NIH bars sensitive data from Mac laptops
The agency restated its policy mandating full-disk encryption for laptop PCs, which is still in beta testing for Macs.
The National Institutes of Health has blocked employees from working with sensitive information on Apple Macintosh laptop PCs because NIH’s approved full-disk encryption software cannot be installed on them. Check Point Software Technologies’ Full Disk Encryption (formerly Pointsec PC) only supports Microsoft and Linux operating systems, but it is in beta testing for Mac laptops, according to information about data encryption NIH posted online for its employees.The guidance on Macs follows the theft Feb. 23 of an unencrypted NIH laptop that contained data on 2,500 patients participating in a clinical research project at the agency's National Heart, Lung and Blood Institute. The laptop PC was stolen from the locked trunk of an NIH employee’s vehicle while it was parked in Montgomery County, Maryland. NIH officials did not say whether the laptop was a Mac or Microsoft Windows-based computer.In response to the theft, NIH restated that its policy and that of its parent agency — the Health and Human Services Department — is to encrypt all government laptop PCs, regardless of whether they contain sensitive or personally identifiable information. Contractor-owned laptop PCs that contain sensitive government information must also be encrypted under NIH’s policy.An initial attempt to encrypt the stolen laptop resulted in data corruption and loss, said John Jones Jr., acting chief information officer and acting director of the Center for Information Technology at NIH. He added that the employee decided to wait until another process was available that would not alter the data. After the theft, Jones said he directed NIH institutes and centers to recheck the status of their laptop PCs and verify by April 4 that they were encrypted, have a valid HHS waiver or have been taken out of service. His office has been analyzing the situation for weaknesses in operations and monitoring. Because Pointsec cannot support Mac laptops at this time, those machines were not included in the April 4 deadline.“However, you must make sure that no Mac laptops contain sensitive government information” or personally identifiable information, the guidance states. NIH did not respond to calls requesting more information.The Office of Management and Budget directed agencies to encrypt laptop PCs to protect personally identifiable information after the theft in 2006 of a Veterans Affairs Department laptop that put at risk the personal data of millions of veterans. The Federal Information Security Management Act and the Privacy Act require agencies to protect personally identifiable and other sensitive data.In addition to Pointsec, NIH employees can use Microsoft BitLocker, which supports Windows Vista and meets Federal Information Processing Standard 140-2 for data encryption. Any other whole-disk encryption software that complies with FIPS 140-2 is acceptable, NIH officials said.