AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Medical Laptop Encryption Software: 16,800 Fairview, North Memorial Patients Affected By Laptop Theft (Updated)

14,000 Fairview patients and 2,800 North Memorial patients in Minneapolis are being alerted that their protected health information was breached due to the actions of an employee at a subcontractor.  The laptop was not protected with drive encryption software like AlertBoot despite obligations to the contrary.

Update (28 SEP 2011): I've just gone back to the startribune.com article and have found that references to the laptop being a personal one have been deleted (the article shows an update on 10:19 AM September 28).  Furthermore, information that was not available yesterday, such as an explanation of what Accretive Health does, has been added.  I'm not sure what this means.  I think I might have jumped the gun on this one.

Accretive Health is Blamed

According to startribune.com and other sites, a laptop belonging to a subcontractor's employee was stolen during a vehicle break-in.  This incident resulted in the breach of Fairview "patient names, addresses, dates of birth, account balances, dates of services, diagnostic information, and SSNs".  North Memorial informed patients that SSNs were not included.

Hospital officials blamed the incident on a subcontractor, Accretive Health.  It's pretty rare to hear the name of the third party that caused a medical data breach, so this makes me wonder if the subcontractor did something to anger the company (besides causing the data breach, I mean) or if this is a new strategy taken by HIPAA covered-entities that are tired of bearing the brunt of negative PR for breaches they did not cause.

Apparently, the information from Fairview and North Memorial was supposed to be protected with encryption software, as stated in company procedures (it's not specified which company: the hospitals or Accretive Health).  The stolen laptop was not.  It seems quite reasonable that it wasn't, because the device in question was a personal one.

The question then becomes, how did this data end up on this personal computer?  Did the unnamed employee take in his personal computer to work (one of those Bring Your Own Computer to work deals)?  Or did he copy the information to a USB stick (hopefully using encryption software, although very unlikely due to the turn of events) which was later used to copy the information to the laptop?

Employees are Ultimate Failure Point

Encryption is not a panacea.  I often note this, not because encryption software can't do its job, but because a lot of people seem to think that encryption is some kind of magic bullet against all the things that can go wrong with patient data:

"Are you protecting patient data?"
"Oh, don't worry.  We use encryption on all of our laptops."

Let me tell you something: if this is the response you're getting, perhaps you should be worried.  As the above case shows, there are plenty of ways that encryption won't come into play.  Even if all computers at a company are making use of cryptographic defenses, there are plenty of ways for information to pass through safety nets:

  • Information is sent via email
  • Files are copied to external storage devices and media
  • Non-company laptops are used
  • Hackers break into your database

A proper approach to security not only involves technological safeguards but other approaches as well, such as employee training (why and how information is secured) and the proper policies (such as penalties -- including termination of employment -- and rewards).

You must also remember that, as long as you're employing people, the risk of a data breach will never reach zero.


Related Articles and Sites:
http://www.startribune.com/lifestyle/wellness/130644048.html

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.