Stolen laptop reveals security gap

Congress investigates theft

Lawmakers are stepping in to examine the circumstances surrounding the theft of a laptop belonging to the National Institutes of Health. Rep. John Dingell (DMich.), chairman of the Energy and Commerce Committee, and Rep. Bart Stupak (D-Mich.), chairman of the committee’s Oversight and Investigations Subcommittee, have opened an investigation into the theft and NIH operations.

Although NIH reported the theft to federal and law enforcement immediately, it delayed notifying the affected patients until March 20, four weeks after the incident.

The Office of Management and Budget requires agencies to have a breach notification policy.

“The stunning failure to act, by both NIH and HHS, raises troubling questions,” Dingell said.

Dingell said he will examine what safeguards were in place and where the security process failed and how to fix it.

— Mary Mosquera

Despite federal security policy established two years ago, the National Institutes of Health failed to encrypt a laptop that contained sensitive information and was stolen Feb. 23.

The incident, made public last week, demonstrates that agencies have not moved fast enough to secure their data, security experts say.

NIH’s National Heart, Lung and Blood Institute said it has reinforced its information security policies and enforcement since the theft of the laptop containing data on about 2,500 patients enrolled in a clinical research project. The Maryland-National Capital Park Police in Montgomery County, Md., is investigating the theft, but it has had no leads or breaks in the case, a spokeswoman said.

The laptop was taken from the locked car trunk of an institute researcher. The files contained names, birth dates, hospital medical record numbers and medical reports but not Social Security numbers, addresses, phone numbers or financial information, said Dr. Elizabeth Nabel, director of the national Heart, Lung and Blood Institute.

Since the theft, the institute has made sure that laptops are encrypted as required by policies set by the Health and Human Services Department, NIH’s parent, and the Office of Management and Budget, Nabel said. Agency information security employees are inspecting all researchers’ laptops to ensure that they have appropriate encryption software installed. All institute workers have received data security reminders about not keeping patient names or other identifying information on their laptops.

NIH adheres to the HHS and federal directives for encryption, said John Jones, chief information officer and acting director of NIH’s Center for Information Technology.

All other NIH institutes and centers are checking laptops and must certify by April 4 that they are encrypted, have a valid HHS waiver or have been taken out of service, Jones said. In addition, the CIO’s office is conducting a review to determine whether any particular or systemic weaknesses exist in operations or monitoring.

Jones said the stolen laptop’s data was unencrypted because early attempts to encrypt it caused the corruption and loss of data. The data was needed for an ongoing clinical trial, so “the lab chief asked for a safer process before putting additional data at risk,” Jones said.

Laptop theft remains a threat. The 2006 theft of a Veterans Affairs Department laptop that contained the personal data of millions of veterans spurred OMB to direct agencies to shore up data security. The Federal Information Security Management Act and Privacy Act require agencies to protect personally identifiable and other sensitive information. The National Institute of Standards and Technology provides guidance for the minimum requirements that agencies need to implement to comply with FISMA.

Despite the harsh criticism VA received on Capitol Hill and in the media, many agencies remain slow to act. Some don’t feel any sense of urgency until they have a security incident, said Alan Paller, research director at the SANS Institute. “Convenience trumps security,” he said.

“It’s a little inconvenient to encrypt, so people don’t do it,” he added. “But embarrassment trumps inconvenience. Other agencies haven’t had the embarrassment of their top executive being lambasted on TV. When they do, they move quickly.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Cybersecurity
    malware detection (Alexander Yakimov/Shutterstock.com)

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.