Compliance. Protection. Recovery. A Layered Approach to Computer Security for Healthcare Organizations
A lost or stolen computer puts healthcare organizations at risk
Healthcare organizations are embracing electronic health records and laptop computers to drive down costs, increase employee satisfaction and deliver higher standards of care and member service. However, the loss of even one computer exposes organizations to damaging publicity and HIPAA compliance challenges, and ultimately affects patient outcomes. A multilayered approach to computer security that includes physical deterrents, encryption, IT asset management, theft recovery and remote data delete capabilities ensures that both payers and providers are delivering the highest standard of protection for their computers and the information on them.
Table of Contents
Executive Summary
Paperless Healthcare’s New Technology Challenge
Compliance: Healthcare Organizations Must Protect Health Information
Lessons from Recent Health Information Breaches
A Case Study in Preparedness: Florida Hospitals
Encryption Cannot Prevent Public Data Breach Disclosure
Essentials for Multilayered Health Information Protection
Computrace: At the Heart of Healthcare Data Security
More Information
Executive Summary
In an attempt to streamline inefficiencies, reduce errors and drive down the costs associated with delivering medical coverage and care, healthcare organizations worldwide have transitioned abruptly from a largely paper-based administration system to one based on electronic health records (EHRs). While the widespread adoption of EHRs and new, mobile computing technology has narrowed the administrative gap between healthcare and the standards of other industries, it has exposed another, new threat: data breaches associated with lost or stolen computers. This, coupled with recently enacted governmental legislation specifically tasking healthcare organizations with controlling access to electronic protected health information (EPHI), has created a new challenge for healthcare Information Technology (IT) departments.
Laptop Theft is Staggering
Safeware The Insurance Agency claims that over 600,000 laptops are stolen annually, resulting in an estimated $5.4 billion loss of proprietary information[1]. As healthcare organizations turn to laptops for increased productivity, the theft of laptops is influencing the security of health information. Thirty-nine percent (39%) of Providers and 33% of Payers reported having experienced security incidents in the last six months.
With EPHI stored on laptop computers in the hands of physicians, nurses, HMO brokers and insurance underwriters, health organizations face negative publicity, fines and increased costs if even a single laptop goes missing. Healthcare IT professionals must now demonstrate that they can accurately track computers, protect the information on them and plan effectively for possible loss or theft.
According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must use some form of encryption to protect EPHI that is stored on open networks such as laptops[2]. However, encryption alone does not protect health organizations from the human factor. According to a recent survey of 1,400 enterprises, more than 60% of data breaches are the work of those operating within the firewall – insiders such as employees, contractors and others with ready access to sensitive information[3]. Intentionally or unintentionally, insiders such as physicians and HMO brokers with wide-ranging access to both EPHI and the necessary passwords and encryption keys represent a glaring hole in security policies that rely heavily on encryption alone.
Single-point security solutions cannot adequately protect healthcare organizations from all points of possible data breach. Instead, a multifaceted or layered approach to computer security and data protection is required, comprised of “CPR”: Compliance, Protection and Recovery:
• Compliance – Complying with all applicable mobile data protection regulations, with an easily accessible audit trail
• Protection – Protecting data on mobile computers includes encryption, strong authentication and the ability to remotely delete sensitive data on stolen devices
• Recovery – Recovering lost or stolen devices returns them to the control of the organization and facilitates prosecution.
By adopting the multilayered CPR approach to computer security, healthcare organizations can minimize the risks to health information resulting from lost or missing computers. Together, documented security policies, physical theft prevention, accurate IT asset tracking, encryption, remote data delete and theft recovery capabilities provide the highest level of protection available to healthcare organizations.
Suite 1600, Four Bentall Centre | Vancouver, BC, V7X 1K8 | 1 800 220 0733 | www.absolute.com
Paperless Healthcare’s New Technology Challenge
In 2008, one in every two computers in the world will be a laptop.[5] Health organizations including health maintenance organizations (HMOs), clinics, hospitals and related organizations such as pharmacies and home care services are participating in this trend. At the same time, pressure to drive down costs and improve administrative efficiency has fueled a convergence of electronic protected health information on laptops[6]. Together, these trends make healthcare organizations uniquely profitable targets for would-be identity thieves and other computer criminals.
A New Brand of Identity Theft
Identity thieves typically attempt to use stolen information to obtain credit cards, mortgages or travel documents. Healthcare has seen a new breed of thief who uses stolen identities to procure free medical care. For example, having gone into hospital for shoulder surgery, a 56-year-old retired school teacher was shocked to receive a bill for the amputation of her foot. While her foot was intact, the person who had stolen her identity had received the operation free of charge. The victim faced a lengthy process to prove that she was the victim of identity theft rather than the perpetrator.[4]
For Payers
Unlike their colleagues in other areas of corporate business who may have access to isolated pieces of personally identifying information such as an address or credit card number, information contained in the laptops of healthcare organizations is incredibly comprehensive.[7] Serving as a vital connection point between employers, individuals and a myriad of provider contacts, payer records typically include: names, social security numbers, treatment information, credit histories, physical addresses and current contact information. Because this information is often handled by a complex network of third-party brokers, sales managers, admin. staff and underwriters – many of whom take their laptops home – payers are natural targets for sophisticated computer criminals such as identity thieves.
For Providers
The access to information afforded by laptop computers enables anytime, anywhere decision making in a provider environment while dramatically reducing opportunities for errors in administrative processes. Operating on the mantra that health information should be at the bedside because that is where the patient is, physicians, nurses and admin. staff use laptops containing EPHI such as treatment information. However, holdovers from paper-based administrative systems often mean these laptops also contain non-clinical data used as patient identifiers – most often social security numbers[8]. While many may not be concerned over public disclosure of past surgeries, virtually everyone is concerned over the loss of their credit card number. Like the laptops used by insurance payers, provider laptops represent very attractive targets for identity theft.
As a result, IT professionals at both payer and provider organizations must be able to accurately track their computers regardless of location, routinely audit computers and what is installed on them and ensure that EPHI is protected in the event that a computer goes missing.
Compliance: Healthcare Organizations Must Protect Health Information
No single factor in recent memory has had a greater impact on the administration of healthcare than regulatory compliance. For healthcare IT professionals, the impact of regulation ranges from relatively non-technical auditing requirements to sophisticated technical procedures aimed at protecting health information. The Health Insurance Portability and Accountability Act and California Security Breach Information Act, in particular, have far-ranging implications for healthcare. Mandating tight control over computer assets, the 2002 Sarbanes-Oxley Act has had a great impact on IT departments in health maintenance organizations – which are often publicly-traded companies. Failure to comply carries fines of up to $5 million and imprisonment for senior management.
At its most general level, HIPAA requires health organizations to demonstrate that they have control over their computer assets: where they are, who is accessing them and what happens when they are lost or retired. Some specific mandates that impact the IT department include:
• Creation of a contingency plan – a series of policies or procedures to implement in the event that health information is at risk of exposure or loss
• Implementation of device and media controls – policies and procedures that ensure health organizations can effectively monitor health information-carrying hardware and its movement in and out of a facility
• Removal of health information – ensuring that health information is completely removed from computers before they are retired or put into reuse
• Encryption – health organizations must take steps to encrypt health information
• Audit controls – implement procedures for regularly examining the activity of systems and hardware that contain health information
Importantly, HIPAA requirements apply not only to health organizations but also to associated suppliers, business partners, contractors and brokers who may also have access to health information[9].
The 2002 California Senate Bill 1386 added a new, public dimension to regulatory compliance in healthcare. In the event of a data breach such as a lost laptop computer containing sensitive information, the bill requires organizations (healthcare included) to notify all parties whose personally identifying information has been exposed.[10] Following California’s lead, 36 additional states have enacted similar data breach laws. So, while HIPAA tasks healthcare organizations with protecting health information, recent state-level regulation can bring media scrutiny, breach-mitigation costs and a damaged public reputation in the event that an unprotected laptop goes missing.
Ponemon Institute estimates that it costs a company $197 per missing record when a breach occurs.[11] In many breach situations, the number of records affected is in the hundreds of thousands, with the most extreme case involving 27 million current and former U.S. military personnel. In such cases, the cost to manage the breach can reach into the tens of millions – providing strong motivation for organizations to protect their data and themselves.
# of records x $197 per record = Cost of Breach
Until recently, the costs of healthcare computer security included antivirus software, firewall systems and encryption technology licenses. With the development of state data breach laws, healthcare organizations must now consider the quantifiable costs associated with the management of health information breaches. Current estimates suggest that these costs can exceed $197 per health record.
Data Breach Legislation has been Enacted in 37 US States
[Figure: map of the United States distinguishing states with data breach laws from states without data breach laws]
Lessons from Recent Health Information Breaches
Austin, Texas – Seton Family of Hospitals announced in a press release that the health information of approximately 7,800 patients without health insurance had been exposed when a laptop was stolen from its offices. The information included Social Security numbers, health plan numbers (such as CHIP or Medicaid) and dates of birth. The hospital’s senior VP said that although the laptop was password protected, a “determined” hacker could access the information. Austin police were alerted in an attempt to recover the stolen computer.[12]
Data breaches that went unnoticed historically are now highly publicized as a result of recent state data breach legislation.
Detroit, Michigan – Blue Cross Blue Shield of Michigan announced in a Website statement and via personalized letters to members that the information of approximately 1,560 members and two staff had been breached. Information contained in a laptop stolen from an employee’s home included names and health insurance contract numbers. Approximately 120 records also included Social Security numbers. Despite BCBSM internal policy that requires the encryption of health information and closely monitored circumstances that allow downloading health information onto portable devices, the employee’s laptop was unprotected. Disciplinary actions are pending completion of investigations into the incident.[13]
Ontario, Canada – More than 2,900 patients at the Ontario Hospital for Sick Children were notified via press release that their health information had been breached when a physician’s laptop was stolen from an automobile. Hospital officials believed that the information was unlikely to be accessed because the laptop was password protected. Ontario’s Privacy Commissioner responded via press release demanding that the hospital take immediate steps to better protect patient information – including encrypting health information. The laptop computer was never recovered.[14]
Aspen Hill, Maryland – U.S. Department of Veterans Affairs announced that a notebook computer containing the names, birthdates, Social Security numbers and limited health information of 26.5 million veterans and active-duty military personnel had been stolen. It took Veteran’s Affairs officials more than two weeks to publicly disclose the breach. The laptop, stolen from the data analyst working for VA, became part of the largest data breach in U.S. history. The theft prompted a series of hearings in the U.S. Congress that criticized the VA’s data security processes and resulted in legislation that compels the VA to immediately notify Congress in the event of a data breach.[15]
A Case Study in Preparedness: Florida Hospitals
With seven hospitals and 14 Centra Care walk-in medical centers, Florida Hospital is one of the largest hospital systems in the country, caring for almost one million patients every year – more inpatients than any other hospital system in the United States. When the information technology team at Florida Hospitals planned for the deployment of 1,200 new laptop computers, the security of the information they would ultimately contain was a top priority.
As a result, Florida Hospitals opted to protect all 1,200 computers with Computrace® Computer Theft Recovery, Data Protection and Secure Asset Tracking™ services from Absolute Software. Using Computrace, Florida Hospital’s IT team logs into the Absolute Online Monitoring Center to track up to 100% of its computing assets whether they are in the hospital or out in the field. Computrace also assists in creating audit records that can account for the status of each computer, who is using it and the hardware and software configuration – including detecting unauthorized software installation and the removal of hardware components such as computer memory. Should a computer go missing, the Absolute Recovery Team recovers the computer backed by a $1,000 Recovery Guarantee.[16] Using the tamper-resistant, BIOS-embedded[17] Computrace agent, Absolute can also remotely delete sensitive data such as health information to ensure it doesn’t fall into the wrong hands.
Florida Hospital’s decision to protect its computers with Computrace proved a good one when one of the organization’s laptops went missing. Absolute’s Recovery Team used the Internet to track the computer to two separate IP addresses. The first address was that of a hospital security guard. The second address was that of a local computer store where the alleged thief had just had the computer reformatted. The computer has now been recovered by police and the alleged thief was dismissed by Florida Hospitals.
According to Keith Paul, MIS Director at Florida Hospitals, “Just the fact that I got that guy out of our organization has saved us.”
Encryption Cannot Prevent Public Data Breach Disclosure
IT and security staff at a 2,400-physician Michigan-based hospital were justifiably concerned when they learned that a nurse’s laptop computer had been stolen. More concerning was the fact that the nurse had contravened the hospital’s data security policy and affixed the laptop’s encryption key to the front of the computer. Fortunately, the hospital had protected the laptop with the Computrace tracking solution from Absolute Software.
Stopping Up Data Leaks: First You Must Find the Hole
In a recent survey of more than 400 organizations, 62% of companies believe that the disappearance of company computers has historically gone unnoticed. A further 22% of those organizations surveyed feel that sensitive information has also been breached from the organization without company knowledge.[18]
After alerting police, the hospital contacted the Absolute Recovery Team and let the team know that they were very concerned over the health information contained in the laptop. Rather than attempting to physically recover the computer, the Absolute Recovery team recommended an immediate data delete operation to remove the sensitive information from the laptop. Having promptly deleted all health information from the computer, hospital officials maintained the computer’s security. Hospital officials estimate that the quick action resulted in cost savings of between $80 and $100 per health record in data breach-related costs.
Data Encryption = A False Sense of Security
The encryption of health data that could be exposed to unsecured systems such as laptop computers that leave healthcare facilities is required for compliance with the Health Insurance Portability and Accountability Act. However, encryption alone is not adequate protection for health information or the public reputations of healthcare organizations for a number of primary reasons including:
• Encryption cannot track and recover computers – Returning a missing computer to the control of its healthcare organization owner is a powerful capability in terms of both data security and public relations. Encryption technology does not assist in tracking or recovering computers. Without the ability to physically recover lost computers, healthcare organizations may struggle to prove that data on lost computers remains encrypted.
• Encryption is subject to user error – Many data encryption tools depend on the end users of computers to ensure that health data is effectively protected. Busy hospital staff, HMO brokers with intermittent Internet connections while on the road and technology-averse staff may intentionally or unintentionally leave health information unencrypted despite organizational policy.
• Health organizations must disclose data breaches – Unable to rely on encryption to foil determined hackers in possession of a stolen laptop, health organizations must publicly disclose the fact that they have experienced a data breach. While health information may ultimately remain inaccessible to computer criminals, the public reputation of the healthcare organization may still suffer while a computer remains missing.
• Encryption does not alert IT to missing computers – In many organizations, computers are rarely, if ever, audited. In such cases, it may be days or even months before a computer containing health information is reported missing – giving would-be identity thieves the time they need to decipher encryption codes.
• Encryption does not protect against “inside jobs” – According to a recent survey, more than 30% of companies believe employees are actively involved in the theft of company computers[17]. Armed with the necessary passwords and encryption keys to access health data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone. Health organizations need physical control over their computer assets.
Organizations that process health information need to provide layers of protection for the sensitive data they hold – each layer working to bolster protection. The highest level of protection includes: thoughtful organizational policy and education, physical deterrents, secure IT asset tracking, encryption, remote data delete and theft recovery capabilities.
A Layered Approach to Computer Security
[Diagram labels: Organizational policy; Physical deterrents, i.e. locks & cables; Encryption technology; Health data; Data Delete capability; Computrace computer theft recovery]
Essentials for Multilayered Health Information Protection
Encryption of health information is a necessary step and is required for HIPAA compliance. However, encryption technologies rely heavily on the human factor (end users) to remain effective. To provide both health information and the public reputation of health organizations with the maximum level of protection, a robust, multi-level approach to protecting health information should be taken.
Organizational Policy
For hospitals, clinics, health maintenance companies and other healthcare organizations, the first step in protecting health information from possible breach is determining which files or systems are important and acknowledging that they need protecting with formalized policy. Obvious health information includes treatment information, health plan numbers, and prescription information. Often overlooked by providers, other information such as Social Security numbers, patient addresses and other personally identifying (but not treatment-related) information must also be considered when planning for data security.
Next, agree on a code of conduct for the use of the organization’s equipment and information. The most essential components of this should include:
• Identification of information that strictly cannot leave the company premises
• Agreement on software or hardware products that are not permitted for use on company equipment
• Educating employees on company policies and security measures to ensure their buy-in
• Measures to protect data held by third-parties such as contractors or brokers
Having put appropriate policies in place, the next challenge is ensuring that the policy is enforced by highlighting common-sense and taking advantage of readily available technology.
Physical Deterrents
For both regulatory compliance and public relations, there is no substitute for preventing the theft of computers before they leave the control of health organizations. Keep laptops inconspicuous while they are out of the facility by covering them when in cars, locking them out of sight and avoiding carrying them in tell-tale laptop bags. Take advantage of physical deterrents such as cable locks at home and in the office, which can slow or deter thieves but, like car door locks, shouldn’t be relied on to prevent all computer thefts.
In order to comply with governmental regulation such as HIPAA and SOX, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. Gartner studies suggest that most companies are only able to locate 60% of their mobile computer assets.[19] In such cases, as many as 40% of computers holding health data may be victims of “organizational drift.” Taken out of service, allocated to new employees or hidden under a pile of paperwork in an office drawer, these computers often contain health data. Having fallen off the IT security radar, computers that have drifted in this manner can undermine the most robust security policy.
Another challenge for healthcare IT professionals is effectively tracking mobile computers as they pass in and out of healthcare facilities and offices. While traditional IT asset management systems can assist in tracking computers that are connected to local area networks, difficulties in auditing computers that are off the network present a glaring hole in health data protection strategies. Products such as Computrace from Absolute Software address this challenge by using the Internet to audit computers that are in the hospital or a continent away. By using products like Computrace, IT professionals can produce near real-time reports on the location and configuration of up to 100% of their computer assets.
Data Protection with Remote Data Delete Tools
The ability to delete health information from computing assets regardless of their location is essential. Remote data delete software such as ComputraceComplete, ComputracePlus and Computrace Data Protection provide this capability, and can remove data at the file, directory and/or operating system (OS) level. Computrace utilizes an algorithm to delete data that exceeds the United States Department of Defense (DoD) deletion standard DOD5220.22-M and meets the NATO deletion standard. DOD5220.22-M is a DoD specification for wiping disk storage to guarantee that all data previously contained on magnetic media is permanently erased. In the case of lost or stolen computers, Computrace can create auditable reports to help prove that health information has not been accessed by thieves. This can reduce or eliminate the requirement to publicly disclose data breaches.
Theft Recovery
The ability to physically recover a lost or stolen computer containing health information brings health data back under IT’s control, assists in prosecution of thieves and any disciplinary action for employees while providing reassurance that health information is safe. If law enforcement officials are able to locate and recover a stolen notebook, police are in a better position to find and prosecute the perpetrator. Similarly, with the asset recovered and the perpetrator identified, the scope of the information breach can be defined and swift corrective action taken, whether this means dismissal or prosecution. Well-publicized repercussions send a clear message that healthcare organizations have the ability to strike back.
Theft recovery tools such as ComputraceComplete are highly effective because thieves know that hardware is more valuable if they can prove that it is in working order. To do so, they inevitably turn the hardware on and – as the vast majority of notebooks today are wireless-enabled – it connects to the Internet, at which point the stealthy Computrace agent quietly reports its location information to the Absolute Theft Recovery Team. The central administrator can then provide the necessary information for local law enforcement to recover the computer.
Computrace: At the Heart of Healthcare Data Security
Computrace from Absolute Software forms an ideal platform for supporting a multilayered approach to protecting the health information contained in laptop and desktop computers. Embedded in the BIOS of computers from the world’s leading computer manufacturers during the manufacturing process, Computrace is uniquely able to address the health data protection requirements of healthcare IT professionals. Perfectly complementing organizational policy and encryption technologies, Computrace addresses several major compliance challenges for healthcare organizations including:
• Accurately Inventorying Computers – By logging into the Online Monitoring Center, healthcare IT personnel can create near real time reports on the computers in their inventory, their configuration, current user and location – whether they are connected to the local area network or in the field.
• Recovery – Using Computrace, the Absolute Recovery Team can track missing computers and work with local law enforcement to recover the computer backed by a $1,000 recovery guarantee.
• Emergency Data Delete – Computrace allows IT professionals to remotely delete health data from missing laptops and determine whether data has been accessed by thieves. Organizations can then assess whether they are required to publicly announce a data breach.
• Policy Enforcement – Computrace can detect unauthorized software installations and missing hardware, and can report on software installed – allowing IT departments to ensure that key programs such as antivirus or anti-spam are up-to-date and current.
• Lifecycle Management – In addition to remotely deleting health information in emergency situations, Computrace can be set to automatically delete data from computers at lease end or at a pre-determined retirement date. This ensures compliance with HIPAA data delete requirements.
When a computer protected by Computrace is reported stolen, the embedded Computrace agent sends a silent signal to Absolute’s Monitoring Center providing critical location information. Absolute then works with local law enforcement to recover the computer backed by a $1,000 recovery guarantee. The stealthy Computrace software agent can survive accidental or deliberate attempts at removal or disablement. With embedded support in the BIOS of a computer, the Computrace agent is capable of surviving operating system re-installations, as well as hard-drive reformats, replacements and re-imaging.
How Computrace Works
• Remote Computer: Location, user, hardware and software data is transmitted daily without user input or knowledge (client-initiated, TCP-based and encrypted).
• Absolute Monitoring Center: Information is confidentially stored in our secure offsite facility.
• IT Administrator: Responsible for managing remote / mobile computer assets and for setting up Data Delete.
• Online Customer Center: Absolute Website: Log onto Customer Center to track and manage your PC assets.
More Information
References
1. Ken Bates and Chelle Pell, Keeping You and Your Property Safe: A Guide to Safety and Security on the Stanford Campus, Stanford University Department of Public Safety, http://ora.stanford.edu/supporting_files/keep_safe.ppt
2. Health Insurance Reform: Security Standards; Final Rule, February 20, 2003, Department of Health and Human Services
3. The Inside Job, August 13, 2007, Information Age
4. Medical identity theft on the rise as health care desperation leads to crime, September 26, 2006, NewsTarget.com
5. Are Fortified Notebooks the Answer?, May 19, 2006, Processor.com
6. I.T. Threats: Obvious, Unknown or Hyped?, May 2007, Health Data Management
7. Free Healthcare via Identity Theft, January 27, 2007, Grindstone Healthcare Consulting, Blogspot
8. Using the SSN as a Patient Identifier, American Health Information Management Association
9. Absolute Software is not an authority on regulatory compliance. References to regulatory compliance are included for discussion purposes only and do not constitute legal advice or interpretation of current or future regulations.
10. Bill 1386 Chaptered, February 12, 2002, California State Senate
11. Cost of Data Breaches Keeps Rising, November 28, 2007, InfoWorld
12. Hospital Laptop Stolen; Info On 7,800 Patients At Risk, February 2007, InformationWeek
13. BCBSM Responds to Protect Members Affected by Security Incidents, July 2007, BCBSM Corporate Website
14. Sick Kids’ laptop theft angers watchdog, May 2007, The Star
15. Two Charged in VA Laptop Theft, August 2006, CSO
16. Certain conditions apply. For full details visit: www.absolute.com/pdf/eula.pdf
17. For a complete list of BIOS-supported computers visit www.absolute.com/BIOS
18. Survey of 400 Absolute Software Corporate Customers, June 2007, Absolute Software
19. 2002, Gartner
For more information on Compliance, Protection and Recovery, and the software tools used in a layered approach to computer security, contact Absolute Software today. Absolute Software Suite 1600, Four Bentall Centre Vancouver, BC, Canada V7X 1K8 Toll-Free: 1 800 220 0733 (US & Canada) Tel: 604 730 9851 Fax: 604 730 2621
About Absolute Software
Absolute Software Corporation (TSX: ABT) is the leader in Computer Theft Recovery, Data Protection and Secure Asset Tracking™ solutions. Absolute Software provides organizations and consumers with solutions in the areas of regulatory compliance, data protection and theft recovery. The Company’s Computrace® software is embedded in the BIOS of computers by global leaders, including Dell, Fujitsu, Gateway, HP, Lenovo, Motion, Panasonic and Toshiba, and the Company has reselling partnerships with these OEMs and others, including Apple. For more information about Absolute Software and Computrace, visit www.absolute.com.