Our ITAD firm works with many health care organizations that employ encryption and “LoJack” tracking technology to protect and recover electronic Personal Health Information (“PHI”) stored on laptops in use at their facilities. These tools are very effective at mitigating the risk of data breach events, since most reported breaches of data from physical devices are the result of lost or stolen laptops.
Encryption is the process of encoding messages (or information) in such a way that third parties cannot read them, and only authorized parties can. In an encryption scheme, the information is scrambled using an encryption algorithm and a secret value (typically referred to as an encryption key), turning it into unreadable ciphertext. If information stored on a laptop or a computer is encrypted, only someone who knows the secret key can read what it says.[i]
To be effective at protecting data on hard drives, encryption must be implemented and managed properly. First, the encryption software must be installed prior to storing any sensitive data on the drive. Files are only encrypted once the software is installed, so previously saved files would not be secured through encryption. Next, encryption software is only effective at protecting data if the computer is powered off. If a computer is seized while running, there are readily available processes that sophisticated adversaries could use to read the data regardless of encryption.[ii] Also, the password entered by a user to access the encrypted files must be sophisticated enough to thwart hackers; otherwise this security measure is ineffective. Finally, there are tools that might recover the encryption key using side-channel attacks based on semiconductor memory data remanence,[iii] though it is highly unlikely a random thief would have access to or interest in such a process.
In the event a laptop is stolen, misplaced or misappropriated, a tracking technology called “LoJack” can locate the device whenever it accesses the Internet. This technology involves the installation of a Computrace Agent in the BIOS of the machine using the company’s patented persistence technology, which is difficult to detect and virtually tamper-proof. The laptop and Computrace Agent are tracked at a third-party monitoring center, which receives reports at regular intervals on the physical location of the device.[iv] If an organization suspects a laptop is missing, it can use the service to locate the device and work with law enforcement authorities to recover it. In addition, organizations can receive alerts from the service if they believe a laptop was destroyed or assigned to a particular location and the monitoring service receives a signal from the Computrace Agent indicating the device is located somewhere other than expected. LoJack also includes features to initiate a remote wipe of a computer’s hard drive.
There are some limitations to this tracking software. A thief could still access the data on the device if a drive is not protected with a password and/or encryption. The drive could also be removed from the laptop and recovered in a separate machine – the hard drive itself is not tracked, just the BIOS chip on the motherboard of the machine that includes the tracking agent.
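The alerting described above (a device recorded as destroyed, or assigned to one site, that reports from somewhere else) can be sketched as a reconciliation of the asset register against agent check-ins. This is an added example, not the tracking vendor's code or API; the record fields, site names and 14-day silence threshold are assumptions, and all data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are hypothetical, not a vendor export format.
REGISTER = {
    "LT-001": {"status": "in_service", "site": "Main Hospital", "encrypted": True},
    "LT-002": {"status": "in_service", "site": "Clinic East", "encrypted": False},
    "LT-003": {"status": "destroyed", "site": None, "encrypted": True,
               "destroyed_on": datetime(2024, 3, 1)},
    "LT-004": {"status": "in_service", "site": "Main Hospital", "encrypted": True},
}
CHECKINS = [  # (asset id, time the report was received, reported location)
    ("LT-001", datetime(2024, 3, 10, 9, 0), "Main Hospital"),
    ("LT-002", datetime(2024, 3, 10, 9, 5), "Unknown residential ISP"),
    ("LT-003", datetime(2024, 3, 9, 22, 30), "Unknown residential ISP"),
]

def reconcile(register, checkins, now, max_silence=timedelta(days=14)):
    """Return sorted (asset_id, severity, reason) alerts."""
    alerts, last_seen = [], {}
    for asset_id, seen_at, site in checkins:
        last_seen[asset_id] = max(seen_at, last_seen.get(asset_id, seen_at))
        asset = register.get(asset_id)
        if asset is None:
            alerts.append((asset_id, "high", "check-in from device not in register"))
        elif asset["status"] == "destroyed":
            # A device with a destruction record should never report again.
            if seen_at > asset["destroyed_on"]:
                alerts.append((asset_id, "high", "check-in after recorded destruction"))
        elif site != asset["site"]:
            # Tracking does not protect the data: an unencrypted drive is readable.
            sev = "medium" if asset["encrypted"] else "high"
            alerts.append((asset_id, sev, f"seen at {site!r}, expected {asset['site']!r}"))
    for asset_id, asset in register.items():
        if asset["status"] != "in_service":
            continue
        seen = last_seen.get(asset_id)
        # Reports arrive at regular intervals, so prolonged silence is itself a signal.
        if seen is None or now - seen > max_silence:
            alerts.append((asset_id, "medium", "no recent check-in"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in reconcile(REGISTER, CHECKINS, now=datetime(2024, 3, 11)):
        print(alert)
```

Because only the agent on the motherboard reports, a silent or correctly located laptop says nothing about a drive that has been removed from it.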
By installing drive encryption and device tracking software on computers and laptops in use at hospitals and other sites, organizations dramatically reduce the likelihood of a breach of PHI. Still, the use of technology is not enough, on its own, to mitigate this risk. A layered approach of technology, security procedures, access controls, and employees trained to use this security system effectively is critical.
In addition, data still reside on computers in use, regardless of whether they are encrypted or tracked. In order to eliminate the risk of a data breach, the information stored on data-bearing devices must ultimately be destroyed when the devices are disposed of.