.

However, it cannot take the place of regular data audits and other forms of management oversight activities, which appears to be what failed Dean and St. Mary's.
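
The port-control idea above, combined with the audit trail that oversight depends on, as an added example (not AlertBoot's code or any product's API). The class codes are the standard USB interface class values; the allow-list, function names, and sample events are assumptions made for illustration.

```python
# Added example: class-based USB port-control decision with an audit record.
# Class codes are the standard USB interface class values (bInterfaceClass).
ALLOWED_CLASSES = {
    0x03: "HID (mouse, keyboard)",
    0xE0: "Wireless controller (Bluetooth adapter)",
    0x09: "Hub",
}
STORAGE_CLASSES = {
    0x08: "Mass storage (flash drive, external disk)",
    0x06: "Still image / PTP (camera, phone)",
}

def evaluate_device(interface_classes):
    """Return (decision, reasons) for one device, given the class of every
    interface it exposes. Default-deny: one storage-capable or unknown
    interface blocks the whole device, so a composite gadget that is both
    a keyboard and a flash drive is not waved through as 'HID'."""
    if not interface_classes:
        return "block", ["no interfaces reported"]
    reasons = []
    for cls in interface_classes:
        if cls in STORAGE_CLASSES:
            reasons.append(f"0x{cls:02X} {STORAGE_CLASSES[cls]}")
        elif cls not in ALLOWED_CLASSES:
            reasons.append(f"0x{cls:02X} not on allow-list")
    return ("block", reasons) if reasons else ("allow", [])

def audit(events):
    """Evaluate connection events and return the records an administrator
    would review; blocked attempts carry the reasons for the decision."""
    records = []
    for ev in events:
        decision, reasons = evaluate_device(ev["interfaces"])
        records.append({"host": ev["host"], "device": ev["device"],
                        "decision": decision, "reasons": reasons})
    return records

# Constructed sample events (host and device names are made up).
SAMPLE_EVENTS = [
    {"host": "ws-01", "device": "optical mouse", "interfaces": [0x03]},
    {"host": "ws-01", "device": "bluetooth dongle", "interfaces": [0xE0]},
    {"host": "ws-02", "device": "flash drive", "interfaces": [0x08]},
    {"host": "ws-02", "device": "keyboard+storage combo", "interfaces": [0x03, 0x08]},
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_EVENTS):
        print(rec)
```

The blocked entries in the output are the part that matters for oversight: each one is a policy-violation attempt that someone has to actually review.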


Related Articles and Sites:
http://host.madison.com/wsj/news/local/crime_and_courts/article_24f20b7c-0ca0-11e0-b14e-001cc4c03286.html

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.