February 4, 2008

FCHP Laptop Theft Has Lessons For Businesses

Eric Schultz, president and CEO of Fallon Community Health Plan.
How to make sure your customer data is safe

Laptops are a godsend to many businesses, particularly those in the health care industry, thanks to their ever-shrinking size and ever-increasing computing power.

But with the portability of laptops comes a very scary downside, one that Worcester-based Fallon Community Health Plan just became intimately aware of.

That's because an FCHP laptop containing unencrypted personal information on nearly 30,000 of its members was recently stolen, forcing the company to disclose the breach publicly and notify those whose personal information might be vulnerable. It's an embarrassing turn of events, but more importantly it's a costly one. The HMO has made thousands of phone calls to members, paid to have the credit reports of affected members monitored for one year through Equifax, and could face repercussions from the Centers for Medicare and Medicaid Services, which is reportedly investigating the incident.

Get It Together


Many in the IT security industry are left shaking their heads at the latest data breach news.

"I guess the thing we wonder in the security industry is when will these people learn?" asked Sally Hudson, an analyst for the Framingham-based IT research firm IDC.

But Eric Schultz, president and CEO of FCHP, said his company is taking full responsibility for the breach and has long understood the importance of security when it comes to sensitive electronic data.

"Technology is a paradox," he said. "On the one hand, it's so powerful and important that it does play a role in making health care more efficient and affordable, but on the flip side there is an inherent risk that comes with it."

In the case of the FCHP breach, a laptop containing members' private information was stolen from a "third-party vendor" of FCHP's in Boston. While FCHP has a policy insisting all laptops are encrypted for security and password protected, neither was true at the time the laptop was stolen.

The police in Boston are investigating the theft. As of the press deadline for this publication, no arrests had been made.

FCHP is not the first insurer to deal with the embarrassing disclosure of such an incident. In April 2006, Hartford, Conn.-based insurer Aetna reported that a laptop with information on about 38,000 of its members had been stolen out of an employee's car. In that case, the laptop was protected by a "strong password authentication" system.

Schultz said FCHP took notice of Aetna's experience in 2006 and applied some important lessons from that case.

"When that Aetna issue occurred, that was a catalyst for us to examine our own policy," he said. In particular, he said FCHP began limiting who within the company could be assigned a laptop.

"We retracted the use of laptops from a large percentage of our workforce," he said. "And we make everyone that uses a laptop go through an education process and sign documentation that they agree on how to use it."

Lessons Learned


Michelle Drolet, CEO of IT security firm Towerwall in Framingham (formerly known as Conqwest), said there are several ways business owners can learn from the FCHP situation.

First, she said that "data should never reside on laptops." All data, she said, should be stored centrally, and employees with laptops should have to tap into that central server. That way, if a laptop is stolen, the thief can't get at the data if the company's network is encrypted.

Drolet also recommends "social engineering," or training employees on how to handle equipment with sensitive data.

And while it might sound like something out of Mission Impossible, Drolet said biometrics - which is technology that uses fingerprint or retinal scans as identification - can be used to prevent ne'er-do-wells from accessing information on a laptop.

"Biometrics really do work," she said. "Most of the time people are using the fingerprint scanners."

The theft of FCHP's laptop also shows that most often, data compromises aren't terribly complicated, according to Hudson.

"We spend a lot more time trying to thwart hackers, but people forget, very often the security breaches are very low-tech," she said.

As for FCHP, Schultz said now that its affected members have been notified, the company will begin to "look at our own policies and procedures to see what we can do to minimize risk exposure in the future."
