


http://www.fcw.com/online/news/152223-1.html



By Mary Mosquera

FCW.com

April 11, 2008



The director of the National Institutes of Health has notified employees
to expect random computer audits as the agency works to ensure full
compliance with its security policies. NIH discovered that a stolen
laptop PC belonging to NIH contained medical data and Social Security
numbers of 1,200 patients involved in medical research.



The theft of the unencrypted laptop was a major violation of NIH’s
commitment to protect the confidentiality of patients, Dr. Elias
Zerhouni, the agency’s director, said in a memo sent to all NIH
employees.



NIH originally believed that no Social Security numbers were on the
missing laptop, but an investigation of backup files proved otherwise.
NIH is sending letters to notify those who might be affected. NIH is
offering free credit monitoring and insurance for as much as $20,000 in
losses for patients affected by the incident, an NIH spokeswoman said.



“It is important that we do everything possible to reassure the public
and our patients that we all take our responsibility regarding
protection of sensitive data from loss or misuse extremely seriously in
an age of increasing sophistication in information technologies,”
Zerhouni said.



The new security precautions follow the theft of an unencrypted NIH
laptop in February. The computer contained information about more than
3,000 patients in a clinical research project at NIH’s National Heart,
Lung and Blood Institute.



The stolen laptop violated a federal policy that requires agencies to
encrypt mobile devices that contain personal information. The policy of
NIH and its parent, the Health and Human Services Department, is to
encrypt all government laptops with approved encryption software,
whether or not the PCs contain sensitive or personal information,
Zerhouni said.



Employees also must encrypt portable media, such as flash drives, if
they contain sensitive government data. NIH’s information technology
employees have encrypted nearly 11,000 laptops, Zerhouni said.



The disk encryption software must meet the National Institute of
Standards and Technology’s Federal Information Processing Standard
140-2. Encryption packages meeting that standard are available for
Microsoft Windows and Linux operating systems. A separate package is
under review for the Apple Macintosh operating system.



The agency has prohibited employees from using sensitive information on
Apple Macintosh laptops because NIH’s encryption software from Check
Point cannot be installed on them, said John Jones, NIH’s chief
information officer and acting director of the Center for IT. NIH has
about 4,500 Mac laptops, but only some contain sensitive data.



Check Point’s Pointsec encryption for Mac laptops is in testing, said
David Vergara, product marketing director of data security products at
Check Point. He said he expects it to be ready in a few weeks.






