AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

File Encryption Could Have Helped Grady Memorial Hospital To Protect Voice Files

The FBI is investigating the theft of medical records belonging to Grady Memorial Hospital.  At first, in a sure sign that the heat is getting to me, I thought that a data security solution like AlertBoot couldn’t have helped.  But once you start getting into the story, it’s quite obvious that file encryption would have helped secure the information.  Due to the nature of the files, however, I would have recommended disk encryption if it were a viable option.

 

The gist of the story is that Grady Memorial Hospital lost a bunch of voice recordings that were meant to be converted into medical notes.  What tripped me up was the fact that these files are voice recordings.  As stated in the article by The Atlanta Journal-Constitution, “the records pertained to recorded physician comments.”  Generally, we’re talking about a microcassette recorder if it involves voice, records, and physicians.  I thought a stack of tapes had gone missing.  How do you encrypt a tape that works in a machine independently from a computer?

 

However, if I hadn’t been feeling so indolent and sluggish, the part where it says that the “missing records were kept on computer files” would have jumped out at me.  At least I’m keeping good company when it comes to being clueless: Grady has no idea how many patients are affected, how the records were stolen, or which patients need alerting.  It should be noted that the actual theft involved a subcontractor to the vendor that Grady had hired for the job.

 

So, this is what I’m guessing happened.  A bunch of tapes (or whatever method doctors use nowadays to record their observations) get shipped out to the vendor.  The records are then converted into digital files, if they weren’t in that format already, which in turn are sent out to the subcontractors.  The subcontractors lose the device on which the voice recordings are stored; news travels up the chain of command.  Grady jumps into action.  Grady has no idea how many people are affected because—wait for it—they don’t have a written transcript.  If they had 100 tapes, each of them 1 hour long, they’d have to listen to all 100 recordings to figure out who was affected, and how.  At the same time, they can’t let any Moe, Dick, and Joe listen to these recordings because they’d be toeing the line in terms of doctor‑patient confidentiality and possibly HIPAA regulations.  So, they’re stuck with 100 hours’ worth of listening to be done.  And the only people who can listen to these tapes have real jobs to do.  (Ironically enough, people listening to the recordings and transcribing them—most likely not doctors—are unhindered by regulations because they’re not working at a medical practice…the insanity.)

 

At least, to me, this is the likely explanation for why Grady’s press release is so thin on details.  They probably had to follow the law in terms of announcing the data breach ASAP, and yet they themselves are currently ignorant of how severe a breach they have on their hands due to the nature of the breach and the associated difficulties.  End result: a data breach alert devoid of any real substance.  It’s about as good as not alerting the general populace.

 

Which is what they would have done if Grady or the vendors had adequate data protection in place.  With so little to go on, it’s debatable whether the following would have worked for the hospital, but any type of digital data can usually be protected using file encryption, so this could have been an option for Grady.  The only reason I’m slightly apprehensive in recommending file encryption is that all 100 voice files that I’ve used as an example above would have to be encrypted, which will take time.  An hour’s worth of voice is going to result in a big file no matter what, and the bigger the file, the longer it takes to encrypt.

 

If transporting such files to the vendor, or from the vendor to the subcontractor, is a recurring job, a better method may be to encrypt a portable hard drive using full disk encryption.  Then, any files copied to that particular device will be encrypted automatically.  Plus, there are no delays in encrypting the data since these are encrypted the moment they’re copied over to the encrypted disk.

 

Related Articles:

http://www.ajc.com/metro/content/metro/atlanta/stories/2008/07/25/grady_records_theft.html

 

Comments

ADVANCE Perspective: HIM said:

OK, so maybe it's not exactly the same story, but it's pretty darn close. In a recent article I did,

October 1, 2008 7:26 AM
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.