The theft of two laptops on June 4th has affected 250,000 patients at the University of Alberta Hospital. The information on the two machines includes names, birth dates, personal health numbers, and test results for STDs. The question is, was drive encryption software like AlertBoot used on these machines? Depending on whom you quote, you get different answers.
The Hospital Says…
According to ctv.ca, the hospital has announced that the laptops are protected by “a security program that requires multiple passwords” and as such “the public should not be concerned, we believe there’s a very low, low risk of any information on those devices being made accessible to anybody else.”
Of course, the problem is that passwords can be bypassed. When I say bypassed, I don’t necessarily mean that the data in a file can be opened through the password prompt itself (to do so generally requires correctly guessing the password).
I mean that there is software out there, hex editors for example, that lets you easily see the raw contents of a file without going through the password prompt. Also, depending on the situation, it could reveal the password as well.
So, while having password-protection in place is better than nothing, if the thief happens to know what he’s doing (or, at least, has the wits to do a couple of searches in Google), it’s barely better than nothing.
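The difference between a password gate and encryption can be checked from the defender's side by looking at what is actually stored. The following is an added example, not code from the hospital or any product named here; the `PWFILE1` file format, the sample records, and the keystream stand-in for a real cipher are all constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample records (not real patient data).
RECORDS = b"name=Jane Example;dob=1970-01-01;phn=000000000;result=negative\n" * 40

def password_gated(records, password):
    """Hypothetical 'password-protected' format: the application compares a
    stored password hash before opening, but the records stay in plaintext."""
    header = b"PWFILE1" + hashlib.sha256(password.encode()).digest()
    return header + records

def encrypted_stand_in(records, password):
    """Stand-in for real encryption (SHA-256 counter keystream XOR) so the
    example has no dependencies. Not a vetted cipher; use AES in practice."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)
    blocks = len(records) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(records, stream))

def shannon_entropy(data):
    """Bits per byte: close to 8 for ciphertext, much lower for text records."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def printable_runs(data, min_len=8):
    """Runs of printable ASCII, i.e. what a hex editor would show as text."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def audit(data):
    """Report whether stored bytes expose record fields without any password."""
    runs = printable_runs(data)
    return {
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "readable_runs": len(runs),
        "leaks_plaintext": any(b"phn=" in r for r in runs),
    }

if __name__ == "__main__":
    print("password-gated:", audit(password_gated(RECORDS, "constructed-pw")))
    print("encrypted:     ", audit(encrypted_stand_in(RECORDS, "constructed-pw")))
```

Run against the stored file or a disk image rather than through the application, since the application's password prompt is exactly what this check sets aside.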
The Information and Privacy Commissioner Says…
The Information and Privacy Commissioner, Frank Work, has claimed that he is “shocked” about the information security used in this case. According to him, the standard for storing personal and other sensitive information–such as medical information–on portable devices is encryption.
But, this is where the story takes a weird turn. According to the hospital spokesman, “the latest laptops to be stolen were encrypted but not with the most up-to-date software.” I’m assuming he’s referring to the two computers that were stolen, unless other laptops were stolen since then.
So…since when is encryption not encryption?
Well, when weak encryption is used. Because of advances in technology, what is considered safe today may not be considered as such tomorrow. For example, the standard right now is 128-bit AES encryption, or equivalent. This is what you use for on-line bank transactions, for example.
As computers get faster, though, at some point the protection offered by this encryption will not be considered powerful enough, and people will have to switch up, to 256-bit encryption (which won’t be for some time…maybe, a decade or so? It all depends).
If you will, it’s like finding that your castle walls are not effective anymore because the enemy has figured out how to build better, longer, and stronger ladders, so now you have to make your castle walls even higher–and now, the enemy has to figure out how to build even better, longer, stronger ladders….
So, is the information on those two laptops secure or not? It’s hard to tell. Obviously, it’s better protected than originally thought (weak encryption beats password-protection any day). But, it would be possible–with the right resources–to gain access to the contents on the laptops’ hard disks. It would, however, take considerable time as well.