AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

NIH Loses Laptop Computer Without Hard Disk Encryption: Some Thoughts

I blogged last night (much sooner than the mainstream media, it seems; I didn't see many other articles at the time) about how the National Institutes of Health had reported that a laptop with patients' data was stolen.  At the time I said that it affected 2,500 people and that the blame shouldn't fall solely on the researcher who lost the laptop.  I also suggested that an encryption solution with easier auditing, like AlertBoot, might have reduced the chances of something like this happening.

Well, I woke up today to find nearly two hundred new articles covering the situation, according to Google News, and plenty of comments on those articles.  I'd like to offer my thoughts on some of the comments that have popped up in all the excitement.

"The Feds are incompetent. They've lost stuff without fail."  Besides the NIH incident, there were the two VA incidents, the lost backup tapes, and so on.  OK, the federal government has problems.  But it is nowhere near the breach record of private industry.  I'm not saying the government is doing a good job.  It's only fair to point out, though, that people are lumping various autonomous agencies together into a single entity.  If people are going to sing that tune and cry for blood, why not go after retailers?  That industry is also composed of separate, autonomous entities, and TJX, the Gap, Hannaford, and numerous other companies have lost more records combined than the federal government has.  Some of them have single-handedly lost more records than the federal government lost in total over the past three years.  And, if I'm not wrong, the federal government is bigger than the retail industry, which would mean it has a lower rate of data breaches relative to its size than retail does.

People shouldn’t get their panties in a bunch.  This is a victimless crime.  Yeah…no, it isn’t.  For starters, there’s the researcher who’s lost the laptop.  He could be fired, demoted, research funds pulled, whatever.  And before someone says “good riddance,” remember, this is a heart researcher, not some office drone munching on doughnuts.  This guy could be the guy to make a breakthrough in cardio‑related research.  And I’m not talking about a new aerobics gizmo. (You know who’s not in the people’s cross‑hairs?  The IT guy who should have made sure the researcher’s laptop was encrypted.)  Plus, there’s the fact that a laptop got stolen.  Last time I checked, theft means there’s a victim.


As for the 2,500 patients who volunteered for the research?  They could be victims, too.  As I remarked in the previous post, the most readily abusable information, such as SSNs, was not included.  The stolen data does include names, dates of birth, and medical diagnoses.  If an insurance company gets hold of that, it has reasons to deny coverage.  Does it sound far-fetched?  Sure.  Could it happen?  It already has.  Just as people Google a name before a blind date, insurance companies have been found to Google the backgrounds of people applying for coverage.

I’d like to say it’s unlikely to happen, but I’ve personally stumbled upon an Alcoholics Anonymous spreadsheet with names, e‑mail addresses, and phone numbers online; who knows what else is out there?  It was weird for me, since I’m under the impression that AA‑related things are supposed to be anonymous, but I’ve never been to one, so I have no idea how it works.

 

"Patient information shouldn't be leaving the premises."  I want to agree with this one.  The best way to protect information, after all, is to keep it inside a security perimeter in the first place.  Of course, thieves can also come to you (burglaries and insider theft happen on-site, too), so you would still need full disk encryption on the computers that hold the data.  But the odds of a breach drop considerably if patient data isn't carried around.

However, there are many legitimate reasons for information to leave the premises.  For example, say we're talking about a hospital rather than a research center.  HIPAA requires covered entities to retain their compliance documentation for at least six years, and state medical-record laws require patient records to be kept for years after the last treatment.  Chances are you're not going to keep all of that on site; hospitals are cramped places already.  It has to go into storage, which generally means leaving the hospital for the vaults of a records-storage company like Iron Mountain.

Or what if a researcher is going to a week-long conference and wants to do some work in his off-time?  A VPN?  Sure, it might work, provided the hotel network cooperates and the data actually stays on the server instead of being copied to the laptop.  And don't tell me no work gets done at such conferences.  Some people do more than sip margaritas when colleagues who can offer suggestions are around.  For that matter, what if you have to share data?  Are these armchair security zealots suggesting people e-mail it?

Why’d he leave the laptop in the trunk of a locked car?  I’d imagine it was for security purposes.  If the researcher was not mindful of security, he’d have left the laptop in the back seat or something.  Nope, this guy was security conscious to a degree.  It’s just a shame he didn’t nurture that security consciousness to a mild degree of security paranoia.  You know, the kind of paranoia that makes you jiggle the door knob after locking the door?  Just to see if it opens?

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.