AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Alberta Health Information Act Updated For Breach Disclosure Notifications

Alberta, Canada is updating its books so that the breach of medical information is disclosed ASAP.  The original legislation had a number of good points although it didn't include a mandate for the use of medical encryption software for laptops used by health information custodians.  On the other hand, the Information Privacy commissioner does require it for devices that store personal and sensitive information, so it's a moot point.

A data breach last fall highlighted further problems, prompting the legislative change.

Breach Remains Under Wraps for Months

Alberta suffered its largest health information data breach to date in September 2013. Over 620,000 people were affected. The breached healthcare organization learned of the mishap right away and duly contacted the Information and Privacy commissioner. And there the story ended until January of this year, when the Health Minister's office was contacted and it went public with the news.

The controversy over the three-month-long delay revealed that the Alberta Health Information Act proved an impediment to the Information Privacy commissioner because it treats "private-sector companies and health providers very differently" and prohibits the commissioner "from disclosing a breach to anyone, or forcing the offending organization to disclose it."

The updated law strikes out this obstruction; however, it is not without its own downsides and has raised concerns.

Use of Encryption Mandated

It's been a while since I've read any Canadian information security law, and what I've read wasn't comprehensive by any means – there's just too much out there, with each Canadian province and territory having its own set of laws.  So how do I know that the use of laptop encryption is mandated by the Alberta Information Privacy commissioner?

Well, I ran into this site at the University of Alberta that deals with "encryption myths and realities."  According to the page,
"The Alberta Office of the Information and Privacy Commissioner and information management legislation such as FOIP, do require information custodians to adequately protect personally identifying information. The privacy commissioner specifically mandates laptop encryption for custodians of personal and sensitive information." [ualbertablog.ca]

This law is quite unique. Legislation that I've come across (and I've read a lot of it despite my status as a non-lawyer) does not mandate the use of encryption on specific devices. Some legislation requires the use of encryption to protect data in general; others contort words so that encrypted data is protected from legal penalties and fines (but does not directly mandate the use of encryption).

This brings up a very interesting question: when people don't follow the law in those regions where laptop encryption is specifically required, what chance do other regions have?

Related Articles and Sites:
http://www.databreaches.net/ca-new-rules-to-require-immediate-warnings-when-health-data-breached/
http://www.edmontonjournal.com/rules+require+immediate+warnings+when+health+data+breached/9812614/story.html
http://www.ualbertablog.ca/2012/01/encryption-myths-and-realities.html
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.