There certainly seems to be an odd influx of breach stories related to archives this week. Health services at the University of Maine have reported the breach of medical information for nearly 5,000 students. It's a situation that could have been easily prevented by having the appropriate policies and security tools, like data encryption software.
The breach was discovered when staff at the UMaine Counseling Center noticed that their computers were running slow. An investigation showed that they had been hacked. Unfortunately, the computers contained databases with names, SSNs, and clinical information for 4,585 students who visited the counseling center between 2002 and 2005.
A second computer was hacked later, which contained an active database.
As I often mention, there is only so much that encryption can do. In the above example, an active database was involved. Now, it's possible to encrypt such a database, which would have protected the students' information if the database file were downloaded wholesale.
However, being an active database, at some point someone has to enter a password to access the data, and an attacker who already controls the machine can capture that password with a keystroke logger or simply read the records once a legitimate user has unlocked them. The only way to protect the active database would have been to ensure that UMaine's computers were not hacked in the first place.
This, however, is not necessarily so with the archived information. There are many reasons for archiving information, but it's usually because it's not used but needs to be kept around. While the danger of gaining a password via a key logger still exists, it's much lower than what would be expected for an active database.
UMaine should have run that archive through some kind of file encryption program, such as AlertBoot, which uses AES-256 based encryption, before storing it, with the passphrase or key kept somewhere other than the machine holding the archive. A key sitting next to the encrypted file is available to the same intruder.
Related Articles and Sites:
http://www.sunjournal.com/state/story/870870
The loss of seven CDs means a medical data breach for over 130,000 people who've visited Lincoln Medical and Mental Health Center in New York. The CDs were not protected using disk encryption software, a terrible move, since this seems to qualify as a HIPAA breach.
The information that was breached, sometime between March 16 and March 24, included protected health information as well as personal information:
"...name, address, social security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly a driver's license number if provided." [computerworld.com]
Lincoln, as the "owner" of the data, was responsible for ensuring the safety of the data, and hence the notification letters on their letterhead. In reality, the breach was set off by Siemens Medical Solutions USA (Siemens), the billing and claims processor for Lincoln.
It was Siemens that had shipped the seven CDs (although one would have been enough: these were "seven duplicate compact disks," so I assume the contents of all seven were the same). When they shipped the CDs to Lincoln, Siemens opted for password-protection rather than something more secure like managed data encryption.
Which is unbelievable. As a medical billing company (their name is Siemens Medical Solutions USA, and they were working as a claims processor), they handle PHI on Lincoln's behalf as a HIPAA business associate, and must have known that HIPAA obligations follow that data.
While HIPAA has never required encryption (the latest HITECH updates to HIPAA still don't make it a requirement), the Security Rule lists it as an "addressable" specification: a covered entity has to consider it first and may set it aside only if it documents other adequate security measures. HITECH also adds a strong incentive: PHI that was encrypted in line with HHS guidance is not "unsecured," and losing it does not trigger notification letters at all.
Last time I checked, a FedEx envelope doesn't come with such security measures. So what's Siemens doing sending this stuff without the proper protection in place?
I'm assuming that sending the information in unencrypted format was not a one-time mistake because that would be one heck of a coincidence: CDs are lost the one time someone sends unencrypted PHI? No way.
The more probable situation is that Siemens always sent these weekly shipments to Lincoln in an unencrypted form. Which means the blame for the breach falls squarely on both, since Lincoln had a chance, on a weekly basis, to request the information be sent the right way. Right?
Maybe. The problem with password-protection is that, in many cases, it looks exactly like encryption to the end user: there's a password prompt. In other words, the people who received the CDs couldn't be blamed for assuming they were dealing with encrypted patient information. The difference only shows when someone who doesn't know the password tries to read the disk: a password check that merely hides the data can be bypassed or cracked, while strong encryption leaves nothing readable without the key.
Lincoln's notification letter ends noting that they've stopped the transportation of CDs from Siemens, and that they're looking into a "more secure manner" to receive the information.
If there are any significant holes in their process, well, go ahead and update it. But if not (I mean, with the exception of sending unencrypted PHI), significant changes may actually introduce new weaknesses.
I might be a little biased in what I'm suggesting here, but why not just use encryption before burning the information onto the CDs? It keeps the billing process identical to what they had before. You just need to have someone at Siemens use an encryption package like AlertBoot instead of whatever they're using now to create password-secured CDs.
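As an added example (not AlertBoot's code, and not anything the posts describe), the following Go program does what both the UMaine archive post above and this CD post call for: it encrypts a file's contents under a key derived from a passphrase before the file is archived or burned to disc, and it refuses to open anything that is not in its own container format, so a plain or "password-protected" file cannot be mistaken for an encrypted one. It uses AES-256-GCM from the Go standard library; the PBKDF2 routine, the container layout and the "ENC1" tag are assumptions made for this example, not a standard or any product's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout (hypothetical, for this example only):
//   magic(4) || iterations(4, big-endian) || salt(16) || nonce(12) || AES-256-GCM ciphertext+tag
const (
	magic    = "ENC1"
	saltLen  = 16
	nonceLen = 12
	keyLen   = 32 // AES-256
	hdrLen   = len(magic) + 4 + saltLen + nonceLen
	maxIter  = 1 << 24 // refuse absurd counts from a tampered header
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, written out
// here so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a key derived from passphrase. The header is
// bound as additional data, so altering the salt, nonce or iteration count is
// detected at Open time instead of silently yielding garbage.
func Seal(plaintext, passphrase []byte, iterations int) ([]byte, error) {
	if iterations < 1 || iterations > maxIter {
		return nil, errors.New("iteration count out of range")
	}
	header := make([]byte, hdrLen)
	copy(header, magic)
	binary.BigEndian.PutUint32(header[4:8], uint32(iterations))
	if _, err := rand.Read(header[8:]); err != nil { // fresh salt and nonce
		return nil, err
	}
	salt, nonce := header[8:8+saltLen], header[8+saltLen:]
	aead, err := newGCM(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, header)
	return append(header, ct...), nil
}

// Open reverses Seal. Anything without the magic tag is rejected outright: a
// "password-protected" ZIP or a plain file must never pass for this format.
func Open(blob, passphrase []byte) ([]byte, error) {
	if len(blob) < hdrLen || string(blob[:4]) != magic {
		return nil, errors.New("not an encrypted container")
	}
	iterations := int(binary.BigEndian.Uint32(blob[4:8]))
	if iterations < 1 || iterations > maxIter {
		return nil, errors.New("iteration count out of range")
	}
	salt, nonce := blob[8:8+saltLen], blob[8+saltLen:hdrLen]
	aead, err := newGCM(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, blob[hdrLen:], blob[:hdrLen])
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed stand-in for a weekly billing export; not real patient data.
	export := []byte("patient_id,name,ssn,diagnosis\n1001,Jane Doe,000-00-0000,Z00.0\n")
	passphrase := []byte("long passphrase delivered out of band, not in the envelope with the disc")
	blob, err := Seal(export, passphrase, 200000)
	if err != nil {
		panic(err)
	}
	back, err := Open(blob, passphrase)
	if err != nil || !bytes.Equal(back, export) {
		panic("round trip failed")
	}
	_, err = Open(blob, []byte("guess"))
	fmt.Printf("sealed %d bytes into %d; wrong passphrase -> %v\n", len(export), len(blob), err)
}
```

The passphrase has to travel separately from the disc (a phone call, a pre-shared value in the contract), otherwise the FedEx envelope is again the only protection. The iteration count is stored in the header so the recipient needs nothing but the passphrase, and it is authenticated along with the salt and nonce so a tampered header fails closed.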
Related Articles and Sites:
http://www.computerworld.com.au/article/351659/new_york_hospital_loses_data_130_000_via_fedex/?eid=-6787
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
http://www.nyc.gov/html/hhc/lincoln/downloads/pdf/lincoln-security-notice-2010-06-eng.pdf
One of the main principles of data security is that, if you don't need a particular data set anymore, you're supposed to get rid of it, especially if you're dealing with sensitive information. Think about it: if you don't need it, you're taking the risk of having it breached without expecting any benefits.
On the other hand, if you do need it--regardless of the reason why, including federal requirements that say you're supposed to keep it for a set period--then it stands to reason you need to protect that information (and, when it comes to storing digital data, you'll need a solution like AlertBoot's data encryption). Hence, one of the main storage media that require encryption would be backup tapes.
University Hospital in Augusta, GA found this out the hard way when they had to notify nearly 13,000 patients of a data breach judged to be low risk: a backup tape, about the size of two dominoes, went missing. It was one of two tapes created in April 2008.
The tape was actually lost by an off-site data storage vendor, Augusta Data Storage, Inc. While I can't say what type of security they had in place, based on the story and the commentary following it, it sounds like Augusta Data Storage runs a top-notch business.
Regardless, the honest truth about data breaches is that they're never really expected. Just like car accidents are a reality of life, but you can sail through life without ever being involved in one, we know that data breaches will occur, but whether it will happen to one of us, specifically--well, there's just no way to know.
Which is why if you drive, you automatically need car insurance, and if you store large amounts of patient data, you automatically should require encryption software whenever any data goes into semi-permanent storage, regardless of what physical security might be present.
Related Articles and Sites:
http://chronicle.augusta.com/news/metro/2010-06-25/university-hospital-rectify-data-breach?v=1277425774
The BBC reports that 24,369 UK citizens were affected by the theft of a laptop computer belonging to an employee of A4e, a training company. While the associated risk is low, people are being notified as a precaution. It goes without saying that the use of full disk encryption software like AlertBoot would have been a better choice over waiting for a breach to occur...but then, how do you control employees who won't follow policies?
The laptop was stolen from the employee's home. It was a personal computer, and contained names, postcodes, dates of birth, and court awards to customers of Community Legal Advice Centers operated by A4e.
Isn't that ironic? Releasing data breach notification letters is essentially an admission that the law was not followed, and here we have a company that offers legal advice sending their own notification letters. Of course, the incident speaks less about A4e's incompetence and more about the difficulty in controlling employee behavior.
What prompted the employee to save such information to his laptop? A4e is "examining how its data security procedures were breached so it can ensure it does not occur again." The problem with such an action is that the next breach is not going to be like this one. On the other hand, it will most definitely involve an employee that didn't follow the rules.
Employees need to be monitored. This does not mean tracking every minutia of employee behavior. Rather, a plan must be put in place to ensure that security objectives are being met. In other words, don't keep track of what Jane and Bob are doing; keep track of where that sensitive file is going (this way, you also fend off accusations of being Orwellian and Big Brother-y).
Likewise, you must do the same to ensure that your data protection tools are working. For example, we have a laptop encryption audit report built right into AlertBoot. This is expressly so you, or an administrator, can keep track of which computers are protected.
If you have one computer that requires protection, you don't really need this report. If you have 25 computers or more, you might see the importance of such a report, especially if you're routinely monitoring and running checks, which will allow you to head off any potential problems.
For example, there is encryption software out there that can be turned off by employees...which some do. This is not a problem for AlertBoot, since encryption can only be uninstalled by an administrator (of course, regardless, you still need to run checks and audits, which is why the reporting engine comes in handy); however, you can see why a report that updates itself on encryption statuses would be handy for the more "liberal" encryption software out there.
Which I don't understand in the first place. I mean, isn't one of the more valid reasons for the deployment of disk encryption programs the fact that employees don't follow the rules? What's the use of using encryption software that can be turned off by these same employees?
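An added example, not a feature of AlertBoot's report or its export format: a small Go program that reads a constructed console export (hostname, encrypted, agent present, last check-in) and lists every device that cannot be counted as protected. The field layout and hostnames are invented for the example. The one design point worth copying is that a device which has stopped checking in is reported as unknown rather than trusted on its last good status, since a stolen laptop stops reporting too, and an agent the user has removed is a failure even if the disk was encrypted last month.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Device is one endpoint's last report to the encryption management console.
// The record layout is an assumption for this example, not any product's schema.
type Device struct {
	Hostname  string
	Encrypted bool      // disk reported fully encrypted at last check-in
	AgentOn   bool      // encryption agent present and enabled
	LastSeen  time.Time // time of last check-in
}

// Finding names a device that cannot be counted as protected, and why.
type Finding struct {
	Hostname string
	Reason   string
}

// sampleReport is a constructed console export: hostname,encrypted,agent_on,last_seen.
var sampleReport = []string{
	"lap-001,true,true,2010-06-28T09:00:00Z",
	"lap-002,false,true,2010-06-28T08:30:00Z", // encryption never completed
	"lap-003,true,false,2010-06-28T07:00:00Z", // user removed the agent
	"lap-004,true,true,2010-05-01T12:00:00Z",  // silent for weeks
	"lap-005,true,true,2010-06-27T23:00:00Z",
}

// ParseReport turns export lines into Devices, rejecting malformed rows rather
// than skipping them: a row you cannot read is a device you cannot vouch for.
func ParseReport(lines []string) ([]Device, error) {
	devices := make([]Device, 0, len(lines))
	for n, line := range lines {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		enc, err1 := strconv.ParseBool(f[1])
		agent, err2 := strconv.ParseBool(f[2])
		seen, err3 := time.Parse(time.RFC3339, f[3])
		if err1 != nil || err2 != nil || err3 != nil {
			return nil, fmt.Errorf("line %d: unparseable field", n+1)
		}
		devices = append(devices, Device{f[0], enc, agent, seen})
	}
	return devices, nil
}

// Audit lists every device that is not verifiably protected as of now. A
// device silent for longer than maxAge is reported as unknown instead of being
// trusted on its stale status.
func Audit(devices []Device, now time.Time, maxAge time.Duration) []Finding {
	var out []Finding
	for _, d := range devices {
		switch {
		case now.Sub(d.LastSeen) > maxAge:
			age := now.Sub(d.LastSeen).Round(time.Hour)
			out = append(out, Finding{d.Hostname, "no check-in for " + age.String() + "; status unknown"})
		case !d.AgentOn:
			out = append(out, Finding{d.Hostname, "encryption agent disabled or removed"})
		case !d.Encrypted:
			out = append(out, Finding{d.Hostname, "disk not fully encrypted"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Hostname < out[j].Hostname })
	return out
}

// Coverage is the fraction of the fleet that passes Audit.
func Coverage(devices []Device, now time.Time, maxAge time.Duration) float64 {
	if len(devices) == 0 {
		return 0
	}
	return float64(len(devices)-len(Audit(devices, now, maxAge))) / float64(len(devices))
}

func main() {
	devices, err := ParseReport(sampleReport)
	if err != nil {
		panic(err)
	}
	now := time.Date(2010, 6, 28, 12, 0, 0, 0, time.UTC) // fixed "now" so the run is reproducible
	for _, f := range Audit(devices, now, 7*24*time.Hour) {
		fmt.Printf("%-8s %s\n", f.Hostname, f.Reason)
	}
	fmt.Printf("verified coverage: %.0f%%\n", 100*Coverage(devices, now, 7*24*time.Hour))
}
```

Run on a real export, the interesting number is not the coverage figure but the "status unknown" list: those are the machines that have either been lost already or have had the agent silenced, and either way nobody can say they are encrypted.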
Related Articles and Sites:
http://news.bbc.co.uk/2/hi/england/humberside/10453067.stm
The FBI was unable to break TrueCrypt encryption, according to the Brazilian police. It's the saga of one Daniel Dantas, a Brazilian banker who was eventually arrested on charges of bribing a police officer. He got ten years and a $5 million fine. Who knows what would have happened if hard disk encryption like AlertBoot was not as effective at keeping secrets?
Before Dantas became an inmate, he was a banker and financier. He had done post-graduate work at MIT, and eventually ended up controlling a holding company with an estimated worth of $11.3 billion. He also controlled several other businesses, including the largest cattle producer in Brazil.
As the robber barons of yesteryear show, great successes generally tend to have great minds behind them, with practices that border on the criminal, especially in countries where corruption is a way of life. In Dantas's case, it turns out he made a run for that border, crossed it, and never looked back.
The banker was originally arrested for money laundering, tax evasion, and embezzling public pension funds as part of Brazil's largest corruption case to date. There were also accusations of "fraudulent management, debt evasion, [and] formation of gangs."
Why the innocuous-sounding (in comparison) charge of bribing a police officer? The big stories hit the news in 2008, so I'm not able to find any sources that are not behind a paywall, but I'm assuming that it's a play straight from the Al Capone book: because no other charges will stick. I mean, Capone eventually did time because of tax evasion: all other charges were dropped.
Perhaps the contents of five external hard drives that were protected with portable disk encryption software--found in a closet at Dantas's home--could have made the other charges stick. Two of them made use of TrueCrypt while the other three were protected with PGP, competitors to AlertBoot.
The Brazilian federal police worked on cracking the encryption software for two and a half months without success (some reports claim it was five months). At that point, the FBI was consulted. The FBI worked on it for a year and called it quits. Both the Brazilian feds and their American counterpart attacked the one weak link in encryption: the password.
Generally, the password tends to be the weakest link, even with the best encryption packages in the world, because people generally choose weak passwords: the attacker doesn't search the 256-bit key space, just the far smaller space of likely passwords. Not so in this case, which is hardly surprising. I mean, the guy did time as an MIT post-grad.
I've often remarked that, given enough time, any encryption software will fall: this is just common sense. With strong encryption like AES, though, that time is not counted in years or even centuries; a brute-force search of a 256-bit key space is so far beyond any conceivable computing budget that the number is essentially meaningless. (Incidentally, it was AES-256, which we use by default in our AlertBoot disk encryption software, that Dantas used on his hard drives.)
However, I was presented with a factoid that turns the above observation on its head: theoretically, it is possible for strong encryption to never be broken. The reasoning, a version of the thermodynamic argument in Bruce Schneier's Applied Cryptography, goes like this: breaking computer encryption requires the use of another computer. That computer requires energy to run its software, and physics puts a floor on the energy each step of a computation needs. There is a finite amount of energy in the universe. Make the encryption key random and long enough, and at some point you hit that finite amount of energy.
Interesting, no? Of course, you could save the energy in the universe and point a gun at some guy's head and encryption is "broken" when he spits out the password. Of course, that kind of stuff is not going to happen to politically-connected billionaires who make the news.
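An added back-of-the-envelope calculation (mine, not from the post or from AlertBoot) for the two points above: why the password rather than the cipher is what investigators attack, and how the energy argument works out in numbers. It assumes an attacker testing a billion candidates per second, which is a round number rather than a measured figure, and it uses Landauer's limit (kT ln 2 per irreversible bit operation) at the temperature of the cosmic microwave background, the coldest heat sink available for free. The Landauer figure only prices stepping a counter through every key, not running AES on each one, so it is a floor.

```go
package main

import (
	"fmt"
	"math"
)

// Physical constants and assumed attacker parameters used below.
const (
	secondsPerYear   = 365.25 * 24 * 3600
	boltzmann        = 1.380649e-23 // J/K
	cmbTemperature   = 2.725        // K; nothing in the universe runs cooler for free
	sunLuminosity    = 3.828e26     // W
	sunLifetimeYr    = 1.0e10       // roughly the Sun's main-sequence lifetime
	assumedGuessRate = 1e9          // PRF evaluations per second; an assumption, not a measurement
)

// EntropyBits is log2 of the number of strings of the given length drawn
// uniformly from an alphabet of the given size.
func EntropyBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// YearsToExhaust is the time to try all 2^bits candidates when the attacker
// evaluates rawGuessesPerSecond PRF calls per second and each candidate costs
// stretchIterations calls (the PBKDF2 iteration count). Stretching multiplies
// the attacker's bill by the iteration count; it adds no entropy.
func YearsToExhaust(bits, rawGuessesPerSecond float64, stretchIterations int) float64 {
	effectiveRate := rawGuessesPerSecond / float64(stretchIterations)
	return math.Exp2(bits) / effectiveRate / secondsPerYear
}

// LandauerJoules is the least energy needed merely to step a counter through
// 2^bits states at the given temperature, at kT*ln2 per irreversible bit
// operation (Landauer's limit).
func LandauerJoules(bits, temperatureK float64) float64 {
	return math.Exp2(bits) * boltzmann * temperatureK * math.Ln2
}

// SunLifetimeJoules is everything the Sun radiates over its lifetime.
func SunLifetimeJoules() float64 {
	return sunLuminosity * sunLifetimeYr * secondsPerYear
}

func main() {
	pw := EntropyBits(95, 8) // eight characters from the 95 printable ASCII characters
	fmt.Printf("8-char password: %.1f bits\n", pw)
	fmt.Printf("  unstretched, %.0e guesses/s: %.2g years\n", assumedGuessRate, YearsToExhaust(pw, assumedGuessRate, 1))
	fmt.Printf("  PBKDF2 x100000:                %.2g years\n", YearsToExhaust(pw, assumedGuessRate, 100000))
	fmt.Printf("random 256-bit key, same rate:   %.2g years\n", YearsToExhaust(256, assumedGuessRate, 1))
	fmt.Printf("energy just to count to 2^256 at %.3f K: %.2g J\n", cmbTemperature, LandauerJoules(256, cmbTemperature))
	fmt.Printf("Sun's entire lifetime output:            %.2g J\n", SunLifetimeJoules())
}
```

The stretched password comes out at tens of thousands of years at this rate, which sounds safe until the attacker adds hardware or the passphrase turns out to be in a wordlist; the 256-bit key comes out at ten to the sixtieth years, and counting through it would take ten orders of magnitude more energy than the Sun emits in its lifetime. That gap is why the investigators went after Dantas's passwords and not his cipher.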
Related Articles and Sites:
http://g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html
http://yro.slashdot.org/comments.pl?sid=1699588&cid=32704358
http://www1.folha.uol.com.br/folha/brasil/ult96u447378.shtml
http://g1.globo.com/politica/noticia/2010/06/nem-fbi-consegue-decifrar-arquivos-de-daniel-dantas-diz-jornal.html
http://www.cipamericas.org/archives/1718
A new survey has found that 26% of the UK's small and medium businesses consider data security to be a low priority. It's not that they're unaware of the dangers; however, it looks like their knowledge of what's at stake isn't enough for them to realistically consider using data security tools like AlertBoot's hard disk encryption software program.
The survey has some eye-popping results:
- 78% are concerned that data theft could negatively affect their business
- 11% have lost revenue due to data loss
- 12% have lost "competitively sensitive material"
- 50% of Northern Ireland SMBs rank security as their top priority
- None of North East SMBs rank security as their top priority
- 38% rely on passwords to protect their laptop information (they really should opt for laptop protection)
- 50% manage their IT systems without outside, specialized help
I started off the blog by noting that the SMBs knew about the dangers of having weak data protection in place. Perhaps not.
Isn't it quite telling that 78% are concerned about data theft and that 26% are not at all? Add those two up, and you've got 104%, and with most well-developed surveys having a margin of error of approximately 3%...well, it gets me thinking.
What also gets me thinking is, "what's going on in the North East?" Why are none of the SMBs concerned about data security at all? According to an on-line map, Pictures of England dot com, the North East is composed of Northumberland, Tyne and Wear, Durham, and Cleveland.
If I were an optimist, I'd imagine it was because they had rock-solid data security in place. (The descriptions of these places certainly are tranquil. Maybe they don't have any crime to speak of?)
As Mark Twain noted, "there are lies, damned lies, and statistics." Statistics can't give you the whole picture, but it's usually telling once a good number of elements are counted.
One telling stat is that about 10% of SMBs (11%, per the survey) have experienced revenue loss due to data breaches.
As far as I can tell, that's not "10% of SMBs that have experienced a data breach also experienced a revenue loss": that would imply that, if 25% of all small and medium businesses experienced a breach, a total of 2.5% of companies saw loss of revenue. Nope, in this case, 10% of SMBs from the total count lost revenue.
Ten percent of a total is HUGE. I know of definitions for the word "epidemic" that involve much lower rates. Heck, an illness that hit 10% of the population would be front-page news. Most people's top priority, when sick, is seeing a doctor and getting cured.
Why the discord when it comes to data breaches?
At least, I'm encouraged with the 78% figure. This means that people are willing, but as the "38% rely on passwords only" and "50% manage their own IT" stats show, there is a possibility SMB owners are not quite aware what data security entails.
Related Articles and Sites:
http://security.cbronline.com/news/security-least-business-priority-for-quarter-of-uk-smbs-survey_250610