AlertBoot Endpoint Security

Hard Disk Encryption: Vancouver Coastal Health Data Breach

A Vancouver hospital has notified patients of a data breach.  A medical student lost a laptop and a USB drive that were not protected with full disk encryption software like AlertBoot.  It goes without saying, but I'll say it anyway: Why?

450 People Affected

Approximately 450 people were affected by the data breach.  The laptop and USB drive, owned by a medical student with ties to Vancouver General Hospital, were lost while the devices were being used outside hospital facilities.  More specifically, they were lost at Toronto airport.

The devices were not secured using full disk encryption (FDE), but it's noted that password protection was used.  Password protection is, of course, a poor substitute for FDE.

The hospital records stored on the devices included names, medical record numbers, dates of birth, and medical diagnoses.  The breach affects Vancouver General Hospital visitors from November 16, 2009 through March 2010.

Medical Student?  How About Resident Physician?

The situation has raised questions among commentators.  Some have asked, with a certain rage and frustration: "what's a student doing with people's health data?"  While I can understand the frustration, I must also point out that it's misplaced.

The fact that a "student" lost the data is meaningless.  After all, this is not some elementary school we're talking about; it's a hospital.  Specifically, the laptop belonged to a resident physician.  If you haven't watched ER, Scrubs, Chicago Hope, Grey's Anatomy, and numerous other medical dramas/dramedies, a resident is a person with a medical degree who practices medicine under the supervision of a fully licensed doctor.  In other words, they're "graduate student" doctors, if you will: not really a student, but not a PhD, either.

Plus, even if the owner of the laptop were a full-fledged student, what does it matter?  If you're in medical school, chances are you have to deal with people's medical data.

The question is: why was the student's laptop not encrypted?  Was he allowed to take the data off medical premises?  If so, why was the student's laptop not encrypted?  Also, why was the student's laptop not encrypted?  Have I mentioned that I wonder why was the student's laptop not encrypted? (You get the point).

Encryption is not a Guarantee.  But It's Better than Lip Service

The site ctvbc.ctv.ca has an interview with a hospital spokesperson.  He notes that the breach is an unfortunate circumstance and that they will do their best to prevent it from happening again, but that they cannot guarantee it won't happen again.

I hate to say it, but he's right.  Decentralization in medical operations has meant the introduction of many data "endpoints": computers, laptops, tablet PCs, smartphones, etc.  Protecting all these devices; tracking which ones have sensitive data; running audits on them periodically; etc. is, while technically possible, realistically improbable.  Hence, the lack of a guarantee.

However, that doesn't mean that you can't be safe.  For example, traffic accidents happen every day, but seat belts, air bags, defensive driving, proper car maintenance, and other safeguards lower drivers' risk profile, which means most people survive a lifetime of driving unscathed.

Likewise for data breaches.  Despite all the logistical problems surrounding patient data security, the risks of having one can be lowered significantly.  For example, the use of health data encryption software like full disk encryption for laptops prevents many breaches from occurring, and would have prevented the one above.

So, in light of this, why was the student's laptop not encrypted?


Related Articles and Sites:
http://www.ctvbc.ctv.ca/servlet/an/local/CTVNews/20111027/bc_steele_privacy_breach_111027/20111027/?hub=BritishColumbiaHome
http://topnews.ae/content/29782-resident-doctor-loses-laptop-security-breach-issued

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.