NIH bars sensitive data from Mac laptops

The National Institutes of Health has blocked employees from working with sensitive information on Apple Macintosh laptop PCs because NIH’s approved full-disk encryption software cannot be installed on them.

Check Point Software Technologies’ Full Disk Encryption (formerly Pointsec PC) only supports Microsoft and Linux operating systems, but it is in beta testing for Mac laptops, according to information about data encryption NIH posted online for its employees.

The guidance on Macs follows the theft Feb. 23 of an unencrypted NIH laptop that contained data on 2,500 patients participating in a clinical research project at the agency's National Heart, Lung and Blood Institute. The laptop PC was stolen from the locked trunk of an NIH employee’s vehicle while it was parked in Montgomery County, Maryland. NIH officials did not say whether the laptop was a Mac or Microsoft Windows-based computer.

In response to the theft, NIH restated that its policy and that of its parent agency — the Health and Human Services Department — is to encrypt all government laptop PCs, regardless of whether they contain sensitive or personally identifiable information. Contractor-owned laptop PCs that contain sensitive government information must also be encrypted under NIH’s policy.

An initial attempt to encrypt the stolen laptop resulted in data corruption and loss, said John Jones Jr., acting chief information officer and acting director of the Center for Information Technology at NIH. He added that the employee decided to wait until another process was available that would not alter the data.

After the theft, Jones said he directed NIH institutes and centers to recheck the status of their laptop PCs and verify by April 4 that they were encrypted, have a valid HHS waiver or have been taken out of service. His office has been analyzing the situation for weaknesses in operations and monitoring. Because Pointsec cannot support Mac laptops at this time, those machines were not included in the April 4 deadline.

“However, you must make sure that no Mac laptops contain sensitive government information” or personally identifiable information, the guidance states. NIH did not respond to calls requesting more information.

The Office of Management and Budget directed agencies to encrypt laptop PCs to protect personally identifiable information after the theft in 2006 of a Veterans Affairs Department laptop that put at risk the personal data of millions of veterans. The Federal Information Security Management Act and the Privacy Act require agencies to protect personally identifiable and other sensitive data.

In addition to Pointsec, NIH employees can use Microsoft BitLocker, which supports Windows Vista and meets Federal Information Processing Standard 140-2 for data encryption. Any other whole-disk encryption software that complies with FIPS 140-2 is acceptable, NIH officials said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.