Jewish Hospital has announced a third breach, following breaches at Our Lady of Peace and Sts. Mary & Elizabeth Hospital Women’s Center. The incident is a strong reminder that full disk encryption solutions should be deployed before a device is used.
Laptops Stolen, Affects 2,089 Patients
The breach occurred at the Catheterization Lab at Jewish Hospital. Two laptop computers containing sensitive patient data were stolen between July 16 and July 19. The data included names, dates of service, medical record numbers, patient account numbers, Social Security numbers, and other data for 2,089 people.
The laptops featured password-protection, were behind a locked door, and were secured to a desk. While the hospital is in the process of implementing encryption software in all laptops and other portable devices (it seems their second data breach at the Women’s Center kick-started that effort), it’s pretty apparent that these particular computers were yet to be secured.
Knowing of the above, it’s hard to criticize Jewish Hospital. Despite the lack of encryption on the devices, it’s apparent that Jewish Hospital went to some great lengths to secure their machines.
And, they’re actually still working on making their environment even more data-safe: they’re still working on deploying encryption on any and all devices that could store sensitive information.
Applying Encryption Before Being Used
While I shouldn’t be pooh-poohing Jewish Hospital’s efforts, I should point out that there is a reason why encryption software should be installed before a machine is released for use. After all, a computer is set up for a potential breach the moment sensitive data is saved to it. If you don’t have encryption prior to that data being saved, it’s unprotected.
Furthermore, installing encryption before it’s sent out just makes sense from a logistical perspective: it’s always easier to install encryption–along with any other software that is used by your organization’s employees–from the beginning, as opposed to having to:
Take away the machine from an employee in order to install encryption, months after it has been issued; or
Track down an employee and have IT personnel visit them in order to install encryption; or
Have the employee install encryption
Of course, for an organization that’s already in business and has only recently acquired the wherewithal or the need to use encryption software, the method that “makes sense” is not an option, and is forced to consider one of three options I’ve listed above.
Interestingly enough, option three might make the most sense of the three, at least when it comes to AlertBoot encryption solutions. Because AlertBoot is a web-based encryption solution, it means that the deployment of encryption can take place anywhere an internet connection is available.
And, because the installation process is very straightforward–it’s not different from installing any other software, such as a game, for example–the average employee should have no problems going through the short, simple steps that lead to better data security.