NIH bars sensitive data from Mac laptops

The National Institutes of Health has blocked employees from working with sensitive information on Apple Macintosh laptop PCs because NIH’s approved full-disk encryption software cannot be installed on them.

Check Point Software Technologies’ Full Disk Encryption (formerly Pointsec PC) only supports Microsoft and Linux operating systems, but it is in beta testing for Mac laptops, according to information about data encryption NIH posted online for its employees.

The guidance on Macs follows the theft Feb. 23 of an unencrypted NIH laptop that contained data on 2,500 patients participating in a clinical research project at the agency's National Heart, Lung and Blood Institute. The laptop PC was stolen from the locked trunk of an NIH employee’s vehicle while it was parked in Montgomery County, Maryland. NIH officials did not say whether the laptop was a Mac or Microsoft Windows-based computer.

In response to the theft, NIH restated that its policy and that of its parent agency — the Health and Human Services Department — is to encrypt all government laptop PCs, regardless of whether they contain sensitive or personally identifiable information. Contractor-owned laptop PCs that contain sensitive government information must also be encrypted under NIH’s policy.

An initial attempt to encrypt the stolen laptop resulted in data corruption and loss, said John Jones Jr., acting chief information officer and acting director of the Center for Information Technology at NIH. He added that the employee decided to wait until another process was available that would not alter the data.

After the theft, Jones said he directed NIH institutes and centers to recheck the status of their laptop PCs and verify by April 4 that they were encrypted, had a valid HHS waiver or had been taken out of service. His office has been analyzing the situation for weaknesses in operations and monitoring. Because Pointsec cannot support Mac laptops at this time, those machines were not included in the April 4 deadline.

“However, you must make sure that no Mac laptops contain sensitive government information” or personally identifiable information, the guidance states. NIH did not respond to calls requesting more information.

The Office of Management and Budget directed agencies to encrypt laptop PCs to protect personally identifiable information after the theft in 2006 of a Veterans Affairs Department laptop that put at risk the personal data of millions of veterans. The Federal Information Security Management Act and the Privacy Act require agencies to protect personally identifiable and other sensitive data.

In addition to Pointsec, NIH employees can use Microsoft BitLocker, which supports Windows Vista and meets Federal Information Processing Standard 140-2 for data encryption. Any other whole-disk encryption software that complies with FIPS 140-2 is acceptable, NIH officials said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
