NIH to crack down on encryption

The director of the National Institutes of Health has notified employees to expect random computer audits as the agency works to ensure full compliance with its security policies. NIH discovered that a stolen laptop PC belonging to NIH contained medical data and Social Security numbers of 1,200 patients involved in medical research.

The theft of the unencrypted laptop was a major violation of NIH’s commitment to protect the confidentiality of patients, Dr. Elias Zerhouni, the agency’s director, said in a memo sent to all NIH employees.

NIH originally believed that no Social Security numbers were on the missing laptop, but an investigation of backup files proved otherwise. NIH is sending letters to notify those who might be affected. NIH is offering  free credit monitoring and insurance for as much as $20,000 in losses for patients affected by the incident, an NIH spokeswoman said.

“It is important that we do everything possible to reassure the public and our patients that we all take our responsibility regarding protection of sensitive data from loss or misuse extremely seriously in an age of increasing sophistication in information technologies,” Zerhouni said.

The new security precautions follow the theft of an unencrypted NIH laptop in February. The computer contained information about more than 3,000 patients in a clinical research project at NIH’s National Heart, Lung and Blood Institute. 

The stolen laptop violated a federal policy that requires agencies to encrypt mobile devices that contain personal information. The policy of NIH and its parent, the Health and Human Services Department, is to encrypt all government laptops with approved encryption software, whether or not the PCs contain sensitive or personal information, Zerhouni said.

Employees also must encrypt portable media, such as flash drives, if they contain sensitive government data. NIH’s information technology employees have encrypted nearly 11,000 laptops, Zerhouni said.

The disk encryption software must meet the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2. Encryption packages meeting that standard are available for Microsoft Windows and Linux operating systems. A separate package is under review for the Apple Macintosh operating system.

The agency has prohibited employees from using sensitive information on Apple Macintosh laptops because NIH’s encryption software from Check Point cannot be installed on them, said John Jones, NIH’s chief information officer and acting director of the Center for IT. NIH has about 4,500 Mac laptops, but only some contain sensitive data.

Check Point’s Pointsec encryption for Mac laptops is in testing, said David Vergara, product marketing directing of data security products at Check Point. He said he expects it to be ready in a few weeks.