
AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Full Disk Encryption: Texas Health Presbyterian Hospital Flower Mound Announces HIPAA Breach

Texas Health Presbyterian Hospital Flower Mound has begun notifying patients of a data breach that occurred on June 21, 2011.  According to the notification letter, a laptop that does not appear to be protected with laptop encryption software like AlertBoot was stolen.

Company-Issued Laptop

According to the breach notice posted at the Texas Health Presbyterian Hospital Flower Mound site, the laptop was company-issued to an employee of Texas Health Partners.  The latter was a business associate and provided management oversight.

The now-missing notebook computer contained the following information:

name and account number, plus at least one or more of the following elements: age, allergies, chief complaint, date and time of admission, date and time of laboratory order, date and time of specimen collection, date of birth, dates of service, diagnosis, discharge instructions, discharge summary, employer, gender, height, history and physical report, insurance, group number, ID number, subscriber’s name and/or subscriber’s date of birth, lab results, marital status, medical history, medical record number, Medicare Questionnaire report data, medication, name of account guarantor, name of lab test, name of physician, name and address of spouse, operative report, phone number, procedure, procedure start and stop time, radiology report results, room number, total charges, type of anesthesia, type of service, vital signs, weight, and x-ray number.  It may have also included the social security number for a very small number of patients. [phfmtexas.com]

It has not been revealed how many patients were affected or how the laptop computer was stolen -- from an open office?  From the employee's vehicle?  By a UFO with Star Trek-like tractor beam?  It was revealed, though, that the laptop required a user ID and 12-character password to log on.

Is that Tied to Laptop Encryption?

Furthermore, the use of this 12-character password has led the hospital to conclude that "there is no significant risk of identity theft or financial fraud" (at least, that's the implication).  Is this a realistic assessment?

Well, it depends on a couple of factors.  First, is the 12-character password tied to encryption software or to a password-prompt?  The difference is like asking whether we're talking about money stored in a bank vault vs. a high school locker: for the former, figuring out the combination is the easiest way to get to the money; for the latter, you might not bother with a combo and just bash the locker's door.

Likewise, when it comes to computer data: encryption is like the vault and password-protection is like the locker.  In other words, there are ways of getting around password-protection other than finding out what the actual password happens to be (slaving a hard drive or using a Linux LiveCD, for starters).

Second, how/where was the laptop stolen from?  If it was stolen from the trunk of a car, perhaps the thief will assume that there is very little of substance in the laptop and just reformat the hard drive and install the operating system over it (this does NOT guarantee data security, by the way).  If it was stolen from a medical office, then perhaps the laptop was stolen expressly because it was assumed medical and other useful data was in it, meaning that the thief has an interest in breaking into the computer (which brings us to the first point above).

Long story short: if the password is tied to encryption, then, yes, there is no significant risk.  If the password is not tied to encryption, well, things are not as safe as they seem.


Related Articles and Sites:
http://www.databreaches.net/?p=20240
http://www.phfmtexas.com/LinkClick.aspx?fileticket=Lo%2b7DL2fEsM%3d&tabid=310

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.