The theft of computers by workers and employees is rare, although not unheard of. The theft of computers from a locked IT room is rare as well, but also not unheard of — which is why any computers that store sensitive information ought to be protected with full disk encryption software like AlertBoot. Insider jobs may or may not be on the rise, but one thing’s for sure: a data breach is a data breach, no matter where it took place or who was involved.
7 Laptops Stolen from Overlook Masonic Health Center
According to telegram.com, a nighttime maintenance and security worker is accused of breaking into Overlook Masonic Health Center’s IT room and stealing seven computers over an eight-day period. The man has admitted to stealing one computer (the one for which he was caught on tape, which resulted in his arrest) but has denied being involved otherwise.
The video footage shows the suspect unlocking the door to the IT room, picking up a laptop computer, and walking out, “all in less than 25 seconds.”
Less than 30 seconds to steal a computer worth nearly $1,000. It sounds impressive until you factor in that, as the maintenance worker, he probably had keys to the locked room. Even if that were not the case, forcing a door open is not too hard for a determined person. More secure doors, such as those held shut by an electromagnet and opened only with the correct keycard, could raise actual security levels, but they too fall short when it comes to stopping people who have legitimate access in the first place.
(Incidentally, it appears that the IT room in this case had a regular door. Keycard systems generally log the comings and goings of people, and no such log has been mentioned. Plus, such a setup would have done away with the need to set up a video camera.)
What Does This Mean for Patient Data Safety?
Was encryption software necessary in this instance?
Overlook Masonic Health Center is, as the name suggests, a medical facility. As far as I can tell, it is a HIPAA-covered entity (HIPAA being the Health Insurance Portability and Accountability Act). Now, if any of the seven stolen laptops contained protected health information (PHI), the renegade action of the maintenance worker could constitute a HIPAA breach.
“Could” because the theft of PHI is not automatically a violation of HIPAA; the Act does not require perfect security. However, under the HITECH amendment to HIPAA, the covered entity is required to notify any patients affected by the laptop thefts. If more than 500 patients are affected, the rules also require notifying HHS and the media.
You may be wondering, “why would PHI be on a laptop in the IT room?” The reasons are myriad:
A doctor’s laptop was taken in for repairs, updates, or patches.
The IT staff are embarking on a data-centralization project and were using real PHI for testing (a bad data security practice, incidentally; people rationalize it by noting that it’s in-house and the data won’t leave the “secure” IT room).
Computers are being decommissioned and it’s up to the IT staff to sanitize the hard disks before disposal.
The list goes on and on.
So, was encryption software necessary? Perhaps not in this particular case (we don’t know for sure). But if you consider the odds, it would have been smarter to ensure the computers were protected with full disk encryption. And it’s not just about the odds, the probability of something bad happening; it’s also about expected values.
If the odds of a computer being stolen are 1 in 1,000, perhaps you could rationalize living with that threat; the odds are, after all, pretty low. But if that 1-in-1,000 chance is directly coupled to one million dollars in post-breach cleanup costs, the expected loss works out to $1,000 per computer, roughly the price of the laptop itself, and, as Dirty Harry put it, “are you feeling lucky?” (Incidentally, this line of thinking is why people and businesses buy insurance.)
The beauty of using encryption anywhere that PHI might be stored (not “is” but “might be”) is that it largely does away with such risks: technologically (encryption keeps the data from unauthorized access) and legally (HITECH provides safe harbor from the Breach Notification Rule if the PHI was encrypted in a manner consistent with HHS guidance and the decryption key was not compromised along with the device). One practical caveat: full disk encryption protects data at rest, and the key remains in memory while a machine is running, so laptops awaiting service in an IT room should be powered off rather than left running, or a thief walks out with the unencrypted data anyway.