Providence Hospital, in Southfield, Michigan, has mailed breach notification letters to an undisclosed number of patients. An external hard drive used for backup purposes went missing in February of this year; there is no word on whether data encryption software like AlertBoot was used to protect the contents.
As hospital breaches go, this one appears to be pretty...mild. While there is very little to go on, it has been revealed that the breached information contained the Social Security numbers of 12 patients, who are offered one year of credit monitoring.
The number of patients affected seems very low. Why? Did the hospital engage in data redaction, deleting any information that was deemed unnecessary after particular tasks? Or perhaps they used encryption software to encrypt a partition, and the 12 patients in question had their files saved outside of that secure zone?
The accompanying video report, however, paints a slightly different picture. First off, the hard drive went missing from a locked office suite, which, as far as I know, is in compliance with HIPAA: as long as the sensitive data is in a locked and secure environment, it's considered to be "safe." (Apparently, breaking and entering is not cause for concern? Encryption is not required, only recommended as a complementary aid to a locked environment.)
The reporter also shows us a copy of the breach notification letter, and points out that the missing drive may have contained names, medical record numbers, and/or clinical information. Also mentioned is that the addresses and phone numbers of some employees were present, as well as proprietary business information. Discipline was imposed, but the hospital was vague on details.
This probably explains why the number of affected patients is so low: the hard disk was used in an office setting, not a medical one, and the contents of the external drive reflect this. One does not expect to find employee and "proprietary business" information in a strictly medical setting. The presence of patient data may have been for claims processing or such.
One of the things that surprised me about the story is the comments section. One commentator noted that a "techie guy" he knows "busted several truecrypt files as well as more advanced stuff than that. Longest time so far... 25 minutes" and implied that encryption was useless.
Of course, that sounds ridiculous; I found myself loudly proclaiming "BS!" in my office. While TrueCrypt has its strengths as well as limitations--for one, the logistics to deploy it as the encryption measure across hundreds of computers in an office environment are mind-boggling; the other, there's barely any support, although technically-oriented people will disagree with that statement--it is as good an encryption software package as its for-pay rivals (yes, including our own solution, AlertBoot).
Except that it doesn't feature rate limiting for incorrect password guesses. And that's when it clicked: technically, the weakest part of any encryption application is the password. While attempting to guess the encryption key is a foolish act, brute-forcing the password is an often successful endeavor.
What's a rate limit? That's when you limit how often you can enter a password when the previous attempt was a wrong one. For example, for the first three wrong attempts, perhaps the encryption software instantaneously checks the password to see if it's valid. But the fourth attempt is delayed by 2 seconds, the fifth by 5 seconds, the sixth by 10 seconds, the seventh by 20 seconds, and so on. Soon enough, you can only enter one password per minute, dashing any hopes of guessing the correct password any time soon.
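The schedule described above, written out as an added example (not code from AlertBoot, TrueCrypt or any other product). The doubling after the seventh attempt, the 60-second cap, and the `ThrottledVerifier` class are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Schedule from the text: attempts 1-3 are immediate, then 2, 5, 10, 20 s.
SCHEDULE = {4: 2, 5: 5, 6: 10, 7: 20}
CAP_SECONDS = 60  # ASSUMPTION: "and so on" = keep doubling, capped at 60 s


def delay_before(attempt: int) -> int:
    """Seconds that must pass after the previous wrong guess."""
    if attempt <= 3:
        return 0
    return SCHEDULE.get(attempt) or min(CAP_SECONDS, 20 * 2 ** (attempt - 7))


def seconds_to_try(guesses: int) -> int:
    """Minimum wall-clock time needed to submit `guesses` wrong passwords."""
    return sum(delay_before(n) for n in range(1, guesses + 1))


class ThrottledVerifier:
    """Hypothetical password check that enforces the schedule above."""

    def __init__(self, password: str, clock):
        self._salt = os.urandom(16)
        self._digest = self._derive(password)
        self._clock = clock  # injectable so the check can be tested without sleeping
        self._failures = 0
        self._last_failure = None

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def retry_after(self) -> float:
        if self._last_failure is None:
            return 0.0
        wait = delay_before(self._failures + 1)
        return max(0.0, self._last_failure + wait - self._clock())

    def attempt(self, guess: str) -> str:
        if self.retry_after() > 0:
            return "throttled"  # rejected without testing the guess
        if hmac.compare_digest(self._derive(guess), self._digest):
            self._failures, self._last_failure = 0, None
            return "ok"
        self._failures += 1
        self._last_failure = self._clock()
        return "wrong"
```

Under these assumptions, 1,000 wrong guesses take at least 59,597 seconds, about 16.5 hours. The delay only binds where every guess has to pass through the component that enforces it, so password strength still matters in every other case.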
Obviously, not all disk encryption packages are created equal. Had the commenter's techie guy friend faced up against AlertBoot, some people might be singing a different tune. The truth is that encryption works; but as with any security tool, you've got to go with something that also shores up any inherent weaknesses. Or, at least pick a better password (always recommended, rate limiting or not).
Related Articles and Sites:
http://www.clickondetroit.com/health/23070110/detail.html
http://www.clickondetroit.com/video/23071691/index.html