HIPAA Encryption: Cedars-Sinai Breach Bigger Than Believed Earlier.

The LA Times writes that a data breach at Cedars-Sinai Medical Center is larger than previously reported. According to latimes.com, a stolen computer that was not protected with medical laptop encryption software contained information on more than 33,000 patients; in August, the number was given as “more than 500,” which implied a figure closer to 500 than 33,000.

Details that were unavailable before have been revealed as well.


Apart from the admission that the breach affected tens of thousands of people, it was revealed that the laptop in question was not protected with a solution like AlertBoot’s managed encryption software because of an oversight:

The laptop was password-protected, but did not have additional encryption software that would have further protected the sensitive data. The software was mistakenly not reinstalled after a change to the computer’s operating system…

This, of course, is something well within the realm of possibility. Indeed, in an earlier blog post I had mused that an oversight was the most probable reason why encryption was not used.

There are only two ways of catching such a problem: (1) as a user, you notice that the encryption login prompt that used to be there is not there any longer or (2) as an administrator, you’re running your weekly / monthly / semi-annual / whatever audits and notice that the number of encrypted machines doesn’t match up to the number of laptops out there.

There is another way, though: “Hospital staff are in the process of confirming that all employee laptops are properly encrypted”.  This brute-force method, despite the outlay of time and energy, is probably the most surefire method of ferreting out any laptops that are not properly encrypted.
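The administrator-side audit described above, as an added example (not from the original post or from any vendor's tooling): it reconciles an asset inventory against an encryption console report and also flags laptops whose last encryption check-in predates the current OS install, which is the failure the hospital described. The CSV column names and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: asset inventory export (hypothetical column names).
INVENTORY_CSV = """asset_tag,assigned_to,os_installed
LT-001,alice,2014-01-10
LT-002,bob,2014-06-02
LT-003,carol,2013-11-20
LT-004,dave,2014-03-15
"""

# Constructed sample data: encryption console report (hypothetical column names).
ENCRYPTION_CSV = """asset_tag,status,last_checkin
LT-001,encrypted,2014-09-28
LT-002,encrypted,2014-05-30
LT-003,decrypted,2014-09-27
"""

def load(text):
    """Index CSV rows by asset tag."""
    return {row["asset_tag"]: row for row in csv.DictReader(io.StringIO(text))}

def audit(inventory_csv, encryption_csv):
    """Return {asset_tag: reason} for each laptop not provably encrypted."""
    inventory = load(inventory_csv)
    reports = load(encryption_csv)
    findings = {}
    for tag, asset in inventory.items():
        report = reports.get(tag)
        if report is None:
            # In inventory but unknown to the encryption console.
            findings[tag] = "no encryption record"
        elif report["status"] != "encrypted":
            findings[tag] = "reports status " + report["status"]
        elif (date.fromisoformat(report["last_checkin"])
              < date.fromisoformat(asset["os_installed"])):
            # Agent last reported before the current OS was installed, so the
            # software may not have been reinstalled after the OS change.
            findings[tag] = "no check-in since OS install"
    return findings

if __name__ == "__main__":
    for tag, reason in sorted(audit(INVENTORY_CSV, ENCRYPTION_CSV).items()):
        print(tag, reason)
```

A plain count comparison would report 3 encrypted records against 4 laptops and miss LT-002, whose record still says "encrypted" from before the OS change.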

Not Stolen for Personal Information

As is usual in cases like these, Cedars-Sinai released the following observation:

Cedars-Sinai said it has no indication that the stolen laptop was used to access the medical records. After the theft, the hospital blocked the laptop’s access to its computer network.

“We believe that the laptop was stolen as a piece of personal property, not for any information it contained,” the hospital said.

Let me give you a brief explanation as to why the above reassurance is problematic: if I steal a car because I’m going to sell it to a chop shop, it doesn’t prevent me from rummaging through the glove compartment and trunk to see if there’s anything of value. The fact that I stole a laptop because it’s a laptop doesn’t mean I’m not going to boot it up and see if I can find a secondary source of illegal profits, especially if I know that medical data is worth $10 per record on the black market.

As the saying goes in computer security circles, encryption is not the be-all and end-all of data security. However, it goes without saying that it’s an effective solution for a lot of ills.
