NIH bars sensitive data from Mac laptops

The National Institutes of Health has blocked employees from working with sensitive information on Apple Macintosh laptop PCs because NIH’s approved full-disk encryption software cannot be installed on them.

Check Point Software Technologies’ Full Disk Encryption (formerly Pointsec PC) only supports Microsoft and Linux operating systems, but it is in beta testing for Mac laptops, according to information about data encryption NIH posted online for its employees.

The guidance on Macs follows the theft Feb. 23 of an unencrypted NIH laptop that contained data on 2,500 patients participating in a clinical research project at the agency's National Heart, Lung and Blood Institute. The laptop PC was stolen from the locked trunk of an NIH employee’s vehicle while it was parked in Montgomery County, Maryland. NIH officials did not say whether the laptop was a Mac or Microsoft Windows-based computer.

In response to the theft, NIH restated that its policy and that of its parent agency — the Health and Human Services Department — is to encrypt all government laptop PCs, regardless of whether they contain sensitive or personally identifiable information. Contractor-owned laptop PCs that contain sensitive government information must also be encrypted under NIH’s policy.

An initial attempt to encrypt the stolen laptop resulted in data corruption and loss, said John Jones Jr., acting chief information officer and acting director of the Center for Information Technology at NIH. He added that the employee decided to wait until another process was available that would not alter the data.

After the theft, Jones said he directed NIH institutes and centers to recheck the status of their laptop PCs and verify by April 4 that they were encrypted, have a valid HHS waiver or have been taken out of service. His office has been analyzing the situation for weaknesses in operations and monitoring. Because Pointsec cannot support Mac laptops at this time, those machines were not included in the April 4 deadline.

“However, you must make sure that no Mac laptops contain sensitive government information” or personally identifiable information, the guidance states. NIH did not respond to calls requesting more information.

The Office of Management and Budget directed agencies to encrypt laptop PCs to protect personally identifiable information after the theft in 2006 of a Veterans Affairs Department laptop that put at risk the personal data of millions of veterans. The Federal Information Security Management Act and the Privacy Act require agencies to protect personally identifiable and other sensitive data.

In addition to Pointsec, NIH employees can use Microsoft BitLocker, which supports Windows Vista and meets Federal Information Processing Standard 140-2 for data encryption. Any other whole-disk encryption software that complies with FIPS 140-2 is acceptable, NIH officials said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.