By Salvatore Salamone
March 26, 2008 | On Sunday, The Washington Post reported on a laptop stolen from the National Institutes of Health (NIH) that contained clinical trial data of 2,500 patients.
The article noted that the laptop “was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses, and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy.”
There are so many things troubling about this theft and they should all serve as a reminder about the risk inherent when data is on laptops and the responsibilities organizations have to protect that data.
First, even though the laptop was stolen in February, the NIH delayed notifying patients about the breach until last week -- roughly a month later -- for fear of this would "provoke undue alarm." Duh. If the data was compromised (and there is no indication that it has been), waiting a month would give thieves an incredible head start during which they could potentially use the information to do damage. Fortunately, while the data in this incident contained names and birthdays, it did not have Social Security Numbers, phone numbers, or patient addresses.
Second, the laptop was in the locked trunk of a car, which just goes to show the increased risk to data in our more mobile workforce. The laptop theft problem is pervasive. The FBI, Gartner, and others peg laptop theft rates at between three to seven percent. And 50 percent of the 403 senior managers surveyed in the Computer Security Institute’s 2007 Computer Crime and Security Survey said their organization experienced laptop or mobile device theft within the last 12 months.
Third, related to the mobility factor, the data should have been encrypted. This case appears to be an example of people simply bypassing existing rules. The article notes that an initial attempt to encrypt the data failed, and no further attempt was made.
And let’s hope the data was at least backed up. Even if it had not been stolen, laptops have a higher failure rate relative to most desktop systems because of the way they are handled.
This incident, and others like it, should be used by life sciences IT managers to justify more stringent data protection policies. While this case involves personally identifiable and medial information, other data -- such as research that comprises an organization’s intellectual property -- is also at risk and needs protection.
At a minimum, every life sciences organization that handles, collects, stores, and analyzes such data must put into place ironclad policies and procedures that do not let employees intentionally or accidentally avert rules about protecting data.
The data should automatically be backed up and encrypted.
Those who want to go a step further can certainly do more to protect the data. For instance, new online services automate backup whenever a user connects to the Internet. Since trial data is often collected in the field, such services help ensure more of the collected data is backed up (rather than waiting for the device be brought into the lab or office).
For protection of another type, there are software packages and systems for laptops and mobile devices that wipe a drive clean if the device is stolen or an unauthorized user attempts to access data. (There are also services that help locate a stolen laptop.)
The bottom line is that IT must take a more commanding role in protecting data associated with intellectual property and clinical trial data whose exposure could result in HIPAA violations and identity theft problems for the trial participants.
How do you protect your data? Do you have any tricks of the trade that make the processes easier on your users? Drop me a note at firstname.lastname@example.org and share your thoughts on the subject.