AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption Software: UK Calderdale and Huddersfield Foundation Trust Announces Breach (Updated)

The theft of a computer means breach disclosures to 1,500 patients who were treated at Calderdale Royal Hospital. It appears that disk encryption software like AlertBoot was not used to protect its contents, resulting in the breach of data (password protection was used, but this is a poor substitute for encryption software).

Update (02 MAR 2011): It is now believed that the theft of the computer was an inside job [ http://www.examiner.co.uk/news/local-west-yorkshire-news/2011/03/02/patient-personal-details-will-now-be-encrypted-after-laptop-theft-say-hospital-bosses-86081-28266278/ ].

Computer Stolen From Locked Office

The medical director overseeing the hospital had this to say:

At the end of November it was found that part of an electromyography (EMG) machine, a computer which drives it, had been taken from a locked office in the neurophysiology department at Calderdale Royal Hospital ... We have written to some of the department's patients because limited personal data, such as names and dates of birth, was on the password protected computer. [zdnet.co.uk]

This is not a surprising occurrence. First, the NHS has had numerous data breaches over the years involving lost and stolen computers and other storage devices. In fact, there's a case in there where a laptop was stolen from a locked cupboard in a locked office, if memory serves.

Second, even if this were the first such occurrence for NHS, it certainly wouldn't be unheard of elsewhere.  People break in to steal stuff?  Who'd have thought of it?

I still cannot believe that we're still reading about instances where NHS computers trigger a data breach because the contents of those computers were not protected with computer encryption software.  I mean, is it too much to ask?

Sometimes, Yes

I assume that there are computers out there that are part of medical equipment used in the gravest of emergencies. In such cases every second counts, which is why such equipment is designed to be as error-free as possible. I'm not only referring to its uptime -- whether the equipment will fail when most needed -- but also to its operability: will trained and untrained people alike be able to use it correctly?

Take for example the heart defibrillator: used when one is having a heart attack, it's the last thing you want someone losing valuable seconds over, deciding, "uh, what does this knob here do again?" These machines don't come with a computer in them (hmm...maybe this one from Philips does), but assume that they did and that they stored patient information. Do you really want doctors having to mess around with encryption passwords? Clearly encryption is not a good idea in such a machine even if someone boneheadedly decided to infuse the equipment with sensitive data, somehow.

So, again, there are instances where having encryption software protecting access to a machine is not a good idea.  On the other hand, an EMG machine doesn't sound like something that would constitute an emergency piece of equipment.  And, since it does store patient data, why not do the right thing and protect the data that is stored in the computer that works with it?

We already know that people other than Houdini can make their way into locked offices.


Related Articles and Sites:
http://www.zdnet.co.uk/news/security/2010/12/23/hospital-trust-reports-data-breach-to-1500-patients-40091245/?s_cid=938

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.