Blog

Posts Tagged ‘patient data’

Cord Blood Registry Learns Hard Lesson

Friday, March 4th, 2011

What happens when you leave a laptop and backup tapes holding unencrypted sensitive customer data in your car? Simple–someone breaks into aforementioned vehicle and steals them–leading to a data breach affecting 300,000 customers.

Cord Blood Registry, the world’s largest stem cell bank, learned this lesson the hard way. Hopefully, your data is already protected–especially on laptops and backup media. If not, hopefully you will learn from CBR’s mistake and won’t have to go through the painful process of learing the lesson the hard way as well.

The lax data protection is a combination of a false sense of security, combined with being oblivious to the risk, mixed with a healthy dose of feeling like the solution is too complex or costly. CBR should have had policies in place mandating that data on laptops and backup media be encrypted to prevent exposure or compromise. More importantly, it should have had tools in place that simplifiy and automate that process so that data protection isn’t reliant solely on an individual user’s ability to follow that policy.

Tags: , , , , , ,
Posted in Data Storage Security, Security Breaches & Data Loss Incidents | No Comments »

Gigabytes of Data Gone in a Flash

Thursday, March 3rd, 2011

Have you ever lost a USB thumb drive? I have so many, I am not even sure I would notice if one was missing. I am positive that some have been misplaced over time. Thankfully, none of my USB thumb drives have any private or sensitive information I care about on them. Lost thumb drive? No sweat. The next tech conference or event I go to, I am bound to get three or four new ones.

For many companies, unfortunately, thumb drives also get lost–but contain sensitive data that is not properly protected. For example, an employee of the Henry Ford Health System in Michigan recently lost a USB flash drive containing unencrypted information on nearly 3,000 patients.

Apparently, Henry Ford Health System has a policy in place mandating that such data be encrypted. The article states, “The device is not encrypted as required to protect individual patient information.” It also says, “hospital officials said it’s still unclear how the flash drive was lost.”

I think this brings up two valuable points. First–it is only marginally relevant how the flash drive was lost. Maybe it was stolen. Maybe it got left in a pair of pants and washed with the laundry. Maybe it fell out of the employee’s pocket. The bottom line is that determining how the USB flash drive was lost is unlikely to yield any useful results to prevent a similar occurrence in the future.

Second, it demonstrates that an unenforced policy is about as effective as not having a policy in the first place. Whether the employee intentionally ignored the policy, or made an honest mistake, the fact is the policy wasn’t followed and now personal information on almost 3,000 patients is assumed exposed or compromised as a result.

Establishing a policy is an important step, but it is just a first step, not the end of the journey. IT admins need to have tools in place that can monitor systems and ensure the policy is followed and enforced as well.

Tags: , , , , ,
Posted in Data Storage Security, Security Breaches & Data Loss Incidents | No Comments »

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009–including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course the data was not encrypted or protected on the drive itself, placing it at risk of exposure to anyone who happens to examine the contents of the drive. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. At that point, it also began to notify the affected patients.

Looking at the positive side of the incident “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building–yet so many companies and IT administrators seem to be willing to gamble with the personal information they are entrusted with–and frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing right in the first place.

Tags: , , , , , ,
Posted in Security Breaches & Data Loss Incidents | 1 Comment »

Closing the Barn Door After the Horses Escape

Tuesday, April 6th, 2010

There is an old saying about closing the barn door after the horses have escaped. Obviously, that is too late.

John Muir Health is “closing the barn door after the horses escape” by implementing disk encryption software on its laptops AFTER two laptops with unencrypted data were stolen–leading to the compromise of nearly 5,500 patients’ sensitive and confidential data.

John Muir Health waited two months–the maximum amount of time allowed under the HITECH amendment to the HIPAA compliance mandate that governs data security in the health industry. Hala Helm, Muir’s vice president and chief compliance and privacy officer, is quoted explaining the delay with the justification “We wanted to make sure we had accurate information and could address questions from our patients.”

The move to encrypt the data on John Muir Health laptops is a good one–but in hindsight it is obviously a security control that should have been in place already. Had the data on the stolen laptops been encrypted, no patient data would be exposed or compromised as a result of the theft of the laptops. John Muir Health could have simply written off a few thousand dollars for the lost hardware, replaced the laptops, and carried on with business as usual.

If your organization has laptops, and those laptops have private, sensitive, or confidential data on them–ever, perhaps you should consider shutting the barn door now–while the horses are still safely inside?

Tags: , , , , , , ,
Posted in Data Storage Security | 1 Comment »