BlueCross BlueShield is certainly having a busy 2008.  And it’s just the beginning of the year!  A CareFirst BlueCross BlueShield dental HMO, The Dental Network, has announced that the private information, of mostly Maryland and D.C. residents, has been available on the internet for a period of two weeks.  The accident may have affected approximately 75,000 people by exposing names, addresses, and dates of birth.

Incidents like these are nothing new, and will continue to happen due to human error: move or save the contents of a sensitive file to the wrong computer directory (aka, document folder), and all of a sudden it can be found on the internet.  The principle is not unlike that of P2P software, if you’re familiar with such applications.  Most P2P software gives you exact control on which folders are available for sharing.  Share the wrong folder, and all the files in that directory can be accessed by anyone.  Likewise, a website is composed of files, which most people call web pages, within specific directories.  Drop your database file into the wrong directory and anybody on the internet can download it.

Due to the security implications, the practice of having a web server double up as a database is frowned upon; however, a lot people do this despite the risk, usually trying to save resources.  Their reasoning is usually that they’ll be extra careful; many come to regret it.

An easy solution to the problem would be file encryption.  It differs from full disk encryption in that full disk encryption scrambles any and all data found in a hard disk, whereas file encryption protects the one file only.  The latter is appropriate for those instances where a sensitive file may be copied, e-mailed, or stored on a computer connected to the internet 24/7.  This way, even if firewalls and other security measures fail, the hacker cannot read the contents of the file itself. 

Relying on encrypting individual files for protection, however, is no panacea.  Sometimes people will forget to encrypt the file.  One remedy is to encrypt all files that share a common extension, such as *.doc or *.xls.  But as some security experts point out, that’s no guarantee of safety, since the same information can often be found on temporary files created by the application—and over which endusers don’t have any control.

For the above reasons, recommendations are sometimes given to use both types of encryption solutions, disk encryption as well as file encryption, each available in AlertBoot.  This way, the data is protected even if the computer is stolen, and prevents any data breaches if a file is e-mailed to the wrong person.