AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Medical Laptop Security: Users Of Blood Clot Prevention Medicine At Risk Of ID Theft

Medical laptop encryption like AlertBoot disk encryption is both effective and affordable when it comes to securing protected health information (PHI). So why is it not used as often as it should be? The question is prompted by a data breach at Alere Home Monitoring, which is in the news due to the loss of a laptop computer that led to 100,000 breach notification letters.

Laptop Stolen from Employee Car

According to the fine investigative work by Dissent at phiprivacy.net, we know that Alere Home Monitoring suffered a data breach on September 23, 2012. However, it looks like the company was only alerted to the data breach around October 1 (about a week later).

According to sources found by Dissent, a laptop computer was stolen from a parked car on September 23, among other items. The laptop was password protected; however, there is no mention of whether patient encryption software was used to protect the data. On the other hand, notification letters to one hundred thousand people are generally a dead giveaway that cryptographic solutions were not used.

The stolen data included names, addresses, dates of birth, Social Security numbers, and diagnoses.  The police have been notified, and one year's worth of identity protection is being offered to those affected.

Apparently, not all were clients of Alere. Some of those being notified could have dealt with QAS, Inverness Medical, or HemoSense, although Dissent notes that she can't confirm that the information is accurate. The relationship between these three and Alere, according to cap.org, is that Alere Home Monitoring was formerly Inverness, and that the company acquired HemoSense, QAS (aka Quality Assured Services), and Tapestry. The last one was not mentioned in connection with the breach.

Questions, Questions

Dissent also offers some questions:

  1. Why weren't the data encrypted?
  2. Why was a laptop left in an unattended vehicle?
  3. Was there a substitute media notice? If so, where was it published?
  4. Why is there no prominently displayed notice on Alere's home page?
  5. Will HHS actually fine entities for leaving unencrypted data in cars?

All of these questions (quite valid, seeing how difficult it was to obtain information regarding this case) are a result of improperly securing patient information. If you work for a HIPAA covered entity, and you use a laptop computer that is full of PHI, the use of laptop disk encryption software is a no-brainer: not only does encryption protect data from unauthorized access, it also provides safe harbor from multiple data breach rules and regulations, both at the federal and state level.

Granted, just because you use a laptop chock-full of PHI doesn't mean you're required to use encryption. If, like me, you use a laptop computer as a replacement for a desktop computer, then whatever security measures you had in place for the desktop can arguably be applied to the laptop (but why take the chance?). Seeing how the laptop was stolen from a car, however, encryption should have been used in this case.


Related Articles and Sites:
http://www.phiprivacy.net/?p=10627
http://www.valvereplacement.org/forums/showthread.php?41003-**WARNING-LETTER**-from-Alere

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.