GHIT Notebook

June 16, 2008

Op Ed: Lessons of NIH’s stolen laptop

By Peter Morrison

The National Institutes of Health (NIH) recently found itself at the center of public and media scrutiny when an employee’s laptop was stolen, potentially compromising the personally identifiable information (PII) of NIH study participants. The data included the names, birth dates, hospital medical record numbers, and diagnosis-related information for 2,500 study participants. It was not encrypted – a violation of the U.S. Office of Management and Budget (OMB) June 23, 2006 mandate M-06-16, Protection of Sensitive Agency Information, requiring federal agencies to encrypt all sensitive data on mobile devices.

This same scenario, in which a mobile device containing sensitive data is lost or stolen, has played out in several government agencies in recent years and will inevitably recur as government employees increase their use of mobile devices (e.g., laptops, thumb drives, and smartphones) to perform mission-critical activities.

Public health organizations are particularly at risk: the widespread use of mobile devices to manage patient information in the public health arena increases the likelihood that a patient’s private health data and other PII may be lost or stolen, leaving these organizations and their patients vulnerable to compromise.

The intense scrutiny surrounding the NIH incident and similar instances of sensitive data loss should motivate public health agencies to pursue mobile data protection. Federal, state, and local public health agencies and organizations can turn to a variety of sources, including the U.S. General Services Administration (GSA) SmartBUY program or the U.S. Department of Defense Enterprise Software Initiative (DoD-ESI) program, as appropriate, to find solutions to protect data on their vulnerable endpoints.

At the same time, federal agencies must guard against the instinct to make a knee-jerk decision to buy a solution simply to meet OMB M-06-16. The goal of the federal mandate is not compliance. Instead, it is to “compensate for the protections offered by the physical security controls when the information is removed from, or accessed from outside of the agency location.”

Compliance is intended to help an agency perform its mission-critical activities. Like any other information technology (IT) investment, the appropriate mobile data security solution should be chosen based on the needs of the public health agency’s enterprise and how that solution enables the enterprise to fulfill its mission.

To find the right solution to protect patient and related sensitive information in your public health organization, there are a number of key factors to consider:

-- Security, end-user transparency, and ease of operational management. Most vulnerable endpoint security solutions are based on older encryption technologies that were never designed to work in today’s sophisticated environments. Understanding how your agency needs to balance these three requirements to meet its mission is essential.

-- Data-centric vs. device-centric solutions. The GSA and DoD purchasing vehicles offer both solutions. Agencies need to ask themselves: what are we really trying to protect – the data on the device (e.g., medical records, patient diagnoses, and phone numbers), or the device itself? That’s a business, policy, and management decision that only you can answer for your public health organization’s enterprise.

-- Centralized (integrated) vs. non-centralized encryption approaches. As you consider the solution that best meets your public health organization’s needs, you need to decide what role security policy plays in its implementation.

A centralized approach places a larger emphasis on security policy as the driving factor for decision-making. In contrast, a non-centralized approach offers the end-user greater flexibility in deciding what to encrypt and why. Do you really want the end-user deciding security policy?

Ultimately, the solution should be one that considers the roles that people, processes, operations, enforcement, and management play in ensuring vulnerable endpoint protection.

Whether or not to pursue mobile data security is no longer a question for public health agencies – it is a necessity. Agencies must now rise to the challenge and determine how to meet those needs throughout their organizations.

Pete Morrison is Vice President, North American sales for Credant Technologies, a provider of endpoint data protection solutions. He can be reached at pmorrison@credant.com.


