[ISN] NIH to crack down on encryption

From: InfoSec News (alerts@private)
Date: Mon Apr 14 2008 - 00:29:06 PDT


http://www.fcw.com/online/news/152223-1.html

By Mary Mosquera
FCW.com
April 11, 2008

The director of the National Institutes of Health has notified employees 
to expect random computer audits as the agency works to ensure full 
compliance with its security policies. NIH discovered that a stolen 
laptop PC belonging to NIH contained medical data and Social Security 
numbers of 1,200 patients involved in medical research.

The theft of the unencrypted laptop was a major violation of NIH’s 
commitment to protect the confidentiality of patients, Dr. Elias 
Zerhouni, the agency’s director, said in a memo sent to all NIH 
employees.

NIH originally believed that no Social Security numbers were on the 
missing laptop, but an investigation of backup files proved otherwise. 
NIH is sending letters to notify those who might be affected. NIH is 
offering free credit monitoring and insurance for as much as $20,000 in 
losses for patients affected by the incident, an NIH spokeswoman said.

“It is important that we do everything possible to reassure the public 
and our patients that we all take our responsibility regarding 
protection of sensitive data from loss or misuse extremely seriously in 
an age of increasing sophistication in information technologies,” 
Zerhouni said.

The new security precautions follow the theft of an unencrypted NIH 
laptop in February. The computer contained information about more than 
3,000 patients in a clinical research project at NIH’s National Heart, 
Lung and Blood Institute.

The stolen laptop violated a federal policy that requires agencies to 
encrypt mobile devices that contain personal information. The policy of 
NIH and its parent, the Health and Human Services Department, is to 
encrypt all government laptops with approved encryption software, 
whether or not the PCs contain sensitive or personal information, 
Zerhouni said.

Employees also must encrypt portable media, such as flash drives, if 
they contain sensitive government data. NIH’s information technology 
employees have encrypted nearly 11,000 laptops, Zerhouni said.

The disk encryption software must meet the National Institute of 
Standards and Technology’s Federal Information Processing Standard 
140-2. Encryption packages meeting that standard are available for 
Microsoft Windows and Linux operating systems. A separate package is 
under review for the Apple Macintosh operating system.

The agency has prohibited employees from using sensitive information on 
Apple Macintosh laptops because NIH’s encryption software from Check 
Point cannot be installed on them, said John Jones, NIH’s chief 
information officer and acting director of the Center for IT. NIH has 
about 4,500 Mac laptops, but only some contain sensitive data.

Check Point’s Pointsec encryption for Mac laptops is in testing, said 
David Vergara, product marketing director of data security products at 
Check Point. He said he expects it to be ready in a few weeks.

