Ochsner Medical Center, based in suburban New Orleans, is notifying patients about a possible data breach. An external hard drive used for backups is missing, and it appears that the device was not protected with disk encryption software like AlertBoot.
Several sources note that a backup hard drive is missing from the West Bank campus of Ochsner Medical Center. The hard drive contained bone density scans used in osteoporosis screenings, and may have also included “patient names, addresses, date of birth, medical record number, medications, and pertinent medical history as it pertains to a bone density scan between November 2005 and January 2012,” per Ochsner’s press release.
This is Ochsner Medical Center’s third data breach since December 2010, as phiprivacy.net points out. So, one has to wonder why the drive in this case was not protected with encryption software, instead of relying on “proprietary formats”:
Because the data was stored in a proprietary format, Ochsner does not believe that it is possible to access the information simply by connecting the hard drive to a computer and opening the files. To access the information in a readable format, one would have to use various software applications. At this time we feel that there is minimal risk to patients’ personal information.
A proprietary format is not, by itself, a protection. If the format referred to above has an encryption component (and the key is not sitting on the same drive), then yes, chances are the information cannot be accessed.
If not, there is a good chance that reading it requires nothing more than a hex editor, the `strings` utility, or even a plain text editor. The record structure may only make complete sense to the vendor’s software, but that says nothing about how the individual fields are stored: a name, a date of birth or a medical record number written into the file as plain ASCII is readable no matter how obscure the surrounding container is. If anything, this makes the PHI easier to find, because it stands out as English in a sea of binary gibberish.
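To make the “stands out as English” point concrete, here is an added example (not code from the original post, and not based on any real vendor’s format): it builds a constructed, made-up “proprietary” bone-density record with an assumed magic header, opaque binary scan data and plaintext demographic fields, then carves the readable fields out of it exactly as `strings` would, flags the ones that look like PHI, and applies the cheap entropy check a practitioner uses to tell “proprietary” from “actually encrypted”. The field names, magic bytes and patient values are all assumptions for the illustration.

```python
import math
import os
import re
from collections import Counter

# Constructed sample: a made-up "proprietary" export. The magic bytes, record
# layout and field names are assumptions for this example, not Ochsner's or
# any real vendor's format.
def build_sample_record() -> bytes:
    header = b"BDXS\x03\x00\x01\x00"                  # assumed magic + version
    scan = bytes((i * 37) % 32 for i in range(256))   # stand-in for binary scan data (all non-printable)
    fields = [                                        # constructed demographics, stored as plain ASCII
        b"NAME=JANE EXAMPLE",
        b"DOB=1950-03-14",
        b"MRN=0012345678",
        b"MEDS=ALENDRONATE 70MG",
    ]
    body = b"\x00".join(fields) + b"\x00"
    return header + len(scan).to_bytes(4, "little") + scan + body


PRINTABLE = set(range(0x20, 0x7F))

def printable_runs(blob: bytes, min_len: int = 6) -> list[str]:
    """Equivalent of `strings -n 6`: every run of min_len+ printable ASCII bytes."""
    runs, cur = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


# Patterns for the constructed field layout (assumed); real triage would be
# tuned to whatever the carved strings actually look like.
PHI_PATTERNS = {
    "dob": re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b"),
    "mrn": re.compile(r"\bMRN=\d{6,}\b"),
}

def find_phi(blob: bytes) -> dict[str, list[str]]:
    """Carve readable runs and report the ones matching PHI-looking patterns."""
    hits: dict[str, list[str]] = {}
    for run in printable_runs(blob):
        for label, pat in PHI_PATTERNS.items():
            if pat.search(run):
                hits.setdefault(label, []).append(run)
    return hits


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, well below that for plain records."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def looks_encrypted(blob: bytes) -> bool:
    """Cheap triage: near-8-bit entropy and no readable runs. Low entropy or
    readable runs mean 'proprietary' is not the same as 'protected'."""
    return shannon_entropy(blob) > 7.5 and not printable_runs(blob)


if __name__ == "__main__":
    blob = build_sample_record()
    print("carved:", printable_runs(blob))
    print("PHI-looking:", find_phi(blob))
    print("entropy %.2f, looks encrypted: %s" % (shannon_entropy(blob), looks_encrypted(blob)))
    # The same bytes XORed with a fresh random pad (a one-time pad, a toy
    # stand-in for real disk encryption): no carvable strings, entropy near 8.
    pad = os.urandom(len(blob))
    ct = bytes(a ^ b for a, b in zip(blob, pad))
    print("encrypted carved:", printable_runs(ct), "entropy %.2f" % shannon_entropy(ct))
```

Run against a real export you are allowed to inspect, `printable_runs` is the check that settles the “proprietary format” argument in a minute: if names and dates come out, the drive was unprotected; if the only output is a short magic header and the entropy sits near 8 bits per byte, the vendor really did encrypt the payload.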
What If You Can’t Protect It? Ochsner Stuck Between Two Hard Surfaces?
We might have to give Ochsner a break in this particular case, though. Full disk encryption is easy to deploy on an ordinary computer; many advances have been made in that area. But what about medical equipment that has a digital computer component and lets you download or back up data directly by plugging in a USB drive? Sure, there’s a “computer” in there, but that doesn’t mean you can manage its data the way you would on a PC or Mac.
For one, you’re probably unable to install your encryption software of choice on that medical equipment. A software-encrypted external drive, then, would appear to the “computer” as an unformatted disk, because nothing on the device can unlock it. That alone rules out conventional hard disk encryption for the backup drive. (The one exception is a hardware-encrypted USB drive with its own keypad: it is unlocked before it is plugged in and presents itself to the instrument as an ordinary disk, so it works even when the instrument knows nothing about encryption.)
On the other hand, if that’s the case, then the correct procedure would have been to make backups a two-step process: first, back up to an unencrypted drive. Then, copy it over to an encrypted drive, verifying that the copy is complete before you touch the original. Then, overwrite the data on the first drive rather than merely deleting it, since a deleted file is trivially recovered. Okay, so it’s a three-step process.
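The staging procedure above, as an added example that is not part of the original post and does not describe Ochsner’s actual process: every file in the unencrypted staging area is copied into a directory that is assumed to be an already-mounted encrypted volume, each copy is verified by hash, and only then is the staging copy overwritten with random bytes and removed. The directory names and the sample scan file are constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large scan exports never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def overwrite_and_delete(path: Path) -> None:
    """Overwrite the file's bytes in place with random data, sync, then unlink.
    Caveat: on SSDs/flash and copy-on-write filesystems the old blocks can
    survive an in-place overwrite; for a reusable staging drive, wipe the whole
    device or make the staging drive itself encrypted."""
    remaining = path.stat().st_size
    with path.open("r+b") as f:
        while remaining > 0:
            n = min(remaining, 1 << 20)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    path.unlink()

def stage_to_encrypted(staging_dir: Path, encrypted_dir: Path) -> list[str]:
    """Copy, verify, then wipe. encrypted_dir is assumed to be a mounted
    encrypted volume; a failed verification leaves the staging copy in place
    and raises rather than silently losing the only copy of a scan."""
    moved = []
    for src in sorted(p for p in staging_dir.iterdir() if p.is_file()):
        dst = encrypted_dir / src.name
        shutil.copy2(src, dst)
        if sha256_of(src) != sha256_of(dst):
            dst.unlink(missing_ok=True)      # don't keep a bad copy on the target
            raise RuntimeError(f"verification failed for {src.name}; staging copy kept")
        overwrite_and_delete(src)            # only after the copy is proven good
        moved.append(src.name)
    return moved

def demo() -> dict:
    """Run the procedure on temp directories standing in for both drives."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        encrypted = Path(tmp) / "encrypted_volume"
        staging.mkdir()
        encrypted.mkdir()
        payload = b"MRN=0012345678\x00" + bytes(range(256)) * 4   # constructed scan file
        (staging / "scan_0001.bin").write_bytes(payload)
        moved = stage_to_encrypted(staging, encrypted)
        return {
            "moved": moved,
            "copy_intact": (encrypted / "scan_0001.bin").read_bytes() == payload,
            "staging_empty": not any(staging.iterdir()),
        }

if __name__ == "__main__":
    print(demo())
```

The order matters: verify before wipe, and never wipe on a failed verification, because the staging drive may at that moment hold the only copy of a patient’s scan.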
Sure, it’s not as convenient as AlertBoot’s automatic external USB disk encryption. But, data security isn’t about convenience. It’s about data security.