Medical Laptop Encryption: Canadian Health Authority Finds Out "Certain Security Measures" Not Followed.

The Winnipeg Regional Health Authority announced that there was a data breach at their Health Sciences Centre.  A laptop with patient data for 322 people was stolen.  The type of information that was stolen was not detailed, but breach notification letters were sent and the police have been called to investigate the theft.  Unlike HIPAA regulations in the US, Canada’s medical legislation on patient data security varies by province, so the use of medical encryption software does not necessarily translate to safe harbor from publicizing data breaches.

Indeed, the law can be even stricter than the US’s, in some provinces mandating that encryption software be used, while in others its use is merely recommended (although most agree that the loss of encrypted data represents “no actual loss of information” and will not require a notification).

WRHA Holding Independent Investigation

Despite the police involvement, the Winnipeg Regional Health Authority has said,

it’s conducting its own investigation “to determine exactly how and why certain security measures do not appear to have been followed in this case,” WRHA vice-president and CEO Real Cloutier.

When referring to “certain security measures,” I imagine that it’s a reference to WRHA behavioral policies that were designed to stop data breaches from happening.  The problem with such security policies is that, at some point, they will fail because people are terrible at being consistent.

Had laptop encryption, which is an infinitely more reliable way of protecting digital information, been used to secure the information on the machine, WRHA would be in a better position.

This is not to say that whatever policies I imagine they currently have are worthless.  Far from it: they’re required for a number of reasons, including the need to protect equipment from theft or to prevent physical altercations.  However, because more can be done for data security (namely, the use of encryption) and because of the importance placed on it, security shouldn’t just stop at physical and behavioral policies.

