NIH to crack down on encryption

By Mary Mosquera
April 11, 2008

The director of the National Institutes of Health has notified employees 
to expect random computer audits as the agency works to ensure full 
compliance with its security policies. NIH discovered that a stolen 
laptop PC belonging to NIH contained medical data and Social Security 
numbers of 1,200 patients involved in medical research.

The theft of the unencrypted laptop was a major violation of NIH’s 
commitment to protect the confidentiality of patients, Dr. Elias 
Zerhouni, the agency’s director, said in a memo sent to all NIH 

NIH originally believed that no Social Security numbers were on the 
missing laptop, but an investigation of backup files proved otherwise. 
NIH is sending letters to notify those who might be affected. NIH is 
offering free credit monitoring and insurance for as much as $20,000 in 
losses for patients affected by the incident, an NIH spokeswoman said.

“It is important that we do everything possible to reassure the public 
and our patients that we all take our responsibility regarding 
protection of sensitive data from loss or misuse extremely seriously in 
an age of increasing sophistication in information technologies,” 
Zerhouni said.

The new security precautions follow the theft of an unencrypted NIH 
laptop in February. The computer contained information about more than 
3,000 patients in a clinical research project at NIH’s National Heart, 
Lung and Blood Institute.

The stolen laptop violated a federal policy that requires agencies to 
encrypt mobile devices that contain personal information. The policy of 
NIH and its parent, the Health and Human Services Department, is to 
encrypt all government laptops with approved encryption software, 
whether or not the PCs contain sensitive or personal information, 
Zerhouni said.

Employees also must encrypt portable media, such as flash drives, if 
they contain sensitive government data. NIH’s information technology 
employees have encrypted nearly 11,000 laptops, Zerhouni said.

The disk encryption software must meet the National Institute of 
Standards and Technology’s Federal Information Processing Standard 
140-2. Encryption packages meeting that standard are available for 
Microsoft Windows and Linux operating systems. A separate package is 
under review for the Apple Macintosh operating system.

The agency has prohibited employees from using sensitive information on 
Apple Macintosh laptops because NIH’s encryption software from Check 
Point cannot be installed on them, said John Jones, NIH’s chief 
information officer and acting director of the Center for IT. NIH has 
about 4,500 Mac laptops, but only some contain sensitive data.

Check Point’s Pointsec encryption for Mac laptops is in testing, said 
David Vergara, product marketing director of data security products at 
Check Point. He said he expects it to be ready in a few weeks.
