AlertBoot Endpoint Security

Laptop Encryption Software: BlueCross BlueShield Breach, A Personal Take

The News-Times has interviewed one of the doctors that was affected by the recent BlueCross BlueShield (BCBS) laptop data breach.  If you'll recall, laptop encryption was not used to protect the computer (and, it was a personal laptop that got lost).

The story is that the good doctor is at risk due to the computer theft.  After all, who knows if the thief will find the files with sensitive information, and whether she'll be a victim?  Overall, the concerns in the original story are very valid, I think.

One of the notable things about this story is that BCBS actually encrypts its information.  The problem arose because authorized personnel acted against BCBS data policies and downloaded this information to a personal laptop, which shows that human behavior, and changing it, still has to be a big part of a company's data security.

There are a couple of things I wanted to comment on the story, though.

"By downloading it into the laptop, that encryption got lost."

The quote above, from The News-Times, is unfortunately a convoluted way of describing what actually happened.  Encryption doesn't get "lost."  Let me explain.

Based on the quote, it seems apparent that BCBS uses full disk encryption.  Disk encryption works by encrypting the computer's hard drive (the place where your files are stored) as a whole: every sector written to the drive is stored in encrypted form, and every sector read back is decrypted on the fly once the drive has been unlocked.

Let me point out the distinction: the individual files are not encrypted as files; it's the hard drive that's encrypted.  And, because the hard drive is encrypted, any files saved to that hard drive are stored in encrypted form as well, but only for as long as they sit on that drive.

Consequently, if any files are copied off of that encrypted hard drive (to a USB stick, an e-mail attachment, or a personal laptop), the copies are plaintext: the operating system decrypts the data as it reads it, and the destination receives the readable version.  It looks like the encryption on the files was lost, but in reality there never was any encryption on those files to begin with. (The technical explanation is more involved, but this gets to the gist of how things work.)

Why is it important to note this difference?  Because file encryption exists as well.  With file encryption the file itself is the ciphertext, so it doesn't matter where that file is copied to: it remains encrypted, and only someone holding the key can open it.  (One caveat: whoever holds the key can still decrypt it and save a plaintext copy, so file encryption reduces the damage from a policy violation like this one; it does not make the policy unnecessary.)

Why use one over the other?  There can be many reasons, but generally drive encryption works very well if you have to guard many files stored on a single computer or server that could be lost or stolen, because nothing depends on a user remembering to encrypt the right files.  Its limitation is the one above: it protects data at rest on that drive, not data that has been copied off it.  Overlapping the use of file encryption and disk encryption is not unheard of, precisely to close that gap.
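To make the distinction concrete, here is an added example (written for this post, not AlertBoot's product code or anything BCBS runs).  It models a full-disk-encrypted drive that decrypts every read transparently, so a file copied off it by a logged-in user comes out as plaintext, and contrasts that with encrypting the file itself, where the copy stays ciphertext and a wrong key is rejected.  The cipher inside is an assumption for demonstration only: HMAC-SHA256 used as a counter-mode keystream plus an encrypt-then-MAC tag, chosen so the code runs on the Python standard library; a real deployment would use a vetted AEAD such as AES-GCM.  The sample record is constructed and not real data.

```python
import hashlib
import hmac
import os

# Demonstration cipher (an assumption, not the product's): HMAC-SHA256 run as a
# PRF in counter mode produces the keystream; a second HMAC over
# nonce || ciphertext authenticates the result (encrypt-then-MAC).  It stands in
# for a library AEAD such as AES-GCM so this runs with the standard library
# alone; use a vetted cipher for anything real.
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate PRF(enc_key, nonce || counter) blocks, truncated to length."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; useless to anyone without `key`."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class FullDiskEncryptedDrive:
    """Model of a full-disk-encrypted drive: sectors on the platter are
    ciphertext, but once unlocked every read through the file system is
    decrypted transparently, which is why a copy made by a user is plaintext."""

    def __init__(self, disk_key: bytes):
        self._key = disk_key
        self._platter = {}

    def save(self, name: str, data: bytes) -> None:
        self._platter[name] = encrypt_blob(self._key, data)

    def open(self, name: str) -> bytes:
        """What any program, including a copy command, receives."""
        return decrypt_blob(self._key, self._platter[name])

    def raw_sectors(self, name: str) -> bytes:
        """What a thief sees by reading the locked drive directly."""
        return self._platter[name]


# Constructed sample record for the demonstration; not real data.
RECORD = b"provider=Jane Doe, MD;tax_id=000-00-0000;address=1 Example St"


def fde_copy_is_plaintext() -> bool:
    """Disk encryption protects the drive at rest, not a file copied off it."""
    drive = FullDiskEncryptedDrive(os.urandom(32))
    drive.save("providers.csv", RECORD)
    hidden_at_rest = RECORD not in drive.raw_sectors("providers.csv")
    copy_on_personal_laptop = drive.open("providers.csv")  # plaintext
    return hidden_at_rest and copy_on_personal_laptop == RECORD


def file_encryption_survives_copy() -> bool:
    """File encryption makes the file itself ciphertext, so copies stay protected."""
    file_key = os.urandom(32)
    protected = encrypt_blob(file_key, RECORD)
    copy_on_personal_laptop = bytes(protected)  # still ciphertext
    return (RECORD not in copy_on_personal_laptop
            and decrypt_blob(file_key, copy_on_personal_laptop) == RECORD)


def wrong_key_is_rejected() -> bool:
    """Whoever finds the laptop but lacks the key gets an error, not data."""
    protected = encrypt_blob(os.urandom(32), RECORD)
    try:
        decrypt_blob(os.urandom(32), protected)
    except ValueError:
        return True
    return False
```

Running the three check functions returns True for each: the drive's raw sectors never contain the record, the copy taken through the file system is the readable record, and the file-encrypted copy remains unreadable anywhere it lands unless the file key travels with it.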

"...they don't care if the information gets lost."

Corporations are usually, in my opinion, cold and heartless.  But I don't believe that they "don't care" if sensitive information gets lost.  They've got many reasons to care.

For one, there are the legal headaches they have to deal with, state and federal (HIPAA being one of them).

There's the possible (probable?) threat of lawsuits from the affected.

Also, the credit monitoring.  With over 800,000 doctors affected, one year's worth of credit monitoring doesn't come at a cheap price for the HMO (assuming it costs them $5 per person, thanks to incredibly reduced rates, it would still cost them $4 million).

There's also the--perhaps unrealistic--fear that doctors will decide to stop being BlueCross BlueShield providers after this incident (unrealistic because BCBS is the biggest such network.  There's a reason why roughly 90% of physicians nationwide are providers.  On the other hand, ID fraud, if it happens, could be a very strong motivator).

Plus, if the company really didn't care, my guess is the company wouldn't have used encryption software at all.

Related Articles and Sites:
http://www.newstimes.com/latestnews/ci_13681131
http://biz.yahoo.com/ic/40/40067.html


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.