The University of Minnesota’s Reproductive Medicine Center has announced that a doctor lost information on 3,100 patients. The information was contained in a USB flash drive that was used as a backup to a computer. Contrary to the University of Minnesota regulations, this particular flash drive was not encrypted.
More specifically, the lost USB drive includes the details of infertility treatments for the patients, some of the records going as far back as 1999. No financial information or Social Security numbers were included. As things stand right now, anybody who finds the drive can access the information just by plugging it into a computer.
The doctor involved in the matter is mortified, appropriately so, and is sending letters of apology to the affected patients. Naturally, instances such as this bring HIPAA regulation breaches to one’s mind. I will not make any extensive commentary except to say that this obviously is in violation of that particular act.
What I just realized (I’m slow this way) is that letter of apology or not, this doctor is probably going to get sued. Nothing surprising there. However, I also know that doctors spend a considerable amount of their money buying insurance. Medical lawsuits are big business. Do doctors get any rebates on their insurance premiums for protecting their patient data? Or is something like this totally separate from medical insurance—just like homeowner’s insurance doesn’t cover damages from flooding (and must be bought separately).
Because I think I see an alignment of interests in both industries that is quite synergistic. With encryption, doctors and patients are protected in the event of theft. And because they’re protected, a lawsuit would not be brought forth; or, if a doctor is sued anyway, chances are that the defendant would win—meaning insurance companies can keep their money. And since there is a lower risk of financial payout to the affected party, insurance companies can lower their premiums, acting as a behavioral incentive for doctors to encrypt their data. It probably would work better than writing up some policy on page twenty‑five of a manual that nobody ever reads and expecting it to be followed.
It’s quite obvious that encryption is the best way to enforce patient confidentiality in a digital world. What’s not so obvious is that encryption (something offered as a managed service by AlertBoot) is probably the easiest way to protect it as well—from the standpoint of total coverage, including random events such as thefts or the classic “we have no idea what happened to it—I guess it must have been stolen” cases. I think not enough people are getting the message. Perhaps a little cash incentive from medical insurance firms is in order.
Well, the rich certainly have it better than the hoi polloi, even when their identity might be misused.
T. Rowe Price has alerted that thieves were able to make off with two laptops containing the personal information of 401(k) participants. The laptops were stolen from the offices of a contractor, CBIZ Benefits and Insurance, and 35,000 people might be affected by this particular data breach. CBIZ prepares tax forms for T. Rowe, hence the presence of sensitive data such as names and Social Security Numbers.
The two laptops were stolen on Christmas Eve. Quite a sizable time lag there between the theft and public announcement. If any of these clients lived in California, T. Rowe would be in breach of California’s laws requiring companies to immediately divulge the data breach.
T. Rowe has stated that laptop encryption and other forms of data protection were not specified when they signed up the contractor, and does not hold CBIZ liable for the data breach. In fact, T. Rowe has claimed responsibility for any future cases of ID fraud, and has generously offered credit monitoring and $25,000 in identity theft insurance (hence my glib remark about the hoi polloi). That five‑figure number certainly is unheard of.
Perhaps I’m reading too much into the news article that covered this story, but it almost seemed as if T. Rowe Price, while concerned enough about the situation—all laptops used by CBIZ have since been encrypted—was treating the situation as a dry, unusual exercise that wouldn’t happen again. If you want a positive spin on it, I guess you could say that they were being pragmatic and logical about the entire situation, accepting that it was a random incident that probably won’t be replicated any time soon. However, how am I supposed to interpret the following sentence?
“Geffert said the CBIZ division affected by the breach - CBIZ Human Capital Services - has since installed encryption software on its laptops, but it is not considered industry standard to do so.” [From SC Magazine. My emphasis.]
Geffert is associate counsel for CBIZ. He must be a lawyer, because no PR agent would say something like that—it almost seems to imply, hey, we did our best according to what other people have in place. Never mind that we could have done more to begin with. Hmph. I guess I’m admitting that there is value to PR folks. Or perhaps Geffert meant that encrypting laptops that are used in a secure environment, within the office for example, is not an industry standard, which makes sense—if physical security is airtight.
While I cannot give specific examples, I happen to know that many financial companies are actively engaged in encrypting their computers, especially laptops. The reasons for doing so are quite obvious. Besides the T. Rowe case above, which has affected a relatively small number of clients, there have been other high‑profile cases where potentially affected clients numbered in the hundreds of thousands. However, those cases reflected instances where a laptop was lost or stolen outside the confines of the office.
Here’s the reason why it’s a fallacy to encrypt laptop computers only, or computers that are constantly on the move: Things get stolen from within a company’s walls all the time. We have instances of “poseurs” who infiltrate companies specifically for stealing computers. The janitorial staff may decide to haul some hardware and quit their job. Security guards are known to have stolen from the job. This is not news; it happens, and it’s quite commonplace, some more than others. Does it happen at a greater rate than lost laptops? Probably not.
But it happens—and since security tends to be more lax for such computers (i.e., there’s a lack of encryption), when it does happen the repercussions are going to be dire. In fact, my belief is that once the world finishes encrypting all laptops with encryption services like AlertBoot, they’re gonna find that all the data thefts are coming primarily from inside—you know, where security is the weakest.
The Royal Bolton Hospital in England has fallen victim to computer theft—twice. In each instance, medical information was on the stolen devices. The thefts took place in October and November, but the public is being alerted only now. I guess someone is thanking an all-powerful being that the UK does not have HIPAA legislation to follow. Although, that Data Protection Act they have is nothing to sneeze at.
I used to have a beef with PR people stating that a stolen computer had “password protection but was not encrypted” trying to reassure the public about the safety of their data. Of course, the general populace started getting wise to the fact that it meant absolutely nothing security‑wise, so it seems to have been dropped in favor of other stuff. Such as this one: There is no evidence at all that whoever took the computers took them for the data. The thieves probably targeted the computer because of its monetary value and portability, and other reasons for inducing stickyfingernessity.
This one is not as soothing to the troubled mind as the other one—for one, it doesn’t have that forward‑projection of safety: Woo! Passwords! Double-layer! Protection! Bam! Whamo! Encryption? What’s that? Doesn’t that require passwords as well?
Plus, it’s relatively easy to draw a parallel to show the above pronouncement as meaningless. I might steal a bag, but not because it’s a bag. It’s Prada. (Thank you, Wayans Brothers.) A portable thing of high value. But, hey, what’s this? Credit cards? We-heh-hell, I’m eating tonight! The problem with this new line of “don’t worry, be happy” pronouncement is that one has to presume that a thief steals a computer either for its resale price or its data but not both. Most people know better.
At any rate, the hospital has waited several months to alert their patients of the breach and that they should watch out for any forms of ID theft—if they haven’t become a victim already, I guess. Perhaps in an effort to create a bulwark against criticism, over 300 laptops and desktops are being recalled from staff to have encryption software installed, a step in the right direction.
Another step in the right direction? They’re going to centralize the data, so that individual laptops will not be carrying all that data, all the time. Of course, they’ll want to make sure there are restrictions on what can be saved locally to the laptops’ hard drives, but it should help to improve overall security. One wonders why they didn’t do these things sooner. Though, if my military experience is any guide, you really start to move once the other cheek has received a good kicking as well.
The recall of 300 computers will have a temporary impact on the workforce; it has to. If the Royal Bolton Hospital had signed up with AlertBoot, they would not have needed to recall the laptops. A 2 MB file could have been sent via e-mail, downloaded, and installed by each user—a file size that is smaller than that of a digital picture captured by a high‑end camera phone. Plus, the reporting engine would have allowed the IT staff to keep tabs on users actually encrypting their machines. But, hey, better something than nothing; better late than never.
Horizon Blue Cross/Blue Shield of New Jersey is notifying over 300,000 members that their names, Social Security numbers, and other information was in a laptop computer stolen on January 5 from the home of an employee who was authorized to take the data home. Well, I’m assuming it’s her home, although the health insurance company pointedly stated that it was not stolen during a robbery. (If it’s not a robbery…what the hell is it? I mean, it’s kinda hard to “pickpocket” a laptop. Or perhaps someone just sauntered in to her home and left with it—no breaking in or anything violent at all?) The employee was allowed to take the data home because Horizon has a work‑at‑home program and, yes, they do have policies in place to protect their member data. Any personnel who travel would also have to adhere to these policies.
The policies include ensuring the physical security of a laptop, and keeping it in the possession of the employee at all times. Plus, it seems other contingency plans were in place as well. The press release by Horizon stated that the data would be automatically destroyed by the computer on January 23. If only they had included encryption as part of their data protection efforts. Supposedly encryption of all laptops was already under way at the company, but this particular laptop had not been equipped with it.
As is usually the case in such matters, Horizon stated that there were different levels of password protection.
It’s hard to criticize an organization that has done the right things in many ways. The presence of automatic data deletion is quite rare for most companies; it’s probably rarer than encryption, and to me it shows Horizon is serious about data protection. So why do they have the one and not the other? Beats me. It could be that the last time they reviewed different data protection technologies, whole disk encryption was nixed. Encryption has traditionally had quite an impact on computer performance, and only recently have advances in hardware performance allowed that impact to decrease to barely perceptible levels.
And the thing about encryption is that it has to start from somewhere, and the process is not instantaneous. Even with a managed encryption service like AlertBoot, it would take about 10 minutes on average for equipping one computer (be it a desktop or a laptop) with encryption software. Of course, for companies like this insurer, AlertBoot offers something much more convenient—and something that nears instantaneous installation. I don’t want to get too technical, but AlertBoot can make use of Microsoft Active Directory, for example, to synchronize encryption software installation. Now, chances are that any company that has over 1000 employees is also using Active Directory, so we’re using existing infrastructure to install the encryption software, saving in the process a serious chunk of time—and offering faster, and hence better, data protection.
Of course, my personal feelings are not universally shared. The politicos of New Jersey are grandstanding, saying that they’ll have an investigation into this matter—which they should; I’m not saying that Horizon did good—I’m saying that their efforts are probably better than many companies out there, but still failed. So, they should face the consequences. However, some of these remarks…tsk, tsk. I realize that they have to quell any ire from their constituents, but do politicians really have to sound like they have no idea of what’s going on?
“They treated this information as if they were running a roadside lemonade stand” is supposedly what the Honorable Kevin O’Toole said regarding the incident. Perhaps he didn’t get the memo, but self‑destructing data is closer to Mission: Impossible rather than your local lemonade stand.
Numerous students, alumni, staff, and faculty may be affected by the theft of a hard drive. The external storage device contained the Social Security numbers of nearly 40,000 people, and was reported stolen earlier this month. The device was unencrypted.
The external hard drive was used as a backup to a computer that contained billing information for a number of student services. Backing up one’s data is an action that should be applauded, although it is apparent that this is one of those cases where doing something is worth doing well.
The most detailed article is being carried by The Hoya, Georgetown University’s student newspaper, available electronically and carrying the usual accoutrements for commentary and submitting to feed sites. And what commentary!
As a university with a law school, several students (or former students?) are declaring their intention to sue the university, possibly getting a class‑action lawsuit going. Talk about teaching a man to fish. Others are saying that the university should never contact them for donations; they’re that angry—their posts are anonymous, though. Good luck with that. And I don’t mean to be disparaging (well, perhaps just a little bit); university alumni lists don’t have a purge option, per my experience. Another has stated that the information is being used maliciously and that he or she had lost approximately $20,000—some would call it a rumor, mostly because it was posted anonymously. However, he (she?) goes on to state how he lost the twenty grand in a very detailed manner (supposedly all you need to close an account at Bank of America is a Social Security number, a date of birth, and a name. What, no picture ID? That’s…problematic, no?). I trust this particular anonymous guy; something tells me a lot of people are going to be affected financially due to this particular data breach. Other people are beginning to complain about ID theft as well. One must take into account that the hard drive was stolen almost a month ago, so there was plenty of time for the thieves to paint the town red.
Some interesting commentary revolves around the fact that Georgetown University might be in breach of the California law that requires the public announcement of data breaches. The reason for that is because the California law is not based on where the data breach happens to be; rather, the affected organization is supposed to announce the breach if one of the parties affected happens to be a California resident. I’d say Georgetown University doesn’t have anything to fear even if they are in breach of the California law—unless they’re looking to open an L.A. campus. Of course, I’m not a lawyer—I’m basing this on (numerous) episodes of Law & Order where one state extradites criminals from another state, and cops tug over jurisdiction.
What horrors. A simple, managed data encryption service like AlertBoot would have made the above incident a moot point. Heck, Georgetown University could have encrypted both the hard drive and the desktop computer it was hooked up to, just in case. Instead, it looks like a $100 device will cost Georgetown quite a bit in alumni donations. Someone had stated anonymously that he had donated $25,000 over the years, but that’s coming to an end.
And I bet GU won’t be getting love from current students who are affected by this incident, either.
If you’ve been following the news, you probably know that a “rogue” trader at the French bank Société Générale has cost the bank 7 billion dollars (4 billion Euros, if you hate exchanges). While the details are slowly coming out (it’s day two of questioning by the French police for Jérôme Kerviel, the rogue trader), it seems that enough information has been leaked to understand how Kerviel was able to amass such a debt for the Red‑and‑Black‑Rising financial group. From the New York Times:
“The unions also want to address the possible loopholes in the bank’s internal security systems that may have allowed Mr. Kerviel to use log-ins and passwords of his colleagues to execute his fictitious trades.”
Let us assume that the above was a contributing factor to the 7 billion dollar loss. Ah, yes. Using the user names and passwords of colleagues. Unfortunately, this kind of thing happens all the time. I might have to taste my feet later for the following comment, but I’ll bet there’s nothing tremendously wrong going on at Société Générale, from a security standpoint. Every air‑tight security system falls victim to the weakest link in that system: the people.
Technically, you’re supposed to keep your user name and password private. Let no one know it, including your mother. In practice, it’s safe to say that a majority of the time this is not followed. Busy day at the office? Out to lunch with an important client? Someone you trust needs access to something? Oh, here’s my password…just don’t spread it around. (Right. It won’t happen. Revealing one’s password is like peeing in a pool: no way to stop the spread…)
Or perhaps you are a C-level executive (or are darn close to becoming one), and commandeer a platoon of secretaries. You let them take care of passwords. Why not? They take care of your bills as well. What’s a password when they can already access your money and your 401K? C-level, coming through! Too busy to take care of my own phone bill or to establish a password! Or remember a password, for that matter.
The problem with the above is that you never know when one of your trusted colleagues, agents, secretaries, or what‑have‑you will turn “rogue,” which is just the expression “turn bad” enveloped in a cloak of sensationalism for selling newspapers and keeping a story alive. (I can only concede to using the word rogue for financial types if they handle explosives and are a killing machine—like Jason Bourne. Oh, they exist. That’s what NOCs are for. Jérôme Kerviel? Not rogue. To begin with, he’s in prison. No way Bourne‑types being imprisoned could be public knowledge.) When do people turn bad? Why do they turn bad? That’s a philosophical question without a perfect or permanent answer. But for pragmatic purposes they turn bad when they screw up, like blowing your last wage on losing lottery tickets to pay off the loan shark. So, now you have to turn to crime to ensure your bones are not broken by cousin Vinny. Or something along those lines…
The best security system in the world is useless if people don’t do what they’re supposed to do. Let’s take for example encryption for your computers. Laptop encryption nowadays means RSA 128-bit, and this is what AlertBoot uses (among other strong encryption standards, if you prefer them over the original) to protect data storage devices. Developed back in the late 1970s, RSA is to this day THE method for encrypting electronic data (note the emphasis). It is so powerful, if used correctly, that it would take over a billion years to crack it using all the computing power in the world right now. And even factoring in (incorrectly, may I add) Moore’s Law, it would still take several lifetimes to crack it. This means you can take off a couple of zeros from a billion years—still a very long time.
Which is why anyone trying to crack the security system for an encrypted computer guns for the username and password, and not the encryption key. The user name and the password are the key to accessing the data, so they’re necessary; and yet they are also the weakest link in your security chain because you rely on people to keep them safe. If several people hold a user name and password for a critical piece of machinery, or worse yet, if one person holds several user names and passwords for critical pieces of machinery…well! A guy could log onto several terminals and execute trades under different names to the tune of seven billion dollars in losses. It doesn’t happen all the time, but look at what happens when it does. And it’s not as if this type of stuff is uncommon—Nick Leeson bankrupted Barings over ten years ago, although the security flaw involved in that case was something else.
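Both patterns described in this paragraph (several people using one account, and one person using several colleagues' accounts) leave a trace in ordinary login records, and a security team can look for them without any knowledge of what the accounts were used for. The Python below is an added example, not code from the original post or from AlertBoot. The log line format, the workstation names and the account names are all constructed for illustration, and the ten-minute window and three-account threshold are assumed tuning values that a real deployment would set from its own baseline.

```python
"""
Flag shared or pooled credentials from login/logout records.

Added example (constructed data, assumed log format). Two patterns are
reported:
  1. one account logged in on two different workstations at the same time
     (several people sharing a user name and password), and
  2. one workstation logging in with several distinct accounts within a
     short window (one person holding several colleagues' credentials).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line:
#   "<date> <time> <LOGIN|LOGOUT> user=<account> host=<workstation>"
SAMPLE_LOG = """\
2008-01-21 09:00:00 LOGIN user=trader01 host=WS-101
2008-01-21 09:02:00 LOGIN user=trader02 host=WS-101
2008-01-21 09:03:00 LOGIN user=trader03 host=WS-101
2008-01-21 09:05:00 LOGIN user=trader02 host=WS-204
2008-01-21 09:30:00 LOGOUT user=trader02 host=WS-101
2008-01-21 10:00:00 LOGIN user=trader04 host=WS-310
2008-01-21 12:00:00 LOGOUT user=trader04 host=WS-310
2008-01-21 13:00:00 LOGIN user=trader04 host=WS-311
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event, user_kv, host_kv = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", TS_FORMAT),
            "event": event,
            "user": user_kv.split("=", 1)[1],
            "host": host_kv.split("=", 1)[1],
        })
    records.sort(key=lambda r: r["ts"])
    return records


def build_sessions(records):
    """Pair each LOGIN with the next LOGOUT for the same (user, host).

    A session still open at the end of the log is closed at the last
    timestamp seen, so it still participates in overlap checks.
    """
    open_sessions = {}
    sessions = []  # (user, host, start, end)
    last_ts = records[-1]["ts"] if records else None
    for r in records:
        key = (r["user"], r["host"])
        if r["event"] == "LOGIN":
            open_sessions.setdefault(key, r["ts"])  # ignore repeated logins
        elif r["event"] == "LOGOUT" and key in open_sessions:
            sessions.append((r["user"], r["host"], open_sessions.pop(key), r["ts"]))
    for (user, host), start in open_sessions.items():
        sessions.append((user, host, start, last_ts))
    return sessions


def concurrent_hosts(sessions):
    """Accounts that were logged in on two different hosts at the same time."""
    by_user = defaultdict(list)
    for user, host, start, end in sessions:
        by_user[user].append((host, start, end))
    findings = set()
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                h1, s1, e1 = sess[i]
                h2, s2, e2 = sess[j]
                if h1 != h2 and s1 < e2 and s2 < e1:  # time intervals overlap
                    findings.add((user, tuple(sorted((h1, h2)))))
    return sorted(findings)


def many_accounts_one_host(records, window=timedelta(minutes=10), min_users=3):
    """Hosts where at least `min_users` distinct accounts logged in within `window`."""
    logins = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN":
            logins[r["host"]].append((r["ts"], r["user"]))
    findings = {}
    for host, events in logins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                findings[host] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("account on several hosts at once:", concurrent_hosts(build_sessions(recs)))
    print("several accounts from one host:", many_accounts_one_host(recs))
```

On the constructed data, trader02 is flagged for being active on WS-101 and WS-204 at the same time, and WS-101 is flagged because three different accounts logged in from it within a few minutes; trader04 moving from WS-310 to WS-311 after logging out is not flagged, since sequential use of one's own account from two machines is normal. Neither check proves wrongdoing on its own (a shared terminal room or a hot-desking policy produces the same signal), so the output is a list of accounts and hosts to review against the access policy, not a verdict.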
Keep your passwords safe and private. A secret shared with another is a secret shared with the world.