By Mary Mosquera
April 11, 2008
The director of the National Institutes of Health has notified employees
to expect random computer audits as the agency works to ensure full
compliance with its security policies. NIH discovered that a stolen
laptop PC belonging to NIH contained medical data and Social Security
numbers of 1,200 patients involved in medical research.
The theft of the unencrypted laptop was a major violation of NIH’s
commitment to protect the confidentiality of patients, Dr. Elias
Zerhouni, the agency’s director, said in a memo sent to all NIH
NIH originally believed that no Social Security numbers were on the
missing laptop, but an investigation of backup files proved otherwise.
NIH is sending letters to notify those who might be affected. NIH is
offering free credit monitoring and insurance for as much as $20,000 in
losses for patients affected by the incident, an NIH spokeswoman said.
“It is important that we do everything possible to reassure the public
and our patients that we all take our responsibility regarding
protection of sensitive data from loss or misuse extremely seriously in
an age of increasing sophistication in information technologies,”
The new security precautions follow the theft of an unencrypted NIH
laptop in February. The computer contained information about more than
3,000 patients in a clinical research project at NIH’s National Heart,
Lung and Blood Institute.
The stolen laptop violated a federal policy that requires agencies to
encrypt mobile devices that contain personal information. The policy of
NIH and its parent, the Health and Human Services Department, is to
encrypt all government laptops with approved encryption software,
whether or not the PCs contain sensitive or personal information,
Employees also must encrypt portable media, such as flash drives, if
they contain sensitive government data. NIH’s information technology
employees have encrypted nearly 11,000 laptops, Zerhouni said.
The disk encryption software must meet the National Institute of
Standards and Technology’s Federal Information Processing Standard
140-2. Encryption packages meeting that standard are available for
Microsoft Windows and Linux operating systems. A separate package is
under review for the Apple Macintosh operating system.
The agency has prohibited employees from using sensitive information on
Apple Macintosh laptops because NIH’s encryption software from Check
Point cannot be installed on them, said John Jones, NIH’s chief
information officer and acting director of the Center for IT. NIH has
about 4,500 Mac laptops, but only some contain sensitive data.
Check Point’s Pointsec encryption for Mac laptops is in testing, said
David Vergara, product marketing director of data security products at
Check Point. He said he expects it to be ready in a few weeks.