AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Laptop Encryption Software Not Used On Missing St John Regional Hospital

Saint John Regional Hospital in Canada has announced that an outside contractor, Cook Medical, has lost a laptop computer with some (literally!) sensitive data.  It is claimed that "extensive security" was used, but I beg to differ.  If they had used hard drive encryption I would be willing to entertain such claims.  It turns out the security in place was the use of two passwords.  That's computer security in the sense that a uniformed mannequin is security.

Only Three Affected - Hospital Notified Three Months After Data Breach

According to dailygleaner.com and timestranscript.com, the laptop was stolen from a Cook Medical employee back in January.  Saint John Regional Hospital, however, only received notice this month.

Letters were sent to the three patients whose names and birthdates were stored on the laptop.  Credit monitoring was offered.  The RCMP is investigating, but has not turned up anything so far.

With only three affected, it makes one wonder why that information was on that laptop.  The only Cook Medical I was able to turn up is the developer of health care devices.  Makes you wonder how names and birthdates of patients figure into the design of devices...

Extensive Security - Uhm...That's Debatable

I've already pointed out that the use of encryption software like AlertBoot endpoint security systems would have indicated extensive security. It's not total and complete (what if the owner of the laptop kept the password taped to the bottom of the device?), but it's certainly better than what I'm reading here. According to timestranscript.com, Gary Foley, vice-president of professional services for Regional Health Authority B, pointed out that:

"...the laptop was equipped with two security passwords, which...made it extremely unlikely that any information on the computer could be accessed."

I'd drop the word "extremely" from that sentence.  Consider the word "extreme."  A "security" measure that takes less than 10 minutes to disable, with little need for technical knowledge...does this sound like a data breach would be an "extremely unlikely" scenario?

Now compare it to encryption, where bypassing it demands a high degree of technical knowledge and, even with that knowledge, may require no less than a century to gain access to the data. Which sounds like extensive security?

Being Pragmatic About It - Maybe Too Pragmatic?

Health Minister Mike Murphy said despite efforts to improve security, some breaches are bound to occur.
"We have 19,000 employees in the Department of Health and there are going to be privacy breaches from time to time," he said. [dailygleaner.com article]

I can't argue with that. Even if the rate of breaches were a low, low 0.01% per year (that means the chance of not having a breach is 99.99%; obviously, the number is not grounded in real life), with 19,000 employees, you'd have almost two breaches annually.

Plus, consider how many contractors and outside vendors the Department of Health must be working with, and the number of "employees" actually increases, even if the above hypothetical rate stays the same.

So, Mr. Murphy is right--he's being pragmatic and pointing out the obvious. (Kind of unusual when you consider he's a politician.)

On the other hand, there is a difference between being pragmatic and being a defeatist.  Just because you know it's going to happen doesn't mean you can't do anything about it.

For example, you could work to further decrease the odds of a breach.  Instead of relying on questionable security measures like double, triple, or quadruple passwords, why not engage the use of encryption?


Related Articles and Sites:
http://telegraphjournal.canadaeast.com/front/article/650641

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.