[ISN] Stolen laptop reveals security gap

From: InfoSec News (alerts@private)
Date: Tue Apr 01 2008 - 00:25:24 PST


http://www.fcw.com/online/news/152075-1.html

By Mary Mosquera
FCW.com
March 31, 2008

Despite federal security policy established two years ago, the National 
Institutes of Health failed to encrypt a laptop that contained sensitive 
information and was stolen Feb. 23.

The incident, made public last week, demonstrates that agencies have not 
moved fast enough to secure their data, security experts say.

NIH's National Heart, Lung and Blood Institute said it has reinforced 
its information security policies and enforcement since the theft of the 
laptop containing data on about 2,500 patients enrolled in a clinical 
research project. The Maryland-National Capital Park Police in 
Montgomery County, Md., is investigating the theft, but it has had no 
leads or breaks in the case, a spokeswoman said.

The laptop was taken from the locked car trunk of an institute 
researcher. The files contained names, birth dates, hospital medical 
record numbers and medical reports but not Social Security numbers, 
addresses, phone numbers or financial information, said Dr. Elizabeth 
Nabel, director of the National Heart, Lung and Blood Institute.

Since the theft, the institute has made sure that laptops are encrypted 
as required by policies set by the Health and Human Services Department, 
NIH's parent, and the Office of Management and Budget, Nabel said. 
Agency information security employees are inspecting all researchers' 
laptops to ensure that they have appropriate encryption software 
installed. All institute workers have received data security reminders 
about not keeping patient names or other identifying information on 
their laptops.

NIH adheres to the HHS and federal directives for encryption, said John 
Jones, chief information officer and acting director of NIH's Center for 
Information Technology.

All other NIH institutes and centers are checking laptops and must 
certify by April 4 that they are encrypted, have a valid HHS waiver or 
have been taken out of service, Jones said. In addition, the CIO's 
office is conducting a review to determine whether any particular or 
systemic weaknesses exist in operations or monitoring.

Jones said the stolen laptop's data was unencrypted because early 
attempts to encrypt it caused the corruption and loss of data. The data 
was needed for an ongoing clinical trial, so "the lab chief asked for a 
safer process before putting additional data at risk," Jones said.

Laptop theft remains a threat. The 2006 theft of a Veterans Affairs 
Department laptop that contained the personal data of millions of 
veterans spurred OMB to direct agencies to shore up data security. The 
Federal Information Security Management Act and Privacy Act require 
agencies to protect personally identifiable and other sensitive 
information. The National Institute of Standards and Technology provides 
guidance for the minimum requirements that agencies need to implement to 
comply with FISMA.

Despite the harsh criticism VA received on Capitol Hill and in the 
media, many agencies remain slow to act. Some don't feel any sense of 
urgency until they have a security incident, said Alan Paller, research 
director at the SANS Institute. "Convenience trumps security," he said.

"It's a little inconvenient to encrypt, so people don't do it," he 
added. "But embarrassment trumps inconvenience. Other agencies haven't 
had the embarrassment of their top executive being lambasted on TV. When 
they do, they move quickly."


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Tue Apr 01 2008 - 00:49:08 PST