Posted on 04/05/2008 9:21:25 PM PDT by Swordmaker
Employees who store medical records on laptops must use systems that run either on Microsoft's Windows operating system or Linux.
In the wake of a widely publicized security breach that left thousands of patient records exposed, the federal government's National Institutes of Health is forbidding all employees who use Apple's MacBook laptops from handling sensitive data as of Friday, InformationWeek has learned. Employees at the health agency who store medical records and other personal information on laptops must use systems that run either on Microsoft (NSDQ: MSFT)'s Windows operating system or Linux, according to an agency memo.
Those systems must be equipped with Check Point Software (NSDQ: CHKP)'s Pointsec encryption tool as of April 4, according to an NIH mandate. Systems running Windows Vista can also use Vista's built-in BitLocker disk encryption tool.
NIH imposed the no-MacBooks rule because there is no Apple-compatible version of Pointsec. To date, Check Point has only released a beta version of Pointsec for Macs that's not yet ready for government use.
"Computers that cannot be encrypted by Pointsec at this time (e.g., Macs) are waived from the encryption mandate, but only with the stipulation that they do not contain any PII or sensitive government information," the NIH Office of Research Services said in a memo to NIH staff. PII refers to personally identifiable information.
NIH said it's been given no estimate as to when a final version of Pointsec for Macs may become available. It was not immediately clear how many Apple MacBooks are in use at the NIH. It also wasn't clear whether the ban extends to the whole of the U.S. Department of Health And Human Services, of which NIH is a part.
An NIH spokesman did not immediately respond to an inquiry seeking more information.
The MacBook ban applies to in-house NIH workers and also to contractors employed by the agency to handle sensitive data, according to the memo.
NIH employees who use laptops that are permanently anchored to a desk or research equipment can ask for an exemption from the encryption mandate as long as they place a "Do Not Remove" sticker on their machines.
NIH's decision highlights one of the biggest challenges facing Apple as it seeks to make greater inroads against Microsoft in the business and government computing markets. Commercial software developers have little incentive to port business applications to the Mac because the platform holds only a tiny share of the business computing market.
NIH imposed the April 4 deadline in the wake of an embarrassing incident in February in which a laptop containing records on 2,500 patients enrolled in a medical study was stolen. The laptop was not encrypted, despite a 2-year-old federal policy that mandates encryption on government systems.
NIH did not disclose the type of laptop that was stolen. Apple officials were not immediately available for comment.

If you want on or off the Mac Ping List, Freepmail me.
This makes me feel just so much more secure.
Does anyone know what the brand of notebook stolen recently was?
“Systems running Windows Vista can also use Vista’s built-in BitLocker disk encryption tool.”
WTF?
Guess nobody pointed out to the idiots that they could have used the built in OS X feature “FileVault” and been just as secure.
Idiots.
I guess they’re afraid that their people are dumb enough to go to a website they’ve been told to visit, download a specified file that they have no prior knowledge of, and then install the application on their MacBook.
I’d be worrying about more than the security of the computer if I had people like that working on sensitive material.
Sounds like red tape. A software company won a contract, and now to justify the contract they have to use the software, which coincidentally has no Mac version.
US Health Agency demonstrating typical government incompetence.
Nope. If you re-read the top of the thread, the software is simply in beta, meaning that it hasn't yet been officially released. Your response is similar to those who get pissed off at software vendors who had software that worked with Win2K/WinXP, but no longer works with Vista.
I'm not an expert on Macs, however there are a number of software packages that no longer work with the current version of OS-X. For example, the CEO of my company decided that he needed one of the brand new MacBook AIR laptops. The data files on our corporate network are stored on a Novell file server, and unfortunately, the Novell Client software for OS-X simply doesn't work with the latest version - The manufacturer is working on a new version of the client (for security purposes, CIFS and NFS are disabled on the Novell server - we require NCP packet signature). In a nutshell, what this means is that he can't access his files on the network from the MacBook Air until the new client comes out.
Security is often a pain. The company I work for requires that all mobile devices (laptops, smartphones) be encrypted.
Mark
Doesn’t Leopard have a built-in encryption program? Pretty sure I’ve run across it poking around in my Mac Book.
Doesn’t Leopard have a built-in encryption program? Pretty sure I’ve run across it poking around in my Mac Book.
True. The issue would be a bureaucratic one as to whether government security types accept File Vault as meeting their standards. But considering that there is no way of actually proving the security of an encryption technique (but only of proving the insecurity of such technique), and considering the consequences which can flow from the failure of encryption, caution is a rational response. Whoever made this decision had to cover himself, and guarantee that he would not be responsible for a security breach which occurred because he allowed nonstandard security measures.
Whether or not the File Vault system is in actual fact equal to or better than the approved Pointsec encryption method. Fact of life.
Frankly, I don’t understand why any sensitive material is on a laptop to begin with.
Heck, I do online banking and NEVER from my laptop. And my laptop spends 99.9% of its life sitting on the floor in my house.
If I were in charge, the people would have to plug their laptops into an external hard drive while in the office and not be able to download any sensitive file onto their machines, period.
Idiocy. The “widely publicized breach” is, of course, unexamined by the media and apparently by the systems admins who made this astonishing directive. Dig deeper and you’ll find a little more to the story:
1) The Mac vulnerability had been snagged by the winning hacker months before. Rather than report it to Apple, he (dishonorably) kept it in his hip-pocket. He built a web-page to exploit it, and when his turn in the PWN 2 OWN competition came, he used it. (In the previous competition, it took nine hours to break the Mac.)
2) The prize for cracking a computer was a bit of cash ...plus the computer. By far the hottest of the computers in the contest was the wafer-thin Macbook Air. There was a veritable pile-on of hackers who lusted for that machine and wanted to take it home. This early and intense enthusiasm might have skewed the results.
3) Several comments were made that there are dozens of known vulnerabilities to Linux, but no one has wanted to invest the time to exploit them. Why’s that? (Full disclosure: I’m a Linux fan and am running Linux as I post this.)
4) The winning Macbook Air hacker, Charlie Miller, uses... a Mac [http://dvlabs.tippingpoint.com/img/charlie_miller.jpg]
Meanwhile, the sysadmins in the current story are idiots, plain and simple.
Actually, what you're describing is "ass-backwards" and it's a failure in management, not procurement. The way things are done, at least if you want them to work properly, is to evaluate your needs, determine which software is required to satisfy those needs, and then select the platform upon which to run that software. The simple fact is that if the government agency had selected Checkpoint software, and if there was no version for OS-X, then laptop users within that agency should not have been issued systems that used OS-X. Plain and simple.
When someone in the company I work for states that they need to make something work, say on a new home computer with Vista, the answer is the same. "We do not currently support Vista." In the case of security software, if someone violates the policy, they get a written reprimand the first time, and terminated the second.
Mark
I was mistaken. I had assumed that PointSec worked with earlier versions of OS-X, and that it was only the latest version of OS-X that didn’t work with PointSec. PointSec has never had an OS-X version. I got them mixed up with another company or software package that my company was evaluating, and not just for security, but client access as well.
Mark
The likelihood was that it was a PC notebook... The Government has been requiring the use of Windows on computers for the last five years...
Yep. And these are the people the Dems want to make all our healthcare decisions for us.