By Mary Mosquera
March 31, 2008
Despite federal security policy established two years ago, the National
Institutes of Health failed to encrypt a laptop that contained sensitive
information and was stolen Feb. 23.
The incident, made public last week, demonstrates that agencies have not
moved fast enough to secure their data, security experts say.
NIH's National Heart, Lung and Blood Institute said it has reinforced
its information security policies and enforcement since the theft of the
laptop containing data on about 2,500 patients enrolled in a clinical
research project. The Maryland-National Capital Park Police in
Montgomery County, Md., is investigating the theft, but it has had no
leads or breaks in the case, a spokeswoman said.
The laptop was taken from the locked car trunk of an institute
researcher. The files contained names, birth dates, hospital medical
record numbers and medical reports but not Social Security numbers,
addresses, phone numbers or financial information, said Dr. Elizabeth
Nabel, director of the National Heart, Lung and Blood Institute.
Since the theft, the institute has made sure that laptops are encrypted
as required by policies set by the Health and Human Services Department,
NIH's parent, and the Office of Management and Budget, Nabel said.
Agency information security employees are inspecting all researchers'
laptops to ensure that they have appropriate encryption software
installed. All institute workers have received data security reminders
about not keeping patient names or other identifying information on
NIH adheres to the HHS and federal directives for encryption, said John
Jones, chief information officer and acting director of NIH's Center for
All other NIH institutes and centers are checking laptops and must
certify by April 4 that they are encrypted, have a valid HHS waiver or
have been taken out of service, Jones said. In addition, the CIO's
office is conducting a review to determine whether any particular or
systemic weaknesses exist in operations or monitoring.
Jones said the stolen laptop's data was unencrypted because early
attempts to encrypt it caused the corruption and loss of data. The data
was needed for an ongoing clinical trial, so "the lab chief asked for a
safer process before putting additional data at risk," Jones said.
Laptop theft remains a threat. The 2006 theft of a Veterans Affairs
Department laptop that contained the personal data of millions of
veterans spurred OMB to direct agencies to shore up data security. The
Federal Information Security Management Act and Privacy Act require
agencies to protect personally identifiable and other sensitive
information. The National Institute of Standards and Technology provides
guidance for the minimum requirements that agencies need to implement to
comply with FISMA.
Despite the harsh criticism VA received on Capitol Hill and in the
media, many agencies remain slow to act. Some don't feel any sense of
urgency until they have a security incident, said Alan Paller, research
director at the SANS Institute. "Convenience trumps security," he said.
"It's a little inconvenient to encrypt, so people don't do it," he
added. "But embarrassment trumps inconvenience. Other agencies haven't
had the embarrassment of their top executive being lambasted on TV. When
they do, they move quickly."