[ISN] Stolen hospital laptop sparks new data security rules

From: InfoSec News (alerts@private)
Date: Sun Mar 11 2007 - 23:11:04 PST


http://www.cbc.ca/canada/ottawa/story/2007/03/08/sickkids-stolenlaptop.html

CBC News 
March 8, 2007

Hospitals across the province are now expected to follow new data 
security rules following the theft of a laptop computer holding personal 
information on thousands of patients at Toronto's Hospital for Sick 
Children, says a report by Ontario's privacy commissioner.

Ann Cavoukian's report was released on Thursday, more than two months 
after the laptop was stolen from the minivan of a doctor. He had left 
the hospital on Jan. 4 with the computer to work on a research project 
at home that evening.

Data stored on the laptop included information on 2,900 patients, such 
as their names, patient numbers and medical conditions.

Hospital spokeswoman Helen Simeon admits the laptop contained sensitive 
material and even included the HIV status of some patients.

"In my view, there is no excuse. This should never happen again," Simeon 
told CBC News on Thursday.

Hospitals in question contacted

All hospital patients affected by the security breach have been 
contacted.

About one-third of them have died, but Cavoukian said the privacy of 
their medical information is still important because of links to their 
relatives.

Cavoukian ordered the hospital to implement a ban on the removal of 
personal health data in electronic form from hospital premises. In cases 
where such information must be removed, it must first be encrypted.

In fact, all Ontario hospitals will be expected to follow the new rule, 
Cavoukian said.

"That is now the standard in Ontario. You must encrypt personally 
identifiable data that you remove from the office on a remote device."

The only security measure on the stolen laptop was an eight-character 
alpha-numeric password. Cavoukian's report says password protection is 
no longer enough.

"There is no excuse for unauthorized access to personal health 
information due to the loss of a mobile computing device," it says.

Cavoukian notes that when it is necessary to upload patient data onto 
mobile electronic devices, it can also be encoded and include only 
information essential to the research.
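The two controls the commissioner describes for data that must leave the premises are data minimisation (carry only the fields a study needs) and encoding records so they no longer directly identify patients. The following Python is an added example, not code from the CBC article, the hospital or the commissioner's report; the record layout, field names and secret key are constructed for illustration. It keeps only the requested fields, refuses requests for direct identifiers, and replaces patient numbers with keyed HMAC pseudonyms so that a lost extract cannot be re-linked without the key kept at the hospital. Encrypting the resulting file (the commissioner's other requirement) is a separate control, normally full-disk or file encryption, and is not shown.

```python
"""Build a minimal, pseudonymised research extract from patient records.

Added example, not from the original article.  All records, field names and
the key below are constructed; encryption of the output file is assumed to be
handled separately (full-disk or file encryption on the device).
"""
import hashlib
import hmac
import json

# Constructed sample records; in practice these come from the hospital system.
PATIENT_RECORDS = [
    {"name": "A. Example", "patient_number": "P-0001", "dob": "1990-05-02",
     "condition": "asthma", "hiv_status": "negative", "visits": 3},
    {"name": "B. Example", "patient_number": "P-0002", "dob": "1985-11-17",
     "condition": "diabetes", "hiv_status": "positive", "visits": 5},
]

# Fields that directly identify a patient and must never be copied to a device.
DIRECT_IDENTIFIERS = {"name", "patient_number", "dob"}


def pseudonymise(patient_number: str, key: bytes) -> str:
    """Keyed one-way pseudonym for a patient number.

    The key stays inside the hospital: a stolen extract cannot be mapped back
    to patient numbers, while the hospital can re-link study results later by
    recomputing the HMAC with the same key.
    """
    digest = hmac.new(key, patient_number.encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def build_extract(records, needed_fields, key: bytes):
    """Return rows containing a pseudonym plus only the fields the study needs.

    Raises ValueError if the request includes a direct identifier, so the
    minimisation rule is enforced rather than left to the researcher.
    """
    requested = set(needed_fields)
    leaked = requested & DIRECT_IDENTIFIERS
    if leaked:
        raise ValueError(f"direct identifiers requested: {sorted(leaked)}")
    extract = []
    for rec in records:
        row = {"pseudonym": pseudonymise(rec["patient_number"], key)}
        for field in needed_fields:
            row[field] = rec[field]
        extract.append(row)
    return extract


def contains_direct_identifiers(extract) -> bool:
    """Final check before the file is written: no identifying field present."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in extract)


def to_json(extract) -> str:
    """Serialise the extract; the caller encrypts this before it leaves site."""
    return json.dumps(extract, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed key; a real deployment keeps this in the hospital's key store.
    SITE_KEY = b"constructed-site-secret-key"
    rows = build_extract(PATIENT_RECORDS, ["condition", "visits"], SITE_KEY)
    assert not contains_direct_identifiers(rows)
    print(to_json(rows))
```

The study in this example needs condition and visit counts only, so HIV status, names, dates of birth and patient numbers never reach the device; if the same extract is later matched back, the hospital recomputes the HMAC over its own patient numbers rather than shipping a lookup table alongside the data.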

