Thursday, July 09, 2009

ALBERTA STOLEN GOVERNMENT COMPUTERS A WARNING

Stolen laptops a 'warning'

Watchdog questions security of Albertans' confidential health data

By Brent Wittmeier, Edmonton Journal, June 25, 2009

Alberta's information and privacy commissioner wants health data to be more secure after two laptops containing private information on 250,000 people were stolen earlier this month from a University Hospital research lab.

Commissioner Frank Work called the theft a "warning" of the potential risks of using portable devices such as laptops, memory sticks and hand-held computers to handle sensitive health information.

"We just got really lucky with this," said Work, after Alberta Health Services revealed the risk of thieves gaining access to the information was small. "This could have been a nightmare for those people.

"The lesson is, do what you got to do to get these devices protected."

Work said he is disappointed Alberta Health Services didn't know more about the laptops.

"This raises a whole lot of issues," Work said. "Do they know what's going on in their departments with other portable devices?"

The theft may provoke an evaluation of Alberta Health's policies on portable devices, including inventories of devices in use, maximum numbers of files allowed, and better awareness of exactly what data are stored on individual devices in case of a loss. Work suggested it may be necessary to reduce the number of portable devices.

"Maybe we've got to start looking at why we're using some of these devices in the first place."

The missing laptops were secured to desks in the locked provincial lab information technology room at the University Hospital when they were stolen June 4.

250,000 TEST SAMPLES

Alberta Health Services said the hard drives contained random samples of 250,000 lab tests for communicable and reportable diseases, monitored by the province for potential outbreaks. While not complete health records, the data contained sensitive information, including patient names and personal health numbers.

Officials say the risk of thieves actually accessing the data is extremely low since the laptops are protected by passwords and security software.

"The public should not be concerned," said Bill Trafford, chief information officer of Alberta Health Services. "We believe there's very very low risk of any information on those devices being made accessible to anybody else."

Trafford said the laptops were protected by a "recent but not brand new version of encryption," which has been tested by third-party security experts. While it's not the latest encryption software currently being installed on department computers, Trafford described the protection as "very solid."

The announcement of the thefts was necessary in case the information gets out, particularly since it's unknown which health numbers were on the computers, he said.

"We can't know who's on that list since it was randomly selected. Like any other financial systems, other systems, people need to be aware that their identity, their numbers can be used."

Alberta's auditor general echoed Work's concerns, calling the theft a reminder of the importance and difficulty of data security.

"It's another example of why the organizations have to pay attention to information technology security," Fred Dunn said.

His office has warned the province about data security for three years. It released a report last October criticizing "significant weaknesses" in the province's information systems.

While Dunn reiterated his call for better software and physical security, he said data encryption only gets you so far.

"It's a bit of a false security to think that no one will be able to interpret this," said Dunn, who is also the auditor for the University of Alberta. "There are very skilled individuals out there who can interpret data from virtually any source."
