Nov. 18, 2005 at 11:00 AM ET
It was just a tiny thumb drive, but now, it's a pretty big problem for a Hawaii hospital. And what happened there could eventually become a problem for you, too.
Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives -- and now, according to a letter sent home, the drive was missing.
The device had been misplaced in early October, and hasn't been heard from since, said hospital spokeswoman Lani Yukimura. While medical information was not on the device, it would be a treasure trove for an ID thief who found it. Once plugged into any computer's USB port, a finder would have access to about as many identities as ChoicePoint Inc. leaked to criminals last year. So why has the Wilcox incident gotten so little attention?
The Hawaii hospital's lost thumb drive passed by largely unnoticed. Perhaps it was because Hawaii flies a bit under the radar of the mainland. Or it may just be that people are tired of this kind of news. After all, according to a survey conducted by the Ponemon Institute recently, about 1 in 9 adults received a letter in the mail this past year saying their data had been lost or stolen. So what's another 120,000?
But the Hawaii story is a bit different from other data leaks you've heard about. It signals the next big headache looming for both consumers and the people who try to keep our data safe -- something called "endpoints" in the security industry. Laptops, Palm pilots, PocketPC phones, and yes, those marvelous little thumb drives.
It's fine to spend millions of dollars protecting a network from hackers -- but what about all that data that goes walking out the door every night? What about those laptops left in taxis, or the whiz-bang cell phones left on airplanes? Those thoughts keep security professionals awake at night, and maybe you too.
My Blackberry, my self
"This is a really big issue," said Avivah Litan, security analyst at Gartner. "It's really just an unwieldy situation right now."
And unlike many potential security vulnerabilities that are discussed in geek circles, this one is not theoretical. Think about those wonderful Blackberry devices, for example. What if you lost yours?
Two years ago, a wayward Blackberry that belonged to a former Morgan Stanley executive ended up on eBay. How do we know it was from a Morgan Stanley executive? Because the buyer found 200 company e-mails and 1,000 contacts still on it.
Credant Technologies is one of a small army of companies that have begun focusing on this issue. The firm surveyed corporate Americato see how extensive the problem of lost devices is. Their findings, while self-serving, ring true.
Bob Heard, CEO of Credant, said that on average, a company with 1,000 employees loses 1 laptop each week.
Credant's survey of those who had lost laptops indicated that 82 percent were never recovered. It's not clear how many of those machines had customers' personal information on them, but 90 percent had "critical data," according to the survey.
Heard, himself a former identity theft victim, thinks the problem is out of hand.
"The problem has been expanded from a protection of data standpoint to a social issue," he said.
Devices that call for help
Other numbers paint a similarly bleak picture. Safeware, an insurance company, says more than 600,000 laptops were lost of stolen during 2004. Laptop/device theft was the most commonly-reported attack in the 2005 Computer Security Institute/FBI Computer Crime & Security Survey-- outpacing denial of service attacks, computer virus attacks, insider theft, and other "sexier" problems. About three-quarters of companies that responded to the FBI survey said they'd suffered a laptop or device theft in the past twelve months.
There are technologies being designed to combat the problem. Numerous firms are experimenting with "phone home" technology that tells a missing laptop or phone to send a beacon the moment it's connected to the Internet. Using a variety of geo-location technologies, firms and law enforcement agencies can hunt down the missing hardware.
But recovering the device doesn't ensure that critical data -- like the names of 120,000 hospital patients -- won't already be compromised. For that, password-protection and encryption are being tried. But those strategies have their flaws, too, Litan says. A database on a laptop might be encrypted, only for use by the owner -- but that person might run a report from the database and put it on a thumb drive for a presentation, a typical scenario.
There's really no way to keep someone from running reports on spreadsheets and databases in laptops, unless the database is completely locked up. In which case: Why have the laptop?
Best defense: Luck
Right now, your best defense is luck. Lose your laptop in a taxi, hopefully the finder will be more interested in fencing it for $50 than downloading the data. Using the simple password protection on your mobile device is worth the trouble because the odds are in your favor that the finder won't be a computer expert with a password-cracking program at hand.
Of course, he or she might be.
As for companies, there are a patchwork of federal regulations that mandate data be handled with better care: the Graham-Leech-Bliley Act for banks, HIPPA (The Health Insurance Portability and Accountability Act) for hospitals, among others. These laws are supposed to provide both guidelines and a deterrent to bad practices. For example, federal agencies can fine companies for carelessness.
Should a hospital, for example, be able to place 120,000 identities on a thumb drive, lose it, and get away with a simple "I'm sorry" letter? Or should there be some penalty for the hospital's failure to encrypt their customers data before putting it on so portable a device?
A future Red Tape Chronicles entry will discuss how often such fines are levied, but I'll bet you can guess the answer.