Yale School of Medicine has announced that the clinical information of 1,000 people has been breached. A laptop computer was stolen from the office of a data analyst. The laptop was password-protected, but its drive was not encrypted.
The announcement by Yale covers very little:
- 1,000 people affected
- Clinical information lost (no SSNs, financial information, or insurance numbers included)
- Password protection, not encryption, in place
- Stolen on July 28
There is no mention of how the theft took place (forced break-in? Non-forced break-in? Mugging?), or what type of clinical information was lost.
Perhaps that's why the Attorney General is looking into the issue.
I posted yesterday why the best computer password protection was no match for encryption; it's a recurring theme of mine.
Perhaps Yale will finally go ahead and encrypt any machines that contain, or could potentially contain, sensitive information now that they've had their second breach. This is not Yale's first data breach incident, after all. In 2007, the on-campus theft of two computers led to a breach affecting over 10,000 students, faculty, and staff.
Or perhaps they won't do anything of note because it's already a requirement at Yale that encryption be used. From Yale's HIPAA policy page:
All Yale laptop and desktop computers used to store, access or transmit ePHI must follow current secure configuration standards, including:
- Whole Disk Encryption
- Automatic distribution of security and other patches via central computer management software (like Big Fix)
- Installation and update of anti-virus/anti-spyware software
- Automatic locking and password protection of desktops after 15 minutes of inactivity
- Registration in the ITS Backup service
- Protection via proxy servers or removal of administrative privileges
- Removal of applications that increase the vulnerability of computers such as Peer to Peer (P2P) file sharing
- A locking cable for physical security
- Other safeguards as they become technically feasible
The School of Medicine is part of the "Yale University HIPAA Covered Components" and is covered by the above requirements.
So why was this particular computer not encrypted? It contained ePHI: the data lost was clinical information, and it doesn't get more ePHI than that.
We don't have much information to go on, but it could be that this particular computer was a personal one. Or, perhaps the computer just slipped through the cracks.
This is actually a pretty common occurrence, especially if an organization has to install encryption on computers that are already in use. The larger the population of computers, the greater the chances that something will be overlooked.
There are solutions that try to minimize or eliminate this. AlertBoot endpoint encryption, for example, has a built-in encryption report that tracks every computer on which its software is installed: each such computer automatically appears on the report, identified as either encrypted or not yet encrypted. This makes it easy to pick out the machines that still need work. Plus, if you compare that report against a list of the computers you actually have "out there" (such as Active Directory), you can also see which ones never received the encryption software at all.
In traditional encryption suites, however, this report is usually an afterthought and is often less accurate than it could be, which is how individual computers end up overlooked.
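The reconciliation described above, as an added example that is not AlertBoot's software, report format, or API: a console's encryption status report and an Active Directory computer export are compared to bucket every machine as encrypted, installed-but-unencrypted, never-received-an-agent, or unknown to the directory. Both data sets below are constructed sample rows, and the column layout and status strings are assumptions about what such exports typically contain. The one caveat it bakes in: stale AD objects are reported separately rather than dropped, because a laptop that has walked out the door stops logging on and looks exactly like a stale object.

```python
"""Reconcile an endpoint-encryption status report with a directory inventory.

Added example (not AlertBoot's software, report format, or API). The two
data sets below are constructed sample rows; the column layout and the status
strings are assumptions about what such an export typically contains.
"""


def norm_host(name: str) -> str:
    """Normalise a hostname so both inventories key on the same string.

    AD computer objects carry a trailing '$' on sAMAccountName, and agents
    frequently report hostnames in mixed case.
    """
    return name.strip().rstrip("$").upper()


# Constructed sample: rows from the encryption console's status report.
# (hostname, status) -- status strings are assumed, not a real product's.
ENCRYPTION_REPORT = [
    ("YSM-LAP-001", "Encrypted"),
    ("YSM-LAP-002", "Encrypted"),
    ("YSM-LAP-003", "Not Encrypted"),      # agent installed, disk never encrypted
    ("ysm-lap-004", "Encrypting (37%)"),   # mixed case, mid-rollout
    ("YSM-DSK-010", "Encrypted"),
    ("JDOE-MACBOOK", "Not Encrypted"),     # agent on a machine AD has never seen
]

# Constructed sample: computer objects exported from Active Directory.
# (sAMAccountName, operatingSystem, days since lastLogonTimestamp)
AD_COMPUTERS = [
    ("YSM-LAP-001$", "Windows 7 Professional", 2),
    ("YSM-LAP-002$", "Windows 7 Professional", 5),
    ("YSM-LAP-003$", "Windows 7 Professional", 1),
    ("YSM-LAP-004$", "Windows XP Professional", 9),
    ("YSM-LAP-005$", "Windows 7 Professional", 3),     # never received an agent
    ("YSM-DSK-010$", "Windows 7 Professional", 1),
    ("YSM-LAP-099$", "Windows XP Professional", 400),  # silent for over a year
]


def reconcile(report, ad_computers, stale_days=90):
    """Bucket every known machine by what the two inventories say about it.

    Returns a dict of hostname sets:
      encrypted            agent present and reporting a fully encrypted disk
      agent_not_encrypted  agent present but the disk is not (yet) encrypted
      no_agent             live in AD, absent from the encryption report
      stale_no_agent       in AD, no agent, and silent for more than stale_days
      not_in_directory     in the report but unknown to AD (personal/unmanaged)
    """
    status_by_host = {norm_host(h): s for h, s in report}
    reported = set(status_by_host)

    ad_active = {norm_host(h) for h, _os, days in ad_computers if days <= stale_days}
    ad_stale = {norm_host(h) for h, _os, days in ad_computers if days > stale_days}

    encrypted = {h for h, s in status_by_host.items() if s.strip().lower() == "encrypted"}

    return {
        "encrypted": encrypted,
        "agent_not_encrypted": reported - encrypted,
        "no_agent": ad_active - reported,
        # Do not silently drop stale objects: a stolen laptop stops logging on,
        # so "stale" is exactly where a missing machine hides.
        "stale_no_agent": ad_stale - reported,
        "not_in_directory": reported - (ad_active | ad_stale),
    }


def needs_attention(result):
    """Every host that is not confirmed encrypted, sorted into a work list."""
    keys = ("agent_not_encrypted", "no_agent", "stale_no_agent", "not_in_directory")
    return sorted(set().union(*(result[k] for k in keys)))


if __name__ == "__main__":
    result = reconcile(ENCRYPTION_REPORT, AD_COMPUTERS)
    for bucket, hosts in result.items():
        print(f"{bucket:<20} {len(hosts):>3}  {', '.join(sorted(hosts))}")
    print("work list:", needs_attention(result))
```

On the sample data, only three of seven directory machines come back as confirmed encrypted; the work list is everything else, and the unmanaged `JDOE-MACBOOK` shows up twice (unencrypted and unknown to AD), which is the "personal computer" case the post speculates about.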
Related Articles and Sites:
http://www.nhregister.com/articles/2010/08/18/news/new_haven/doc4c6c3adccaeed193113041.txt
http://middletownpress.com/articles/2010/08/18/news/doc4c6c477b7b0c0205564912.txt
http://newhavenindependent.org/index.php/archives/entry/blumenthal_investigates_yale_security_breach/id_28544