A couple of weeks back I picked up on an article that had the Brazilian government mobilizing its intelligence and police forces to recover stolen laptops and hard drives. The devices stored data on recently discovered oil and gas fields found off the coast of Brazil. The loss of data led to much speculation on who could have done it and why, including whether it was a case of industrial espionage.
I pointed out at the time that I couldn’t see how spies would make use of any stolen data: oil fields hundreds of feet beneath the sea surface are not something you can steal. (On further thought, perhaps the data will be useful if the rights to pump parts of the field are auctioned off or something. I mean, who wants the risk of pumping the wrong part of the field, eh?) I also pointed out that all the furor would be moot if the laptops and hard drives in question had been encrypted using advanced encryption like AlertBoot.
Well, it turns out that the devices were stolen by four security guards working in Macae, Rio de Janeiro (the state, not the city). The guards had routinely stolen stuff from trucks, and this time they messed with the wrong truck. Once they realized the ramifications of their actions, no doubt alerted by media coverage of the lost devices, they attempted to get rid of the stolen goods. Quite successfully, it seems. But they got caught in the process.
Ah, yes. The police in Brazil. I remember the strict warning I had gotten from Cariocas (that’s Rio people, just like New Yorkers are NY people) when I used to live in Brazil, over ten years ago. They looked me straight in the eye and told me that under no circumstances should I ever stop at night if the police flagged down my car. In fact, if anything, I should speed up, as they would pursue me if they had a police car, and not just because it was their duty. Run! Run away!
Me: What happens if you get caught?
Answer: The point is not to get caught. Speed up, moron.
But what happens if you do get caught? If they catch up in their Golf zerinho? Well, if they’re honest police, you can explain you thought they were dishonest police; they’d understand. Chances are they would give you a ticket—which in all seriousness you’d have to fill out for them. (Again, with the serious face.) If they were not honest police…well, you’re screwed. Which is why you must run. Run away!
They weren’t kidding at all. I thought I’d share that particular gem. I am not sure if the above is still valid advice. (On a personal note, I’ve never had a problem with Brazilian police. But then, I have never been flagged down.)
Anyway, the question of who will police the police has been an issue from time immemorial for all societies. You can chalk this up to another one of those data breach instances because things don’t go as they should: surprising developments, accidents, etc. It’s because of such vagaries in life that you want to use encryption to secure your data. Especially if spies may be after it.
Fairfax County police in Virginia have busted a small theft ring that was operating out of a Life Time Gym. (My interest was piqued because I read that as LifeTime Gym. I don’t know what I was expecting to see. Wronged women bulking up to enact revenge on their wayward husbands, I guess.)
By the time the ring was busted, police found in the thieves’ possession “33 iPods, seven BlackBerries, three Treos, two cell phones, a Nokia PDA, two Apple TVs, 24 Toshiba disc drives, two digital cameras, a Dell computer, a credit card, 33 bags of marijuana and three digital scales.” [connectionnewspapers.com]
That’s a heck of a haul. And also, let us remember, this is what was found at the end of the investigation. I’m sure that there were plenty of other things that were sold off prior to the thieves getting busted.
BlackBerries, Treos, PDAs, computers, disk drives…these are all products that, traditionally, have been used by business people, although their use is gradually filtering down to laypeople. In certain cases, such as laptops and external disk drives, they’re already widely used by the average population. Due to their nature, it’s not a wild guess that a lot of these mobile devices, if not most, contain sensitive information.
Some devices, like BlackBerries, are already built with security in mind: passwords can be alphanumeric, and longer than the usual 4- to 5‑character passwords found on phones. Plus, ten wrong guesses will delete everything on the device. Now, that’s security; a little heavy‑handed perhaps, but I’d definitely put it under the “pros” column when evaluating products. However, there are plenty of devices out there that aren’t designed with data security in mind. Left unprotected without encryption, getting information from such devices is a walk in the park.
For the disk drives, it’s just a matter of connecting them to a computer; plug and play. With a laptop, it’s just a matter of booting it up. If there’s a password in place, you can bypass it quite easily (Google it up if you’re really curious—not that I’m advocating doing this to machines other than yours). BlackBerries, Treos, and PDAs? You could pop out the SIM card, if the device has it, and read some or all of the contents (Google gives results on that, too). Plus, four starred‑out numbers? An afternoon and a half is all it takes to break that obstacle for most digital devices; you just try all combinations from 0000 to 9999. Two days if it’s five stars. Combine that “security” with the unbreachable citadel that is one’s gym locker and you’ve got…little security. Two times nothing is nothing; two times one one-hundredth of something is virtually nothing.
What you want is real security. Since you can’t have two‑inch thick steel gym locker doors, and at some point you’re going to forget that you had that PDA in your gym bag, there’s only one thing you can do to protect your data and prevent a data breach: encrypt your devices. In this day and age, it’d be insanity not to. With an encryption service provider like AlertBoot, you can easily encrypt and keep track of devices, including PDAs and SmartPhones. It will encrypt whole disk drives on laptops and desktops, of course. Or, if you prefer, you can opt to encrypt files only.
Healthcare organizations are beginning to feel the heat. First, there are the surprise HIPAA security audits the Feds are planning on conducting. I already blogged about it before, and how it was just a preliminary one. The exercises to be conducted this year are to figure out how to approach such audits, and affect a list of pre-approved medical centers (pre-approved because they know the audits are coming. It’s not a total surprise).
However, once the preliminary studies are conducted, the results will be used to expand the audits nationwide. Unlike the past decade since the law took effect, auditing will be performed to ensure HIPAA compliance.
What’s worrisome, though, is the growing feeling that healthcare organizations are being targeted for information and data theft. It’s not big, not yet. However, there are signs that the problem is growing. A networkworld.com article quotes SecureWorks as seeing an 85% increase in attempted attacks towards its healthcare clientele.
Medical data is not just your past medical history. It also includes insurance numbers, credit card numbers, SSNs, names, addresses, etc. People engaged in medical fraud are as interested in obtaining such information as your average credentials peddler (read: purveyors of fake IDs. Nothing like what I had in college, though).
And the attacks come from the inside as well. Plenty of people over the past year have been caught collating and selling patient information for personal gain. In fact, it makes me wonder if the growing numbers of stolen and lost laptops are in some part mirroring insider thefts.
What can hospitals, HMOs, and other covered entities do? Well, there is no one-shot answer to the problem of ensuring patient privacy and confidentiality. However, there are certain steps one can take to ensure the basics are covered.
One that I would be remiss in not mentioning would be full disk encryption. Laptop encryption, desktop encryption—it doesn’t matter what type of information processing device you have. As long as there is sensitive data saved on it, temporarily or otherwise, you want to encrypt the computer if it’s not chained down to the floor. And even then, you might want to employ data encryption because some crooks will steal the chain and the floor tiles along with the computer.
Encrypting devices will not prevent theft; however, it will ensure that there are no data breaches—which is what HIPAA and the medical industry are trying to prevent (well, the latter is interested in both). There are many encryption services out there, but you want to ensure that they are using proven encryption like AES or RSA. Unbreakable ciphers are notoriously hard to create, which is why the field is dominated by a handful of companies: the others found their products were not as unbreakable as they thought. Plus, if you’re actually in the medical field, you may want something that lets you keep track of the encryption status of each machine. AlertBoot, for example, not only uses AES and RSA for encryption. It also comes with a suite of reporting options—including one for HIPAA and Sarbox auditing.
Irish Blood Transfusion Services did not breach the Data Protection Act when their donors’ information got stolen earlier this month. Or rather, when the laptop containing their donors’ information was stolen.
So, how remote are the possibilities of someone breaking the encryption? Well, it depends on two factors: the strength of the encryption key itself and the strength of the passwords. The encryption key is what is actually used to scramble the information on the laptop. The longer the key, the harder it is to break the encryption—and this difficulty increases on an exponential basis. That is, the difference between 128‑bit encryption and 256‑bit encryption is 2^128 vs. 2^256, and both are available in AlertBoot, as well as stronger forms such as 1024‑bit encryption. According to some calculations, going through all possible key combinations to find the correct one would take anywhere from at least a couple of centuries to until the universe becomes a cold mass, even with all the processing power found in the world right now dedicated to finding it—including supercomputers.
This is why people trying to hack into encrypted systems try to find other ways of doing it. The easiest? Try to figure out the password. This is why a lot of emphasis is placed on alerting end users to select a strong password.
A strong password is not only long; it has to be as random as possible. The importance of the randomness lies in the fact that one of the methods employed in cracking passwords is to use a dictionary. A computer is employed to read a word from a dictionary, try it as a password, and see if it gives one access. If not, a new word is selected from the list and the process is repeated. When you consider that computers can go through this process with extreme speed, it makes sense not to use a simple word as your password. This also extends to reversing the spelling of words, since it doesn’t take much time for a computer to reverse words and give those a try. Combining two or more words that normally wouldn’t be combined (such as a dioxin-parasol-kielbasa) would be better; and yet, it is still only a matter of time before such passwords are broken.
The point is to make passwords so random that a hacker is faced with either guessing with randomly generated passwords (a poor chance of success) or going through every possible combination using the alphabet. Or, you could also decide to use AlertBoot encryption services for your laptop security. One of the features in AlertBoot is limiting the number of wrong username/password tries. For example, if the limit is set at seven, you only have seven chances to supply the correct credentials. Once over that limit, it doesn’t matter that you supplied the correct username and password—you’re locked out until you call for help; only when your identity has been verified will access be given to your machine.
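The dictionary checks and the wrong-try limit described above, as an added Python example (not AlertBoot's code and not part of the original post): it labels a password by the cheapest guessing strategy that would find it, then gives the chance of a correct guess within a fixed number of tries. The word list, the function names and the assumption that every value in the guess space is equally likely are constructed for illustration.

```python
import string

# Constructed sample word list; a real audit would load a full dictionary file.
WORDS = {"dioxin", "parasol", "kielbasa", "password", "dragon", "monkey"}

def split_into_words(candidate, words=WORDS):
    """Return dictionary words that concatenate to candidate, else None.
    Case and the separators '-', '_' and ' ' are ignored."""
    s = "".join(ch for ch in candidate.lower() if ch not in "-_ ")
    best = {0: []}                      # best[i] = one word split of s[:i]
    for i in range(1, len(s) + 1):
        for j in range(i):
            if j in best and s[j:i] in words:
                best[i] = best[j] + [s[j:i]]
                break
    return best.get(len(s)) if s else None

def alphabet_size(candidate):
    """Size of the character set an exhaustive search would have to cover."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(c) for c in classes if any(ch in c for ch in candidate))
    if any(ch not in "".join(classes) for ch in candidate):
        size += len(string.punctuation)
    return size

def classify(candidate, words=WORDS):
    """Return (label, guess_space) for the cheapest strategy that finds it."""
    parts = split_into_words(candidate, words)
    if parts is not None:
        kind = "dictionary-word" if len(parts) == 1 else "word-combination"
        return kind, len(words) ** len(parts)
    parts = split_into_words(candidate[::-1], words)
    if parts is not None:
        # forward and reversed spellings both have to be tried
        return "reversed-dictionary", 2 * len(words) ** len(parts)
    return "exhaustive", alphabet_size(candidate) ** len(candidate)

def success_chance_with_lockout(guess_space, limit):
    """Chance of hitting the secret within `limit` tries before lockout.
    Assumes the secret is equally likely to be any value in guess_space."""
    return min(1.0, limit / guess_space)

if __name__ == "__main__":
    for pw in ["kielbasa", "drowssap", "dioxin-parasol-kielbasa", "4821", "q7#Lw9!z"]:
        label, space = classify(pw)
        print(f"{pw!r:28} {label:20} space={space:<20} "
              f"p(7 tries)={success_chance_with_lockout(space, 7):.2e}")
```

With a realistic dictionary the guess spaces grow, but the ordering stays the same: a single word, a reversed word and a short word combination all sit far below a random string of the same length.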
California has recently passed a law updating their state Data Breach Notification laws. In addition to reporting those instances where financial information was breached, businesses with clients in California will have to notify instances where medical information was compromised.
Those who haven’t been following such things closely may wonder if this is truly news (and whether it can be described as “innovative,” as some people covering the issue are calling it). After all, doesn’t HIPAA cover all that stuff? I was in that camp until a couple of weeks ago. It turns out that I had made some assumptions regarding HIPAA.
What set me straight was an article in SmartMoney, which was quite lucid a read. Essentially, it was pointed out that HIPAA applies to “covered entities,” meaning health care‑related businesses such as health‑care providers, insurers, and health‑care billing services. I’m sure there are many businesses that would fall under this covered entity status.
There are many companies that aren’t or wouldn’t be, though. For example, Google and Microsoft. These two are trying to get into the personal health records business (there’s lots of controversy, including what Google may do despite their “first, do no evil” creed). However, despite the fact that they’d be handling sensitive medical information, since they’re not covered entities, they wouldn’t have to report to anyone that they had a data breach regarding health records under current HIPAA rules.
That’s not to say that they don’t have something in place for ensuring medical data security. Companies like Google and Microsoft would set up their businesses to be compliant with HIPAA, or to mirror them. But as the SmartMoney article noted, the companies can change these terms any time they want, since they usually reserve the right to change things around—including without prior notification. (I can bear witness to that. I’ve read a lot of on‑line fine print.)
For mega-titan companies like the above, I don’t worry too much about them not doing the right thing (I can already hear the snickers and snorts). My reasons are quite simple. They’ve got the money to implement good security; offer positive and negative incentives so employees follow proper security practices; and—this is the big one—they’ll be lambasted and sued for muchisimo dinero if they hide an instance of a data breach (whereas, if they alert the public, they’ll be sued for only mucho dinero). But, knowing that they’d be acting illegally by not alerting people is reassuring.
Since the California law is an extension to the original data breach notification law, I’m assuming that the new law also preempts notification if the data was on an encrypted device, such as those protected by AlertBoot.
The office of Kurt Bischoff Tax & Accounting, Inc. in Wisconsin was burglarized last week. A desktop computer got stolen. The office being what it is, there was a lot of sensitive data stored on that computer, including names, addresses, birthdates, SSNs, and bank account numbers of 600 individuals.
Was the burglar going after the computer because it contained all that data? There’s no way to know. There’s no mention on whether something other than the one computer was stolen. But this is indicative of why computers ought to be encrypted lest something happen to them. Now, Kurt will have to spend quite a bit of time getting in touch with customers who may decide not to use his services anymore. Plus, the negative publicity will probably have an effect when it comes to attracting new business.
You know, for MBA types as well as for anyone who’s had a course in statistics (and don’t let that last word make your eyes glaze over if you haven’t), there is something called expected value that is mighty useful in such instances. It’s also called expected risk by some. It’s essentially asking oneself, what are the chances of my having to shell out this much cash if the probabilities are such‑and‑such?
For example, if you have a coin toss game, and heads I win $5 and tails I lose $1, then my expected value is ((0.5) x $5) – ((0.5) x $1) = $2. In other words, in the long run, I expect to make on average $2 per toss. After 100 tosses, I’m expecting $200 in my pocket. The 0.5 represents the 50% chance of getting heads (or tails). Each chance is multiplied by the payout, be it a gain or a loss, and this total gives me an expected value—again, either a gain or a loss.
So, if I have a 1 in 10 chance of losing a computer and it is worth $1 million, then the expected loss is $100,000. Of course, the actual loss is $1 million; however, supposedly such exercises allow one to place an expected value on an outcome. For example, you could interpret the $100,000 to mean that you should set aside $100,000 every year, since in ten years you’ll have to replace that computer.
Of course, this doesn’t quite work for theft of data and information security breaches; there’s nothing to replace there. One way of using the above results, however, is to make a value comparison. Let’s say that I’ve got $1 million worth of data in that computer, and my probability of having that data stolen is 1 in 10. Then on any given year I expect to “lose” $100,000. If I can find a way to ensure that my data doesn’t get lost that costs $100,000 per year or less, then I’ve actually found a solution to my problem that is worth spending money on. The lower the price I spend on preventing the loss, the more value I’m getting out of my solution.
The hard part in the above is figuring out the probability of losing something. The easier part is hypothesizing about and calculating the various costs of a data breach—including replacement of the computer; mailing customers; setting up a toll‑free answering service for questions; sales lost to teed‑off customers; etc. The easiest part? Selecting a provider of whole disk encryption services. AlertBoot allows you to quickly and easily deploy advanced encryption services across your company, be it 10 computers or 1000 computers. And it’s a very cost‑effective solution, not only because of its cost per computer, but also because it doesn’t require the IT department to get involved directly—eliminating operational and support-related costs of the encryption program.