Stolen laptop reveals security gap

Congress investigates theft

Lawmakers are stepping in to examine the circumstances surrounding the theft of a laptop belonging to the National Institutes of Health. Rep. John Dingell (DMich.), chairman of the Energy and Commerce Committee, and Rep. Bart Stupak (D-Mich.), chairman of the committee’s Oversight and Investigations Subcommittee, have opened an investigation into the theft and NIH operations.

Although NIH reported the theft to federal and law enforcement immediately, it delayed notifying the affected patients until March 20, four weeks after the incident.

The Office of Management and Budget requires agencies to have a breach notification policy.

“The stunning failure to act, by both NIH and HHS, raises troubling questions,” Dingell said.

Dingell said he will examine what safeguards were in place and where the security process failed and how to fix it.

— Mary Mosquera

Despite federal security policy established two years ago, the National Institutes of Health failed to encrypt a laptop that contained sensitive information and was stolen Feb. 23.

The incident, made public last week, demonstrates that agencies have not moved fast enough to secure their data, security experts say.

NIH’s National Heart, Lung and Blood Institute said it has reinforced its information security policies and enforcement since the theft of the laptop containing data on about 2,500 patients enrolled in a clinical research project. The Maryland-National Capital Park Police in Montgomery County, Md., is investigating the theft, but it has had no leads or breaks in the case, a spokeswoman said.

The laptop was taken from the locked car trunk of an institute researcher. The files contained names, birth dates, hospital medical record numbers and medical reports but not Social Security numbers, addresses, phone numbers or financial information, said Dr. Elizabeth Nabel, director of the national Heart, Lung and Blood Institute.

Since the theft, the institute has made sure that laptops are encrypted as required by policies set by the Health and Human Services Department, NIH’s parent, and the Office of Management and Budget, Nabel said. Agency information security employees are inspecting all researchers’ laptops to ensure that they have appropriate encryption software installed. All institute workers have received data security reminders about not keeping patient names or other identifying information on their laptops.

NIH adheres to the HHS and federal directives for encryption, said John Jones, chief information officer and acting director of NIH’s Center for Information Technology.

All other NIH institutes and centers are checking laptops and must certify by April 4 that they are encrypted, have a valid HHS waiver or have been taken out of service, Jones said. In addition, the CIO’s office is conducting a review to determine whether any particular or systemic weaknesses exist in operations or monitoring.

Jones said the stolen laptop’s data was unencrypted because early attempts to encrypt it caused the corruption and loss of data. The data was needed for an ongoing clinical trial, so “the lab chief asked for a safer process before putting additional data at risk,” Jones said.

Laptop theft remains a threat. The 2006 theft of a Veterans Affairs Department laptop that contained the personal data of millions of veterans spurred OMB to direct agencies to shore up data security. The Federal Information Security Management Act and Privacy Act require agencies to protect personally identifiable and other sensitive information. The National Institute of Standards and Technology provides guidance for the minimum requirements that agencies need to implement to comply with FISMA.

Despite the harsh criticism VA received on Capitol Hill and in the media, many agencies remain slow to act. Some don’t feel any sense of urgency until they have a security incident, said Alan Paller, research director at the SANS Institute. “Convenience trumps security,” he said.

“It’s a little inconvenient to encrypt, so people don’t do it,” he added. “But embarrassment trumps inconvenience. Other agencies haven’t had the embarrassment of their top executive being lambasted on TV. When they do, they move quickly.” 

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.