Encrypting an external hard disk drive is not a hard process. With AlertBoot endpoint encryption, it gets done automatically. Maybe it’s something Brigham and Women’s/Faulkner Hospitals should think about: they had a breach on June 21, when a doctor lost a hard drive, affecting 638 patients (possibly).
Device Left in Taxi, Data Deleted
According to a couple of Boston sources, the data breach took place on June 21, when a doctor that works at both hospitals left a hard disk drive in a cab. More specifically, it was left “in a piece of luggage in a cab” (bostonherald.com). The article goes on to note that
the doctor said patient information had been downloaded to the drive but had been deleted. The hospital notified patients because it couldn’t be sure the information had been destroyed.
The drive contained (before it was deleted) names, medical record numbers, dates of admission, medication, diagnoses, and treatments for patients who stayed at either hospital between July 10, 2009 and January 28, 2011 (one and a half years!).
Is there any reason to doubt the doctor? Not really. On the other hand, who’s to say that the doctor is wrong (he or she forgot about a file) or that whoever is currently in possession of the external hard disk drive hasn’t used freely-availably software to reconstitute the deleted data? The use of encryption software would have completely prevented such a thing from happening.
I’ve got to say, this is an aspect of HIPAA/HITECH that I had never considered before: reporting a data breach where the likelihood of a data breach is almost, nearly, and yet certainly non-existent. I guess sometimes an argument for a “harm threshold” can be made, in spite of my objections to it when it comes to data breaches.
The incident leaves many questions.
Was the doctor authorized to download all that data?
If so, why wasn’t hard disk drive encryption software used on the external drive?
If not, did the doctor know that it was against regulations, and that’s why the information was deleted?
How did the hospitals know that the information went all the way back to July 2009?
Why did the doctor download this information to a local device?
Like I already noted, the use of external disk drive encryption would have been ideal. It would have put at rest all of the above questions and then some. Easier said than done, right?
One of the reasons why organizations don’t reach out for 100% coverage of external drive protection is because 1) it’s time consuming to deploy it and 2) there is no guarantee that staff will only use the authorized devices. I mean, what if someone brings in his own personal USB flash drive and decides to use that instead?
For situations like those, however, there are solutions like AlertBoot’s automatic encryption of external storage devices, for securing things such as USB keys. The way it works is thus: first, a computer (desktop or laptop) is deployed with encryption software. Second, a setting for automatically encrypting all plugged in storage devices is turned on from the on-line management console. Third, sit back and relax.
Any devices that are connected to the computer will be encrypted automatically. Furthermore, the devices are only readable from the original computer and computers that belong in the same network/group. Outside of these computers, the device shows up as an unformatted device, as all FDE protected devices do.
The only caveat? You have to remind people to not plug in their iPhones and other devices with an operating system. And, of course, those who ignore the reminder will learn soon enough not to do it.
Related Articles and Sites: