Stolen Washington Redskins Laptop Had Thousands of Medical Records

They may have won the NFC East division last year, but the Washington Redskins really need to get their heads in the game. The security game, that is.

A trainer’s laptop has been stolen, containing thousands of records for the NFL team’s players going back 13 years, all containing password-protected, but unencrypted, medical data.

The situation is, alas, not uncommon; the theft of laptops containing unencrypted medical records is an ongoing problem and one of the top categories of HIPAA breach disclosures to the US Department of Health and Human Services.

"It seems almost inevitable that if you put unencrypted confidential data on a laptop it will be stolen,” Tim McElwee, president of Proficio, told Infosecurity. “The solution is simple—stop doing this."

At the very least, if one must do this, then it’s important to follow best practice and encrypt all sensitive personal data throughout its lifecycle: as it enters a system, at rest, in use and in motion.

"This incident clearly indicates how important it is to encrypt data at rest, especially when mobile devices (laptops, tablets, phones) are involved,” Giovanni Vigna, Lastline CTO and co-founder, said via email. “Password protection can prevent the occasional onlooker from accessing the data, but if a disk can be removed or a whole device stolen, only disk encryption can protect the data."

Luther Martin, HPE distinguished technologist, HPE Security-Data Security, added, “The ability to neutralize a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure.”

Unfortunately for the players, headaches are likely to ensue from the breach. “Medical information is the new data gold mine for attackers,” Martin said. “The data is lucrative, often unprotected, and useful for all types of fraud including medical and identity fraud.”

As such, the hit was likely a very intentional one—rather than an opportunistic grab.

Michael Magrath, current chairman of the nonprofit Healthcare Information Management Systems Society (HIMSS) Identity Management Task Force, and director of Healthcare Business, VASCO Data Security, noted that “this is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League. Teams secure and protect their playbooks and need to apply that philosophy to securing their players' medical information.”

Photo © Stepan Kapl