How secure is a 'strong password'? Not very, experts say
Laptop containing health data of 33K N.W.T. residents was stolen in Ottawa
The computer skills of a laptop thief in Ottawa may be the only factor determining whether the health-care information of 33,000 Northwest Territories residents is compromised.
The laptop was stolen from a vehicle in Ottawa on May 9, according to the territory's health department. It contained data on patients and their health histories, covering approximately 80 per cent of the population.
For some, that information included their history of infectious disease.
Officials with the Department of Health and Social Services provided information about the breach on Thursday through a statement and teleconference. In both, they said the laptop was not encrypted, but it did contain a "strong password."
Experts weigh in
But how secure is a strong password?
"It might keep you and me out, if we were just clicking on the keys," explained Joe Mayer, the vice-president of Identos, a Toronto-based mobile security firm.
"Anyone with some level of sophistication could get into most systems that are only password-protected."
For Mayer, the issue involved in this breach is the lack of encryption on the device.
"It sounds like many of the right steps were taken, but one key piece was not," he said. "That's to encrypt the data, to encrypt the hard drive so that in the event this were to happen, no one would get access to the data itself."
Devices used by the health department are supposed to have that encryption. But the laptop stolen in Ottawa was part of a pilot program of new laptops, and either they were missed or the encryption process failed, according to a statement from the territorial government.
Failing to encrypt a device is like leaving an unlocked window in an otherwise secure house, explained Robert Biddle, a computer science professor at Carleton University in Ottawa.
"If someone can bypass the locked door and go in through a window, they can steal other things that you have there," he said.
"The alternative is if you've encrypted your hard drive ... even if they could bypass the password and crack the hard drive, there isn't much for them to do with it."
For both Mayer and Biddle, the key to protecting data is encryption and following through on keeping device security up to date.
Elaine Keenan-Bengts, the Northwest Territories' information and privacy commissioner, has been reporting on data breaches within the health department for years, making note of issues in annual reports.
The department notified Keenan-Bengts of the latest breach. She acknowledged that it's "disturbing that most of the N.W.T. is affected" by it and said she will be investigating what happened.
Though the department has a history of data breaches, its culture of protecting privacy is improving, she said.
"People who work in the health department are human," she said. "As long as humans work with data, there will be breaches."