AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security
Laptop Encryption: Beth Israel Deaconess To Pay $100K To Settle Breach Of Personal Laptop

Beth Israel Deaconess Medical Center will settle with the Massachusetts Attorney General's Office to the tune of $100,000 for causing a data breach when a laptop computer was stolen from its campus. This amount is on top of the $500,000 that the hospital paid to deal with the data breach itself (as of August 2014, according to phiprivacy.net). The use of disk encryption software goes a long way towards preventing such "fines" from being assessed, as many people know: there are legal safeguards as well as technical ones.

However, the hospital couldn't take advantage of these for a very simple reason: the stolen laptop was the personal device belonging to a physician, and so the hospital had no direct control over its security… in theory.

Does Not Mean "Ban Personal Devices"

The data breach occurred in 2012 (that's right, two years ago) and affected nearly 4,000 people.  The laptop was a personal device.  Why is BIDMC being held responsible?

According to the complaint against BIDMC [Beth Israel Deaconess Medical Center], in May 2012, an unauthorized person gained access to a BIDMC physician’s unlocked office on campus and stole an unencrypted personal laptop sitting unattended on a desk. The laptop was not hospital-issued but was used by the physician with BIDMC’s knowledge and authorization on a regular basis for hospital-related business.

As the underlined portion shows, BIDMC cannot but be held accountable.  They knew of the laptop's presence and use.  The physician had obtained authorization.  The laptop was stolen from the hospital's premises.  I mean, except for the question of ownership, you may as well call it the hospital's machine for all intents and purposes as they relate to the data breach.

It's About Securing Data

It's hard to understand how BIDMC got it so wrong. The need to use encryption solutions on sensitive data had been known to the medical community well before 2012. It makes even less sense seeing how the medical center is located in Boston, meaning they have to deal with HIPAA/HITECH as well as the quite arduous Massachusetts data security laws.

Indeed, certain organizations feel that the laws are so oppressive that they actually ban the use of personal devices at work. It's an extreme attempt at controlling the risks of a data breach. Why BIDMC decided to go the other way is a complete mystery to me. Perhaps they made the mistake of believing it was a matter of securing hospital devices. Because the physician's laptop was not hospital property, it was decided that there was no need to encrypt the device.

The problem with this approach, among other things, is that laws and regulations clearly point out that it's the data that needs to be protected.

Related Articles and Sites:
http://www.phiprivacy.net/beth-israel-deaconess-medical-center-to-pay-100000-to-settle-state-charges-over-data-breach/
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.