The Washington Post reports today that a laptop containing "sensitive medical information" on more than 2,500 patients in a NIH study was stolen last month, potentially exposing seven years worth of data, including names, diagnoses and heart scans to...people who would want to bore themselves to death reading that kind of thing.
What is more interesting is that the Post reports that the data on the laptop was not encrypted, a clear violation of Government security policies. And to think I was worried about Google Health.
Here's a question. Why is this data, which is supposed to be encrypted and kept under the highest confidentiality and security, kept on a laptop computer which any bloke could simply walk away with? I don't know about you, but if I wanted to keep data secure, I'd keep it on an encrypted external hard disk, which I'd disconnect and keep under lock and key when not in use, with the keys on a separate flash drive under separate lock and key.
It's great that the Government requires patient data to be encrypted, but that doesn't do me much good if the machine it is encrypted on is readily accessable, and the keys aren't secured somewhere else.
At least they're learning...
Nabel, in her statement, said that since the NIH incident, "we are ensuring" that all the institute's laptop computers are encrypted and that staff members will be required to take regular computer security training. She also said "patient names, other identifying information, or identifiable medical information" will no longer be stored on laptop computers
