The US government shutdown has, among other things, prompted people to compare the USA with its neighbor to the north, Canada. I bring this up because here’s another thing that they do differently: data breach notifications…that are helpful! Even more helpful would have been the use of medical data encryption like AlertBoot, but when that fails, you can still do right by your patients by being as informative as possible.
SD Card Loss at the Center of Data Breach
This is the first time I’ve run across a story where an SD card is at the heart of a data breach, but it’s not unexpected. They made their debut as affordable, easy-to-use storage media for prosumer digital cameras, and their use just kept spreading into other products. Currently, SD cards have capacities of 32 GB for the standard SD cards, and 2 TB for the SDXC cards.
And, with SD card ports routinely built into computers, it was a matter of time before these would fall under the spotlight of a medical data breach. Which brings us back to the Region of Peel.
According to a FAQ posted by the Region of Peel, 18,000 people who participated in the Peel Public Health’s Healthy Babies Healthy Children program are now embroiled in a data breach. It occurred when a bag was stolen from an employee’s car (or possibly misplaced). More details can be found here.
Based on the information that was revealed, it looks like the customary information popular among identity thieves was not present, so affected patients should breathe a sigh of relief. On the other hand, there is enough information for old-school cons. You know, the kind that uses paper-based mail. And, with 18,000 potential victims, just a 1% success rate translates into 180 future victims.
Not only did the Region of Peel provide details on when the breach occurred, what happened, how many people were affected, etc., they announced the breach on October 7. The SD card was reported as missing on September 24. It could have been missing since September 20.
In other words, it took around 2.5 weeks from theft to public notification. I don’t think I’ve seen a turnaround this fast when it comes to medical data breaches from any US medical institutions.
It’s kind of nice when things work the way they’re supposed to….
When it comes to patient data encryption, there is this focus on dealing with the most obvious. For example, in the US, there is a focus on installing PHI encryption software on laptops, which sometimes extends to USB sticks or external hard disk drives.
Other media get the short end of the stick, though. Or, more accurately, no stick at all. For example, I’ve already noted the resistance against encrypting desktop computers. This also tends to extend to backup tapes and “ultraportable” storage media like SD cards. I think most people can understand, at the gut level, why this is so: encrypting such devices feels weird. A little bit of overkill. It’s like when you’ve got secret service agents looking after the Queen’s corgis.
But, 2 TB of ePHI is 2 TB of ePHI, no matter what form it takes. If you’re willing to encrypt and secure a laptop because it’s portable, but dispense with it for desktop computers (which as of late are pretty portable as well), how can you justify not encrypting backup tapes, external drives, and USB memory which are even more portable than laptops?
This is why the AlertBoot solution doesn’t just encrypt a laptop’s disks. It also allows the encryption of any external media that are connected to it. Plus, it order to increase these devices’ usefulness, the data on them can be accessed by any computers that are also encrypted with AlertBoot.
It’s sensible, it’s smart, and it’s included. Oh, and by “included” I mean it’s free with the AlertBoot FDE package. When people are inventing all sorts of excuses that hamstring their own security efforts, it only makes sense to address the one area that’s key.