Stolen laptop reveals security gap

Several federal directives outline a path to security, but all require follow-through.

Despite federal security policy established two years ago, the National Institutes of Health failed to encrypt a laptop that contained sensitive information and was stolen Feb. 23. The incident, made public last week, demonstrates that agencies have not moved fast enough to secure their data, security experts say.

NIH’s National Heart, Lung and Blood Institute said it has reinforced its information security policies and enforcement since the theft of the laptop containing data on about 2,500 patients enrolled in a clinical research project.

The Maryland-National Capital Park Police in Montgomery County, Md., is investigating the theft, but it has had no leads or breaks in the case, a spokeswoman said. The laptop was taken from the locked car trunk of an institute researcher.

The files contained names, birth dates, hospital medical record numbers and medical reports but not Social Security numbers, addresses, phone numbers or financial information, said Dr. Elizabeth Nabel, director of the National Heart, Lung and Blood Institute.

Since the theft, the institute has made sure that laptops are encrypted as required by policies set by the Health and Human Services Department, NIH’s parent, and the Office of Management and Budget, Nabel said. Agency information security employees are inspecting all researchers’ laptops to ensure that they have appropriate encryption software installed. All institute workers have received data security reminders about not keeping patient names or other identifying information on their laptops.

NIH adheres to the HHS and federal directives for encryption, said John Jones, chief information officer and acting director of NIH’s Center for Information Technology. All other NIH institutes and centers are checking laptops and must certify by April 4 that they are encrypted, have a valid HHS waiver or have been taken out of service, Jones said.

In addition, the CIO’s office is conducting a review to determine whether any particular or systemic weaknesses exist in operations or monitoring. Jones said the stolen laptop’s data was unencrypted because early attempts to encrypt it caused the corruption and loss of data. The data was needed for an ongoing clinical trial, so “the lab chief asked for a safer process before putting additional data at risk,” Jones said.

Laptop theft remains a threat. The 2006 theft of a Veterans Affairs Department laptop that contained the personal data of millions of veterans spurred OMB to direct agencies to shore up data security. The Federal Information Security Management Act and the Privacy Act require agencies to protect personally identifiable and other sensitive information. The National Institute of Standards and Technology provides guidance on the minimum requirements that agencies must implement to comply with FISMA.

Despite the harsh criticism VA received on Capitol Hill and in the media, many agencies remain slow to act. Some don’t feel any sense of urgency until they have a security incident, said Alan Paller, research director at the SANS Institute. “Convenience trumps security,” he said. “It’s a little inconvenient to encrypt, so people don’t do it,” he added. “But embarrassment trumps inconvenience. Other agencies haven’t had the embarrassment of their top executive being lambasted on TV. When they do, they move quickly.”

Congress investigates theft

Lawmakers are stepping in to examine the circumstances surrounding the theft of a laptop belonging to the National Institutes of Health. Rep. John Dingell (D-Mich.), chairman of the Energy and Commerce Committee, and Rep. Bart Stupak (D-Mich.), chairman of the committee’s Oversight and Investigations Subcommittee, have opened an investigation into the theft and NIH operations.

Although NIH reported the theft to federal and law enforcement immediately, it delayed notifying the affected patients until March 20, four weeks after the incident.

The Office of Management and Budget requires agencies to have a breach notification policy.

“The stunning failure to act, by both NIH and HHS, raises troubling questions,” Dingell said.

Dingell said he will examine what safeguards were in place, where the security process failed and how to fix it.

— Mary Mosquera