Disk Encryption Software: Cooper University Hospital Residence Data Breach.

All residents who were at Cooper University Hospital for 2008/2009 and 2009/2010 are being alerted to the breach of their personal information.  A USB flashdrive went missing only hours after a database was copied to the device.  It hasn’t been mentioned whether full hard disk encryption was used to protect the contents of the drive.


There is A LOT of Data in that USB Disk



While it hasn’t been specified how many people are affected, one thing is for sure: those who are affected have justifiable grounds for tossing and turning at night.  According to the notification letter sent by Cooper University Hospital, the following information was saved to the missing USB flashdrive:


For housestaff:
Name, beeper number, email, Social Security number, employee ID number, citizenship, USMLE number, ECFMG number, visa information, salary, leave of absence, license number, DEA number, CDES number, NPI number, address, telephone numbers, emergency contact name, marital status, spouse’s name, resident birthdate and birthplace, gender, race, forwarding address, home phone and employer.


For visiting residents:
Name, home address, home phone/cell#, Social Security number, date of birth, PA training License number, Medical School & graduation date


USB Encryption: Reliable Protection



This is the sort of information you don’t want falling into the wrong hands.  And it wouldn’t have if disk encryption had been used.


Had it?  Cooper University Hospital, on account of being a hospital, is bound by the security and privacy rules found under HIPAA.  Unfortunately for the residents, HIPAA was actually designed to protect patient information, not doctors’ information.


On the other hand, the hospital probably has an extensive policy of using encryption software because of their patients.  It would have been just a little hop, skip, and jump away to apply the same to doctors’ information.


Why this focus on encryption?  Because it’s pretty much the only type of data security program that can protect information after it has been stolen.  Think about it.  If the USB disk is protected by a locked door and a locked desk drawer, the data is at risk if both of these locks are picked.  With encryption, the protection is part of the data.


Furthermore, if encryption from AlertBoot had been used, it would be pretty much guaranteed that the information on the lost USB drive couldn’t be accessed: because of AlertBoot’s design, an encrypted USB disk is usable within a group of assigned computers.


If the thief plugs it into his own computer, the USB disk would show up as unformatted, and there would be no way for him to read the data.



Related Articles and Sites:
http://www.databreaches.net/?p=13952
http://doj.nh.gov/consumer/pdf/cooper_university_hospital.pdf


