NHLBI cardiologist Dr. Andrew Arai had no idea he was on his way to becoming the poster boy for laptop security when he got into his Toyota Camry early on the morning of Feb. 23 to take his daughter to the prestigious Metros high school swimming and diving championships.
The annual meet pits the best swimmers in the area against one another in the season’s capstone event. Not only was Arai’s daughter, 15, competing, but he too was working as a stroke-and-turn judge, making sure that each swimmer adhered to acceptable technique.
Arai had grown up outside Chicago and swam competitively during summers as a kid. As an adult, he considers his volunteer work at meets a familiar and convivial public service.
As any swim parent knows, meets take forever. Arai had long been in the habit of bringing work along with him, to make use of the downtime, and this Saturday was no different.
“I used the laptop that morning during the warm-up session to finish some work before an upcoming trip out of the country,” he said. “I left the laptop in the trunk of the car for the morning swim events while I was volunteering as an official. I felt I might be able to get some work done again later in the afternoon. I frequently work when I have free time.”
During a midday break, he went home briefly, looked in the trunk of his car and discovered that his briefcase had been rifled and the laptop was gone.
“I knew right away I had a problem—it was very worrisome,” said the 14-year veteran of the Laboratory of Cardiac Energetics. He immediately called the Montgomery County police, who referred him to the U.S. Park Police, under whose jurisdiction the Germantown swim center falls. He also called the NIH Help Desk to report the missing laptop. “I wasn’t 100 percent sure what should be done,” he said.
That Monday, he left for London on previously scheduled government travel. While there, he got emails from IT people at NHLBI, inquiring about the contents of the missing Dell PC laptop. During Arai’s 2 days in London, he learned that the laptop contained private information identifying people in clinical studies.
“That was my first big lesson—we carry so much information around with us, a dangerous amount,” he said.
Arai says that his lab was one of the first at NHLBI to have all its laptops encrypted. However, he says, “One of my students lost some information during the encryption process, so we made a request to stop the encryption until the process could be worked out better. Unfortunately, no one ever restarted that process…”
Arai acknowledges that encryption would have prevented the loss of personal data on his machine.
“I travel a fair amount, and work on my laptop so much that it’s just part of my routine,” he said. “I’m often out of the office. I do a lot of work after hours and on weekends.” Knowing that many NIH’ers have similar habits, he now cautions, “Everyone on campus should have encrypted laptops.”
He is also far more careful about what goes on his laptop. “I’ve changed the sorts of information I keep there—only what I really need.”
Police have not yet found the stolen laptop but the investigation remains open. Arai says he personally lost “a few files and some recent presentations. The most important information is backed up on servers at NIH. As best I can make out, we haven’t lost any important research data.”
Arai says he has “not been privy to a lot of the feedback that has come in” as a result of the media picking up on the story of compromised personal data. “I do know that a lot of people are upset,” he said. “No one wants to hear that their private information was compromised. It’s painful for everyone involved—for the patients and for us.”
He never guessed that South Germantown Recreational Park, home to both the Maryland SoccerPlex and the Indoor Swim Center, “was a dangerous place to be—it’s not like it was downtown or something.” He calls the vulnerability that caught him up “a tough scenario” that has yielded at least three important lessons.
“First, it educated everyone on the team [of about a dozen physicians, nurses, technicians and postdocs] to only store private information on secure network servers. We don’t put information like that on portable media anymore.
“Second, we have learned to tighten up access to private information. We are working with IT to be ever more restrictive on how data comes out of the database. It’s a long-term solution, and ongoing.
“Lastly, we are learning how to manage the data on our portable devices. Laptops hold huge amounts of information. USB sticks are even easier to lose or have stolen than laptops. BlackBerries and PDAs all can store an incredible amount of information. We have new procedures where we don’t download as much to those devices anymore, and when we do download, we scrub it off when it’s no longer needed. That’s actually a very difficult process.”
He said NHLBI has adopted one of the most restrictive policies on campus with respect to IT: “We are not putting any private information on the laptop.”
Arai still uses one, though. “I need one for my job description,” he says. His team is developing new ways of diagnosing heart disease with MRI and CT scanners. “It’s mostly diagnostic-level work—I have very limited face-to-face interaction with patients.”
He says he doesn’t know yet whether the uproar over his lost laptop has harmed him professionally, and admits to having received a mix of emails, some supportive and some angry.
“The issue is not closed yet,” he concluded. “It hasn’t totally settled down for me. But this is an important topic for anyone who uses personal information. It affects not just NIH, but everyone.”