EMS Laptop Missing: Approximately 30,000 Potentially Affected By Lack of True Endpoint Security.

A laptop used by emergency medical services (EMS) personnel went missing in North Carolina.  The device was left on the bumper of an ambulance.  While details are sketchy, it sounds like the computer was left by accident on the ambulance, and somebody swung by and lifted it.  Or, it could have been left on the vehicle and lost in transit, while the ambulance was on its way to help another person in need.  The laptop disappeared around 10 p.m., and, obviously, conditions were dark.


The computer had records of more than 28,000 people who had been cared for by Cabarrus County EMS over the past four years, including Social Security numbers and other personal data.


County officials have said that it’s possible, but unlikely, that information on the laptop could be breached.  There is no mention of whether the device was encrypted, so I’m guessing that your standard Windows logon username and password prompt is serving as protection.  Furthermore, the county spent over $15,000 to print and mail letters to people who might be affected, as well as to hire a call center, a sign that they are preparing for the worst and hoping for the best.


Medical facilities need to follow certain regulations as defined by HIPAA.  Among the requirements, there is a specific provision to physically secure computers containing personal information.  By taking the laptop out of the building, the Cabarrus County EMS may be in violation of the Health Act.  Although I cannot profess to know in what capacity the laptop was being used, I think it’s safe to assume that it was not necessary for emergency situations.  Otherwise, why keep information of people who were treated four years ago?  I would have to assume that the laptop was being used in an administrative capacity.  And if there was a real emergency, such as the patient convulsing, you can bet it’s all hands on deck.  Misplacing a laptop in such a situation wouldn’t be unusual.


What happened to it, though?  And if the information on the laptop is not encrypted, could it be accessed easily?  (Yes.)  If the laptop was not stolen, but somehow slid off the ambulance and went crashing into the road, could the contents be accessed as well?  Well, there’s a good probability that the answer is yes.  For starters, the laptop in question was a Panasonic Toughbook, which people tell me is pretty tough.  I think I’ve seen advertisements where a tank ran over it.  But you also have to consider that hard drives are pretty resilient.  As long as a hard drive is not powered up, those things can take a pretty heavy beating.  Ever drop an iPod and find it still works?  It might give that tell-tale death-click, but it will still work.  For a while, anyway.


Information stored on a laptop can be accessed quite easily, no matter the circumstances under which the device went missing.  Combine that with the fact that medical facilities usually deal with a lot of personal data (how could they not?), hence HIPAA, and you’ve got a situation where encryption of data makes a lot of sense.  With an encryption service such as AlertBoot, where the entire contents of the laptop can be scrambled so unauthorized users cannot access it, Cabarrus County could have ensured that its patient data was protected, followed HIPAA, and saved a significant amount of funds as well as grief.
