Hard Drive Encryption A Solution For University Of Florida Case?

The University of Florida will be notifying patients that there was a breach of their information.  According to the Triangle Business Journal, an assistant professor of plastic surgery at the university stored digital photographs of patients and identifying information on a computer.  The identifying information included names, dates of birth, Social Security numbers, and Medicare numbers.  Such information is to be stored on university servers and never on individual computer hard drives, per school regulations; the doctor is resigning from his position for violating this policy.


The storage of the information was not the cause of the information security breach, however.  The breach occurred when the doctor gave away the computer to a friend.  The computer had a new operating system installed in it—by the friend, not the doctor—and the Journal article states that it “[resulted] in the permanent loss of most of the patient information.”  I don’t know who the Journal is quoting, but they may want to revisit that last statement.


Most data is not lost when a new OS is installed on a computer.  Data is not lost even when a computer’s hard drive is formatted in preparation for installing a new OS.  What does get lost is the ease with which one accesses the data.  However, the data is still there, and if one has the right software, he’ll be able to get to it.  The only way to delete data is—surprise!—to add more data; more specifically, to write new data over the old data.  Otherwise, the act of deleting data (like clicking on “empty recycle bin”) does not delete the data at all, which explains why data recovery software can do its namesake duty.  There are other ways to protect the data besides data overwrites, though.  For example, one could encrypt the hard disk with full disk encryption solutions like AlertBoot.
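The difference between reformatting and overwriting described above, as an added example that is not part of the original article: a check one could run on a drive image before a computer leaves the organization.  `ToyDisk`, the sample record and its SSN are constructed for illustration; a real check would read the raw device or image instead.

```python
import re

SECTOR = 512
# SSN-shaped pattern (ddd-dd-dddd) searched in raw bytes, ignoring any file system.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


class ToyDisk:
    """Constructed model: a file index kept separately from the data sectors."""

    def __init__(self, sectors=16):
        self.raw = bytearray(SECTOR * sectors)   # the data sectors
        self.table = {}                          # name -> (first sector, length)
        self.next_free = 0

    def write_file(self, name, data):
        start = self.next_free
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.table[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)   # ceiling division

    def list_files(self):
        return sorted(self.table)

    def quick_format(self):
        """Models a quick format: reset the index, leave data sectors untouched."""
        self.table.clear()
        self.next_free = 0

    def overwrite_all(self):
        """Sanitize by writing new data (zeros) over every sector."""
        self.raw[:] = bytes(len(self.raw))


def residual_ssns(raw):
    """Pre-disposal check: SSN-shaped strings still present in the raw image."""
    return [m.group().decode() for m in SSN_RE.finditer(bytes(raw))]


def demo():
    disk = ToyDisk()
    # Constructed sample record; the SSN is a made-up value.
    disk.write_file("patient.txt", b"name=Jane Doe;dob=1950-01-02;ssn=000-12-3456")
    disk.quick_format()
    after_format = (disk.list_files(), residual_ssns(disk.raw))
    disk.overwrite_all()
    return after_format, residual_ssns(disk.raw)


if __name__ == "__main__":
    print(demo())
```

After the quick format the file listing is empty, yet the raw scan still finds the record; only the overwrite leaves nothing to find.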


Returning to the University of Florida article, it sounds like there was no attempt to steal identities, and the university is alerting the public because they have a duty to do so.  If I were one of the 1,300 patients, I wouldn’t be too worried about this particular incident.


There are, however, a couple of points of interest to this story.  To begin with, how did the university know about the above incident?  The article seems to imply that university property was given away, but I’m not sure if I’m reading things in context.  My suspicions reside on the assumption that a doctor knows better than to give away university property to friends.  If he were doing this, obviously a routine check on inventory would have brought the incident to light…as well as providing another reason for immediate dismissal.


Also, this case shows how hard it is to ensure that employees follow policies within an organization.  Oftentimes, policies are not followed because employees are unaware that such policies exist in the first place.  In other cases where similar policies exist, data is saved on a local computer because accessing files from a local computer is much more convenient, even though employees know that policies prohibit such behavior for security reasons.  Convenience will often trump security policies.
