Beth Israel Deaconess Medical Center is alerting 3,900 patients that a laptop computer holding personal medical information was stolen. The article at bostonglobe.com reports that a tracking device was used on the laptop, but it does not say whether the device was protected with data encryption software like AlertBoot. Regardless, patients should be able to rest a little easier: a forensic firm reviewing the incident found "nothing that would be used from an identity theft perspective." Note that this finding addresses identity theft, not the confidentiality of the medical details themselves; on an unencrypted laptop, whoever has the machine can read whatever is stored on it.
Physician’s Own Laptop
The theft took place on May 22 at a hospital office.
Although the laptop was stolen from a hospital office, it has been revealed that it belonged to a physician, not to the hospital. I'm not sure whether Beth Israel is one of those organizations engaging in BYOD (bring your own device), but if it is, it certainly hasn't approached the rollout correctly.
BYOD requires, at the most basic level, that devices holding sensitive data be protected. At an ordinary company, sensitive data might mean corporate secrets, internal memos and other communications, client lists, etc.: whatever the company deems important enough to keep from prying eyes. Since Beth Israel is a medical institution, it stands to reason that its sensitive data includes patients' medical data, commonly referred to as "protected health information" or PHI.
The type of data that falls under the PHI label is very broad. It can include non-medical personal data such as home addresses and phone numbers, and even a patient's hospital room number and phone extension. In fact, so little patient data falls outside PHI that, if you are dealing with such data in any way, it makes sense to protect all of it. One of the simplest and most effective ways to do so is to use encryption software, such as full disk encryption, to protect the entire device. Keep in mind that full disk encryption protects data at rest: a stolen laptop that is powered off (or hibernated) is opaque to the thief, whereas one left running and unlocked is not, so it should be paired with a strong pre-boot or login passphrase and an automatic lock.
But, the hospital already knows this.
Preaching to the Choir
Beth Israel Deaconess routinely protects information on company-issued computers by encrypting the material with software that makes it difficult to decipher [bostonglobe.com]
And, because it experienced a significant data breach a year ago, it has already changed certain policies:
We [Beth Israel Deaconess] have said to our employees that there is now a mandatory encryption program. So any device that is used in any way with our data, whether it is patient-related or administrative, it must be encrypted. [bostonglobe.com]
According to the hospital's CIO, 1,500 personal devices may be in use (which leads me to suspect that BYOD is a fact of life at the hospital, even if it's not an officially sanctioned program). The process of encrypting these is expected to take three months as people bring their devices to "depots."
Three months to encrypt 1,500 devices? With web-based AlertBoot, that project would be complete in less than a month. I know because we currently hold an account with over 10,000 encrypted endpoints for a global financial firm with offices spread across the world. It took us less than two months.
But, in Beth Israel's case, it makes sense that they don't do everything over an internet connection: besides installing encryption, they're also checking that antivirus software is installed and applying patches, jobs that are simpler with the actual device in hand.
Still, three months is an awfully long time. Generally, the less time it takes you to roll out data security, the better: more than a handful of companies and organizations have experienced a data breach while they were still deploying encryption system-wide, and every device that has not yet reached the depot is one more laptop that can walk out of an office unprotected.
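Whether the rollout is done at a depot or over the network, the program only works if someone verifies that each device actually ended up encrypted, and "encrypted" has a few traps: a Linux laptop with an encrypted root but a plaintext /home partition, a Mac whose FileVault conversion is still running, or a Windows machine whose BitLocker protectors were suspended for a firmware update (fully encrypted, but with a clear key sitting on the disk). The following is an added example, not code from the original post, from Beth Israel Deaconess, or from AlertBoot: it parses the output of each OS's own status tool (the sample outputs are constructed, in the documented formats of `lsblk -J`, `fdesetup status` and `manage-bde -status`) and says whether the device still needs a trip to the depot.

```python
"""Verify that a device's data volumes are actually covered by full disk
encryption, from the output of the OS's own status tools.

Added example for this post; it is not code from the original article, from
Beth Israel Deaconess, or from AlertBoot. The command outputs below are
constructed samples in the documented formats of `lsblk -J`, `fdesetup status`
and `manage-bde -status`; feed the real commands' output on a live device.
"""
import json
import re

# Linux mountpoints that are expected to stay in clear text: the bootloader
# must read them before a LUKS passphrase can be entered. Swap is NOT exempt,
# since it can hold pages of PHI that were in memory.
LINUX_PLAINTEXT_OK = {"/boot", "/boot/efi"}


def linux_unencrypted_mounts(lsblk_json: str) -> list:
    """Return mountpoints of mounted filesystems that are not stacked on a
    dm-crypt device. Input: output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`."""
    tree = json.loads(lsblk_json)
    unprotected = []

    def walk(node, encrypted):
        # A "crypt" node is the plaintext side of a LUKS/dm-crypt mapping;
        # anything mounted on it or below it is encrypted on disk.
        encrypted = encrypted or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not encrypted and mountpoint not in LINUX_PLAINTEXT_OK:
            unprotected.append(mountpoint)
        for child in node.get("children") or []:
            walk(child, encrypted)

    for device in tree["blockdevices"]:
        walk(device, False)
    return unprotected


def macos_filevault_on(fdesetup_output: str) -> bool:
    """Parse `fdesetup status`. Only a completed conversion counts: the tool
    reports 'FileVault is On.' while also reporting encryption still in
    progress, and the unconverted blocks are still plaintext."""
    lines = [line.strip() for line in fdesetup_output.splitlines()]
    return "FileVault is On." in lines and not any("in progress" in l.lower() for l in lines)


def windows_bitlocker_protected(manage_bde_output: str) -> bool:
    """Parse `manage-bde -status <drive>`. A volume is protected only when it
    is fully encrypted AND protection is on: 'Protection Off' means the key
    protectors are suspended and a clear key is stored on the disk, so the
    encryption is worthless to whoever picks up the laptop."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]+(.+?)[ \t]*$",
                             manage_bde_output, re.M))
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")


def needs_depot(platform: str, tool_output: str) -> bool:
    """True when the device still has to go through the encryption rollout."""
    if platform == "linux":
        return bool(linux_unencrypted_mounts(tool_output))
    if platform == "macos":
        return not macos_filevault_on(tool_output)
    if platform == "windows":
        return not windows_bitlocker_protected(tool_output)
    raise ValueError("unknown platform: %r" % platform)


# Constructed sample outputs (not captured from real machines).
LINUX_SAMPLE = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [{"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}]}]})

MACOS_OK = "FileVault is On.\n"
MACOS_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 37\n"

WINDOWS_SUSPENDED = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""

if __name__ == "__main__":
    print("linux plaintext mounts:", linux_unencrypted_mounts(LINUX_SAMPLE))
    print("macos converting needs depot:", needs_depot("macos", MACOS_CONVERTING))
    print("windows suspended needs depot:", needs_depot("windows", WINDOWS_SUSPENDED))
```

On the constructed Linux sample the script flags /home as plaintext even though the root filesystem is on LUKS; the converting Mac and the BitLocker volume with protection suspended are both reported as still needing the depot. An inventory job that collects these three command outputs from each of the 1,500 devices gives the rollout a real completion number instead of a count of depot visits.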