#48999
10/05/2012 8:04 AM
Joined: Oct 2011
Posts: 1,612
Member (OP)
Keep those laptops encrypted!!
Physician's Stolen Laptop Leads to $1.5 Million Settlement--this article appeared in Medscape today
jimmie internal medicine gab.com/jimmievanagon

Joined: Jun 2009
Posts: 1,811
Member
Yep - full disk encryption is free/cheap, and worth the trouble.
Most losses aren't going to be this disruptive and costly, but I do know of a certain large healthcare company that brought in a team of pros to encrypt every laptop in their organization within 60 days after they had had laptops stolen and their CEO was summoned to DC to answer questions.
Cost them millions to remediate their problem.

Joined: Sep 2009
Posts: 2,976 Likes: 5
Member
Indy, is there an easy, inexpensive way to do this? I don't have AC on the laptop itself, so no patient data is on the internal drive, but if I wanted to encrypt, what would you suggest?
Jon GI Baltimore
Reduce needless clicks!

Joined: Jun 2009
Posts: 1,811
Member
> Indy, is there an easy, inexpensive way to do this? I don't have AC on the laptop itself, so no patient data is on the internal drive, but if I wanted to encrypt, what would you suggest?

Inexpensive - yes.
Easy - that is a relative term for me (or you). I would say it is easy; it just takes a few steps and attention to detail. If you think there is sufficient interest (or should be), I can spell it out.

I'll mention in passing that there are tools to encrypt portions of your disk, but that misses the point of what most bad actors are targeting. For those who target more affluent individuals/households, they are more interested in your browser and remote software than your patient data. A browser (or remote access) with saved passwords is like a master-key to all of your information and accounts. Scary. That is why I recommend an encryption tool like LastPass to vault your credentials.

I'll also mention that on the enterprise side we have been brought in to deal with patient data theft, and that is often done with something more sophisticated like a spear-phishing attack. Not typical of how solo-small group practices are breached.

Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
Windows 7 Ultimate/Enterprise has full disk encryption with BitLocker.
There's also the free TrueCrypt as well.

Joined: Jun 2009
Posts: 1,811
Member
To a bad actor, nothing says "Buzz Off" when they open a laptop and expect the nice Windows log-on screen, and instead get a terse interface that says please provide credentials to decrypt.
Priceless.

Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
Since a lot of people put everyone in the security permissions, it's probably easier to get on the wireless network and grab the data rather than stealing a computer. That's the preferred method nowadays.

Joined: Feb 2011
Posts: 679 Likes: 1
Member
Why not just use the fingerprint reader to lock down the laptop?
Donna

Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
Ha, that won't help. Doesn't matter how complicated the Windows password is, it can be removed in minutes. They should do a demo at the ACUC.

Joined: Oct 2011
Posts: 1,612
Member (OP)
> Since a lot of people put everyone in the security permissions, it's probably easier to get on the wireless network and grab the data rather than stealing a computer. That's the preferred method nowadays.

Any suggestions on wireless network passwords, or is it the same logic as any password?
jimmie internal medicine gab.com/jimmievanagon

Joined: Jun 2009
Posts: 1,811
Member
>> Since a lot of people put everyone in the security permissions, it's probably easier to get on the wireless network and grab the data rather than stealing a computer. That's the preferred method nowadays.

> Any suggestions on wireless network passwords, or is it the same logic as any password?

If you are talking about securing your wireless network, lock it down to the MAC IDs of the devices that are practice devices. Then set a 26 character (or your max length) password your device supports. Also WEP != security - takes seconds to hack.

Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
Indy is completely right. WPA2/(EAP/RADIUS) is your best bet to avoid hackers trying to get in on the wireless. EAP/RADIUS is the method typically used for business wireless networks. Has controlled credentials like usernames and passwords instead of a pre-shared key.
Definitely listen to Indy and avoid WEP. It's extremely simple to hack. Unfortunately, it's still widely used.

Joined: Dec 2009
Posts: 1,194 Likes: 8
Member
> Ha, that won't help. Doesn't matter how complicated the Windows password is, it can be removed in minutes. They should do a demo at the ACUC.

I'm afraid I'm going to have to take issue with that remark. I know of a few laptops right now you'll never get into - at least not within our lifetimes.
JamesNT

Joined: Oct 2011
Posts: 1,612
Member (OP)
Thanks Indy, Sandeep, and JamesNT--you guys are great!!!
jimmie internal medicine gab.com/jimmievanagon

Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
> Doesn't matter how complicated the Windows password is, it can be removed in minutes.

I was referring to the Windows password as the sole means of authentication. Can easily be removed in minutes.

Joined: Dec 2009
Posts: 1,194 Likes: 8
Member
I know what you were referring to. The issue is that if a Windows system is properly configured, if you remove the Windows password - or change it - using a third party tool then files that account has access to become unreadable if encrypted with EFS - a built-in Windows tool.
Lastly, the vast majority, if not all, ways to remove or change the Administrator password - to my knowledge - require physical access to the machine in question.
JamesNT
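
A simplified model of the EFS point in the post above, added here as an illustration; it is not from the thread and is not Windows' actual EFS/DPAPI code. It shows why a normal password change keeps encrypted files readable while an offline reset that only overwrites the logon verifier does not. All function names, the SHA-256 verifier and the PBKDF2/HMAC key wrapping are assumptions standing in for the real mechanisms.

```python
import hashlib, hmac, os

def _kek(password, salt):
    # Key-encryption key derived from the logon password (assumed stand-in KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _pad(kek):
    return hmac.new(kek, b"enc", hashlib.sha256).digest()

def _tag(kek, wrapped):
    return hmac.new(kek, b"mac" + wrapped, hashlib.sha256).digest()

def wrap(file_key, password):
    """Protect the 32-byte file key under a key derived from the password."""
    salt = os.urandom(16)
    kek = _kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(file_key, _pad(kek)))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(kek, wrapped)}

def unwrap(blob, password):
    """Return the file key, or None when the password is not the one that wrapped it."""
    kek = _kek(password, blob["salt"])
    if not hmac.compare_digest(_tag(kek, blob["wrapped"]), blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], _pad(kek)))

def _verifier(password):
    return hashlib.sha256(password.encode()).digest()  # stand-in for the stored logon hash

def new_account(password, file_key):
    return {"verifier": _verifier(password), "key_blob": wrap(file_key, password)}

def logon_ok(account, password):
    return hmac.compare_digest(account["verifier"], _verifier(password))

def change_password(account, old, new):
    """Normal change: the old password unlocks the key so it can be re-wrapped."""
    key = unwrap(account["key_blob"], old)
    if key is None:
        raise ValueError("old password incorrect")
    account["verifier"], account["key_blob"] = _verifier(new), wrap(key, new)

def offline_reset(account, new):
    """Third-party reset: overwrites the logon verifier only; the key blob stays as it was."""
    account["verifier"] = _verifier(new)

def demo():
    key, old, new = os.urandom(32), "constructed-old-pw", "constructed-new-pw"
    changed, reset = new_account(old, key), new_account(old, key)
    change_password(changed, old, new)
    offline_reset(reset, new)
    return {"changed_logon": logon_ok(changed, new),
            "changed_key_ok": unwrap(changed["key_blob"], new) == key,
            "reset_logon": logon_ok(reset, new),
            "reset_key_ok": unwrap(reset["key_blob"], new) == key}
```

In the reset case the new password logs on, but the file key is unrecoverable, so anything encrypted under it stays unreadable; files that were never encrypted get no such protection.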

Joined: Apr 2011
Posts: 2,316 Likes: 2
G Member
> The issue is that if a Windows system is properly configured, if you remove the Windows password - or change it - using a third party tool then files that account has access to become unreadable if encrypted with EFS - a built-in Windows tool.

I'm aware ha. That's why I keep saying as the sole means of authentication. How many off the shelf laptops come with disk encryption enabled/"properly configured"? Very very few.

> Lastly, the vast majority, if not all, ways to remove or change the Administrator password - to my knowledge - require physical access to the machine in question.

That's what the entire thread is about. We are discussing laptop theft and measures you can take to secure your computer. Even so remote attacks are pretty common these days. A little VNC backhook and the hacker can see everything you see. Take over when you go to sleep.

Joined: Dec 2009
Posts: 1,194 Likes: 8
Member
Sandeep,
Quite correct on all points. I missed the "sole means of authentication" part. Apologies.
Security is a journey, not a destination. Unfortunately, most people see it as a turn to avoid altogether.
JamesNT