NIH to crack down on encryption

The director of the National Institutes of Health has notified employees to expect random computer audits as the agency works to ensure full compliance with its security policies. NIH discovered that a stolen laptop PC belonging to NIH contained medical data and Social Security numbers of 1,200 patients involved in medical research.

The theft of the unencrypted laptop was a major violation of NIH’s commitment to protect the confidentiality of patients, Dr. Elias Zerhouni, the agency’s director, said in a memo sent to all NIH employees.

NIH originally believed that no Social Security numbers were on the missing laptop, but an investigation of backup files proved otherwise. NIH is sending letters to notify those who might be affected. NIH is offering free credit monitoring and insurance for as much as $20,000 in losses for patients affected by the incident, an NIH spokeswoman said.

“It is important that we do everything possible to reassure the public and our patients that we all take our responsibility regarding protection of sensitive data from loss or misuse extremely seriously in an age of increasing sophistication in information technologies,” Zerhouni said.

The new security precautions follow the theft of an unencrypted NIH laptop in February. The computer contained information about more than 3,000 patients in a clinical research project at NIH’s National Heart, Lung and Blood Institute.

The stolen laptop violated a federal policy that requires agencies to encrypt mobile devices that contain personal information. The policy of NIH and its parent, the Health and Human Services Department, is to encrypt all government laptops with approved encryption software, whether or not the PCs contain sensitive or personal information, Zerhouni said.

Employees also must encrypt portable media, such as flash drives, if they contain sensitive government data. NIH’s information technology employees have encrypted nearly 11,000 laptops, Zerhouni said.

The disk encryption software must meet the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2. Encryption packages meeting that standard are available for Microsoft Windows and Linux operating systems. A separate package is under review for the Apple Macintosh operating system.

The agency has prohibited employees from using sensitive information on Apple Macintosh laptops because NIH’s encryption software from Check Point cannot be installed on them, said John Jones, NIH’s chief information officer and acting director of the Center for IT. NIH has about 4,500 Mac laptops, but only some contain sensitive data.

Check Point’s Pointsec encryption for Mac laptops is in testing, said David Vergara, product marketing director of data security products at Check Point. He said he expects it to be ready in a few weeks.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
