Disk Encryption Software: Ontario UHN Patient Details Stolen, Privacy Commissioner Angry.

The Ontario Privacy Commissioner reportedly hit the roof after finding out that a patient data breach was not reported to her office, learning of the situation via the local news instead.  If you have a data breach, even more important than ensuring that data encryption software be used is complying with any laws.  I’m not even sure why I’m making that observation; it’s just common sense.


University Health Network Notifies 763



The University Health Network (UHN) recently notified 763 patients, who had undergone surgeries at their facilities, that the loss of an unencrypted USB drive caused a data breach.


Their medical information–names, admission and discharge dates, and surgical procedures–had been copied to an unsecure USB drive (the employee who owned the USB drive claims that she didn’t know personal health information was saved to the USB device).


I guess I can accept that tale.  You loan your flashdrive to a coworker; he copies some files to it in order to transfer them to a computer with a spotty network connection; and he forgets to delete the files.  You, of course, have no idea.


But, then, what would prompt you to report the theft of a USB device?  And, how was it determined that 763 people had their information compromised?


You know what, I guess I just can’t accept the explanation.


Encryption Software Already Required



The hospital pointed out that, per their regulations, any devices that store personal health information must be encrypted.  Of course, as they’ve found to their dismay, such policies–although they matter–do not completely resolve the issue.  When it comes to data security, something a little more proactive is generally required.


Which is why they’re looking to “the automatic encryption of any device that gets used by the network.”


I guess it would be similar to what AlertBoot does when it comes to USB data devices that connect to a computer: in order to effect a more secure data environment, it is possible in AlertBoot for a central administrator to specify that any external USB data devices (be they portable hard disks or pocket-able flashdrives, etc.) be automatically encrypted when connected to an already-encrypted machine.


In other words, plug your flashdrive into the USB port of a machine with AlertBoot laptop encryption, and you’ll find that the flashdrive is encrypted as well.  In fact, plug it into another computer, or outside your group of computers that have been associated as a network, and the drive will show up as unformatted (as it’s supposed to).


Such an approach–while requiring a little more forethought and work–generally tends to create a more secure data environment.



Related Articles and Sites:
http://www.cbc.ca/canada/toronto/story/2010/08/04/usb-medical-files-stolen684.html
http://www.phiprivacy.net/?p=3233


