According to scmp.com, the University of Hong Kong has lost a laptop computer containing medical information on more than 3,600 people. Apparently, the laptop was not secured with full disk encryption software; even so, the records of 901 of those patients had been encrypted separately.
Police are currently investigating the situation.
Massive Data Breach
This latest episode has been labeled a “massive data breach,” which, if you’ve been following the news in the US for the last couple of years, feels like a quaint statement. Granted, an argument could be made that just one person’s data breach is already one too many. But in this case, it’s helpful to consider the city’s population and its data security environment.
According to this other scmp.com article, Hong Kong’s privacy watchdog received only one data breach complaint in 2018, down from 100 in 2014. One presumes that the 2019 figures are somewhat similar.
Obviously, Hong Kong is a small place (only 7.39 million people live there according to a 2017 census), so it follows that it would have comparatively fewer information security incidents than, say, the US, which has a population of over 400 million. Taking that into consideration, it’s understandable why the University of Hong Kong’s security breach would be labeled “massive.”
If the official figures are to be believed, there don’t appear to be many data breaches in Hong Kong at all. Could this be because Hong Kongers are better at data security? Or are the numbers so low because few people report incidents to the privacy watchdog? Regardless, it’s quite the eye-popping figure.
Encryption Only for Some?
What’s even more surprising about this latest incident may be the fact that a subset of patients had their data secured. Why is that? What makes the 901 patients so special that their information was protected while that of the other 2,700 patients wasn’t? The short article on scmp.com doesn’t provide details, unfortunately.
It could be that the university screwed up. They could have a policy where all laptops are supposed to be encrypted but this particular computer was overlooked somehow. This could also explain why the 901 patients had their information encrypted as well: if there is a security policy where all laptops are to be encrypted, it’s not far-fetched to imagine that the same policy also requires files to be encrypted when passed around, be it via email, a cloud service, or otherwise.
If, however, there is no such policy on laptop encryption, then it invites questions. First, in this day and age, why not? Second, then what about the 901 patients? Why was encryption used to secure their data?
FDE: Betting That You’ll Lose A Computer… Some Day
It’s often said that full disk encryption (FDE) is one of the most surefire ways of preventing a data breach. There are detractors, though: people point out that FDE is powerless against attacks that happen while the machine is running and connected to the internet, be it phishing, the activation of some malware, or even honest-to-god accidents like emailing a file to the wrong person. However, this is a false argument: it’s like stating that seat belts in cars are useless because an errant tire could roll down the highway and go through your windshield, instantly killing you. The point of seatbelts is not to protect you from all danger.
Likewise, the point of FDE is not to prevent all data breaches (it cannot) but to do so when a machine is lost, no matter why it’s missing. That laptops used in the workplace (especially in environments where sensitive data is handled on a daily basis, like in a medical setting) are not protected with the most basic security tool is appalling. When you consider the rate at which things are stolen or lost – especially items like smartphones, laptops, tablets, and other high-value electronics – it only makes sense to use FDE.
The university has promised to review their security policies and update them as needed. More often than not, it turns out that it’s not the security policy that needs work; rather, it’s the follow-through: the continuous, everyday monitoring that confirms the policies in place are actually being followed.
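As an added example (it is not from the scmp.com article or from the university), here is the kind of check that this follow-through actually requires on a Linux laptop fleet: a Python script that reads the key/value output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and reports whether `/` and `/home` sit on a dm-crypt (`crypt`) layer. The three sample outputs are constructed, the device names in them are made up, and the `audit_host`/`noncompliant_mounts` helpers are my own naming. The check goes a little beyond the single lost laptop in the article: it walks the whole parent chain, so LVM-on-LUKS is recognised, and it reports the partially encrypted case where only `/home` is protected.

```python
"""Audit whether a Linux host's sensitive filesystems sit on an encrypted block device.

Input is the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (one
KEY="value" ... record per device). For each mountpoint of interest we walk
up the PKNAME (parent) chain looking for a TYPE="crypt" device, because with
LVM-on-LUKS the encrypted layer is an ancestor of the mounted volume rather
than the mounted device itself.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample: LVM on LUKS, both / and /home are beneath a crypt layer.
ENCRYPTED_HOST = """
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-0000" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-0000"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="luks-0000"
"""

# Constructed sample: no encryption anywhere, no separate /home.
PLAIN_HOST = """
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
"""

# Constructed sample: only /home is encrypted, the root filesystem is not.
PARTIAL_HOST = """
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="home_crypt" TYPE="crypt" MOUNTPOINT="/home" PKNAME="sda2"
"""


def parse_lsblk_pairs(output: str) -> List[Dict[str, str]]:
    """Turn `lsblk -P` lines into a list of {KEY: value} dicts.

    shlex handles the double-quoted values, so a MOUNTPOINT containing a
    space is parsed correctly instead of being split in two.
    """
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = {}
        for token in shlex.split(line):
            key, _, value = token.partition("=")
            fields[key] = value
        devices.append(fields)
    return devices


def is_mount_encrypted(devices: List[Dict[str, str]], mountpoint: str) -> Optional[bool]:
    """True if a crypt layer lies at or beneath the device holding `mountpoint`,
    False if the chain reaches a bare disk without one, None if the mountpoint
    does not appear in the output at all (e.g. no separate /home)."""
    by_name = {d["NAME"]: d for d in devices}
    current = next((d for d in devices if d.get("MOUNTPOINT") == mountpoint), None)
    if current is None:
        return None
    seen = set()  # guards against a malformed cyclic PKNAME chain
    while current is not None and current["NAME"] not in seen:
        seen.add(current["NAME"])
        if current.get("TYPE") == "crypt":
            return True
        current = by_name.get(current.get("PKNAME", ""))
    return False


def audit_host(output: str, mountpoints=("/", "/home")) -> Dict[str, Optional[bool]]:
    """Map each mountpoint of interest to its encryption status for one host."""
    devices = parse_lsblk_pairs(output)
    return {mp: is_mount_encrypted(devices, mp) for mp in mountpoints}


def noncompliant_mounts(output: str, mountpoints=("/", "/home")) -> List[str]:
    """Mountpoints that exist on the host but are NOT on an encrypted device.
    An empty list means the host passes the FDE policy check."""
    return [mp for mp, enc in audit_host(output, mountpoints).items() if enc is False]


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_HOST),
                          ("plain", PLAIN_HOST),
                          ("partial", PARTIAL_HOST)):
        print(label, audit_host(sample), "non-compliant:", noncompliant_mounts(sample))
```

To use it against a real machine, feed it the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` collected by whatever inventory agent the fleet already runs, and treat any host with a non-empty `noncompliant_mounts` result as a policy exception to chase down. The same idea applies on other platforms with their native status commands (`fdesetup status` on macOS, `manage-bde -status` on Windows); the point is that the policy is verified continuously from the device's own state rather than assumed from a checklist.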