First Advantage Tax Consulting Services (TCS) has alerted the New Hampshire Attorney General that an employee misplaced a laptop during an airport layover. Whether laptop encryption software was used is not mentioned, although a complex password was used, which was changed remotely (to something even more complex?).
While the ability to change complex passwords remotely is impressive, it doesn't exactly offer security unless that password is tied to encryption software. It's already pretty well known by anyone who's willing to look it up that the use of password-protection only can be bypassed in a number of ways. And, you don't have to be a brain surgeon to use them. On the other hand, the use of encryption is proven to provide security (not total security until the end of the time, but pretty good enough to last a lifetime). Plus, consider the following in AlertBoot endpoint encryption: Able to change passwords remotely, from an internet-based central management console. Features password rate limiting, so each incorrect password locks up the ability to try entering a password in increasing periods (2 minutes, 4 minutes, 8, 16, and so on). This way, brute force password guesses aren't effective. Locking out from entering passwords after so-many wrong attempts (10 attempts is usually used). Passwords can be deleted, forcing a would-be hacker to guess the encryption key, a significant hurdle over guessing the password (which tends to be easier to guess). Most of the above are not featured, for example, in your Windows OS password-protection. And, again, even if they were, you could just bypass it if you wanted to.
While the ability to change complex passwords remotely is impressive, it doesn't exactly offer security unless that password is tied to encryption software. It's already pretty well known by anyone who's willing to look it up that the use of password-protection only can be bypassed in a number of ways. And, you don't have to be a brain surgeon to use them.
On the other hand, the use of encryption is proven to provide security (not total security until the end of the time, but pretty good enough to last a lifetime). Plus, consider the following in AlertBoot endpoint encryption:
Most of the above are not featured, for example, in your Windows OS password-protection. And, again, even if they were, you could just bypass it if you wanted to.
In the copy of the letter to be sent to 32,842 people, TCS notes that "because the security of your information and peace of mind are important to us, we are offering one free credit report and 12 months of one bureau credit monitoring." That's good (not great--most people would prefer not having had the breach in the first place); however, I've been thinking about this, and...well, does it really offer peace of mind? Many companies, not only TCS, make similar offers for purportedly similar reasons. I, however, am not sure I would gain peace of mind because I'm signed up for such services. For example, wouldn't I kind of dread opening those credit report letters? Who knows what this month will bring? That kind of thinking is not something I would consider peace of mind. Of course, having such services is better than not having them...but peace of mind? I guess that depends on your point of view.
In the copy of the letter to be sent to 32,842 people, TCS notes that "because the security of your information and peace of mind are important to us, we are offering one free credit report and 12 months of one bureau credit monitoring."
That's good (not great--most people would prefer not having had the breach in the first place); however, I've been thinking about this, and...well, does it really offer peace of mind?
Many companies, not only TCS, make similar offers for purportedly similar reasons. I, however, am not sure I would gain peace of mind because I'm signed up for such services. For example, wouldn't I kind of dread opening those credit report letters? Who knows what this month will bring? That kind of thinking is not something I would consider peace of mind.
Of course, having such services is better than not having them...but peace of mind? I guess that depends on your point of view.
Related Articles and Sites:http://doj.nh.gov/consumer/pdf/reed_smith.pdfhttp://www.databreaches.net/?p=12784
Montefiore Medical Center has announced two incidents of computer theft. It was revealed that password-protection was used in both cases, but whether disk encryption was present was not mentioned. The latter provides security; the former not so much.
There were two burglaries, affecting five computers in total. In the first, two desktop computers were stolen from the finance department around May 22. Patient names, medical records numbers, and, in some cases, SSNs, dates of birth, and insurer information was included. In the second, three desktop computers were stolen around June 9 from Montefiore's School Health Program administrative offices. They included student names, dates of birth, medical record numbers, guardian contact numbers, and whether the student has a SSN (not the actual SSN itself, but whether a student actually has one). As mentioned before, all computers were password-protected. However, as I've covered before, password-protection doesn't provide protection. It really doesn't live up to its name. Instead, there should have been encryption software like AlertBoot installed on those machines if data protection was paramount.
There were two burglaries, affecting five computers in total. In the first, two desktop computers were stolen from the finance department around May 22. Patient names, medical records numbers, and, in some cases, SSNs, dates of birth, and insurer information was included.
In the second, three desktop computers were stolen around June 9 from Montefiore's School Health Program administrative offices. They included student names, dates of birth, medical record numbers, guardian contact numbers, and whether the student has a SSN (not the actual SSN itself, but whether a student actually has one).
As mentioned before, all computers were password-protected. However, as I've covered before, password-protection doesn't provide protection. It really doesn't live up to its name.
Instead, there should have been encryption software like AlertBoot installed on those machines if data protection was paramount.
Much has been said about the lack of encryption when it comes to sensitive data on laptop computers. But people are very silent when it comes to desktop computers with sensitive information. Why? I mean, desktops can be stolen, too. Try and show me a desktop computer that's not portable, in sense that it cannot be carried. You can't because such a thing does not exist. While desktop computers were not designed for ease of portability, it's also true that they weren't designed not to be portable. Most people can lift one, especially if computer monitors are not involved. How do you think the UPS guy brings a Dell computer up to your porch? The form of the computer does not mean better data security. And yet, people act as if it does. That's not to say there isn't security in shape and weight: gold bullion kept by banks, for example, is heavy by design. They could make each ingot lighter by making them smaller, and allow for easier transportation. But then, thieves could easily transport them, too. So, ingots are kept heavy on purpose, requiring two well-exercised arms to lift them. Also, running with 24 extra pounds on your body doesn't quite allow for a successful escape. Desktop computers were not designed with such physical security in mind. They're actually designed to be as small and lightweight as possible while meeting performance standards. The fact that they're heavier and more cumbersome than laptops doesn't mean more security; it just means they're heavier and more cumbersome. If you have any information that you need to protect on your computers, be they laptops or otherwise, full disk encryption is something you have to seriously consider.
Much has been said about the lack of encryption when it comes to sensitive data on laptop computers. But people are very silent when it comes to desktop computers with sensitive information.
Why?
I mean, desktops can be stolen, too. Try and show me a desktop computer that's not portable, in sense that it cannot be carried. You can't because such a thing does not exist. While desktop computers were not designed for ease of portability, it's also true that they weren't designed not to be portable. Most people can lift one, especially if computer monitors are not involved. How do you think the UPS guy brings a Dell computer up to your porch?
The form of the computer does not mean better data security. And yet, people act as if it does.
That's not to say there isn't security in shape and weight: gold bullion kept by banks, for example, is heavy by design. They could make each ingot lighter by making them smaller, and allow for easier transportation. But then, thieves could easily transport them, too.
So, ingots are kept heavy on purpose, requiring two well-exercised arms to lift them. Also, running with 24 extra pounds on your body doesn't quite allow for a successful escape.
Desktop computers were not designed with such physical security in mind. They're actually designed to be as small and lightweight as possible while meeting performance standards. The fact that they're heavier and more cumbersome than laptops doesn't mean more security; it just means they're heavier and more cumbersome.
If you have any information that you need to protect on your computers, be they laptops or otherwise, full disk encryption is something you have to seriously consider.
Related Articles and Sites:http://www.montefiore.org/?id=2698
The Digital Forensics Association has come up with a report showing the impact of missing laptops in the overall data breach landscape. And, while the numbers make a case that targeted hacks are now the leading cause of actual records compromised, that doesn't necessarily mean that an organization should invest less in data protection tools like full disk encryption software.
The following was reported by the Digital Forensics Association report: 49% of all reported breaches come from the loss of a laptop In 95% of the cases the laptop is stolen Loss of laptops account for 6% of lost records 33% of the laptops are stolen from offices 28% are stolen from vehicles The leading vector for third-party losses is via missing laptops Among the recommendations made is that encryption software be used to protect sensitive data on portable storage devices (laptops, external HDDs, USB flash drives, etc.). It's duly noted that "organizations that rely on the login password to keep the data safe on a laptop that has been lost or stolen are operating under an inaccurate risk assumption." That "inaccurate risk assumption" should really be termed "inaccurate safety assumption," as in people think that they're safe with the use of password-protection.
The following was reported by the Digital Forensics Association report:
Among the recommendations made is that encryption software be used to protect sensitive data on portable storage devices (laptops, external HDDs, USB flash drives, etc.).
It's duly noted that "organizations that rely on the login password to keep the data safe on a laptop that has been lost or stolen are operating under an inaccurate risk assumption." That "inaccurate risk assumption" should really be termed "inaccurate safety assumption," as in people think that they're safe with the use of password-protection.
Six percent is a pretty low figure, I'll agree. This is the thing, though: almost no one in the general community blames the victimized company when the latter is hacked. The hackers are the bad guys. When a laptop with sensitive data is stolen, the bad guy is almost never the thief. You read that correctly; that's not a typo. Instead, the blame falls upon the person that decided that keeping sensitive data on portable devices was a good idea. Do you realize how many times I've read comments to the tune of, "what the heck was my SSN/driver's license/bank account number doing on a laptop computer?! It should be locked up in an office!" If your company, organization, or agency has to deal with sensitive data on laptops, external hard drives, and any other data storage device that can be picked up easily and stolen (or even devices that are not as portable, such as desktop computers), disk data encryption should be used. Otherwise, not only do you risk fines and penalties, and having to comply with breach notification laws--you might also take a harder PR hit than if you're network is breached. Also, remember: any penalties and fines associated with a breach will pretty much amount to the same, regardless of whether a laptop is stolen or your company is hacked. Why open up a vulnerable spot for yourself by not using the appropriate data security tools?
Six percent is a pretty low figure, I'll agree. This is the thing, though: almost no one in the general community blames the victimized company when the latter is hacked. The hackers are the bad guys.
When a laptop with sensitive data is stolen, the bad guy is almost never the thief. You read that correctly; that's not a typo.
Instead, the blame falls upon the person that decided that keeping sensitive data on portable devices was a good idea. Do you realize how many times I've read comments to the tune of, "what the heck was my SSN/driver's license/bank account number doing on a laptop computer?! It should be locked up in an office!"
If your company, organization, or agency has to deal with sensitive data on laptops, external hard drives, and any other data storage device that can be picked up easily and stolen (or even devices that are not as portable, such as desktop computers), disk data encryption should be used. Otherwise, not only do you risk fines and penalties, and having to comply with breach notification laws--you might also take a harder PR hit than if you're network is breached.
Also, remember: any penalties and fines associated with a breach will pretty much amount to the same, regardless of whether a laptop is stolen or your company is hacked. Why open up a vulnerable spot for yourself by not using the appropriate data security tools?
Related Articles and Sites:http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=226200272&cid=RSSfeed_DR_Newshttp://www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf
A small update to the South Shore Hospital data breach: the company which South Shore contracted to destroy 800,000 computer records had in turn outsourced the job to a third party. So far, it hasn't been clarified what type of data protection, if any, existed--although I'm still hoping to hear that something along the lines of drive encryption like AlertBoot was used.
I've already covered the South Shore breach here. In light of the revelation of the subcontracting, I wonder: who's at fault here? The unnamed subcontractor didn't technically lose the information. The claim is that they received a partial shipment, so technically it's not their fault. How can you blame the receiving party, unless they had sent someone to fetch the...whatever it is that was supposed to be delivered (backup tapes? CDs? Hard drives? Etch-a-Sketches? It still hasn't been revealed.) Then, you've got the original contractor in the middle who probably sent the records. Did they, too, receive only a partial shipment? Are they to blame? Why didn't they do the job of destroying the records themselves? The usual answer is, of course, because they could get someone else to do it for them for less. Technically, the breach could have been avoided if the contractor hadn't outsourced the work (but, this is in hindsight and applies to this case only). Should a courier company be blamed, the one that was employed (I'm assuming one was used) by the contractor? And finally, we have South Shore Hospital. Perhaps it should be blamed for the breach. After all, they were the ones that handed the records to the contractor, presumably without using encryption software to safeguard the information (otherwise, we really wouldn't be hearing about this issue). The more parties that are involved, the harder data security becomes. So does pinning the blame. Assigning responsibility, however, is easy (although not always fair): In this case, it's South Shore Hospital that's responsible. That's why their name is listed at the "HHS 500 or more records affected" site.
I've already covered the South Shore breach here. In light of the revelation of the subcontracting, I wonder: who's at fault here?
The unnamed subcontractor didn't technically lose the information. The claim is that they received a partial shipment, so technically it's not their fault. How can you blame the receiving party, unless they had sent someone to fetch the...whatever it is that was supposed to be delivered (backup tapes? CDs? Hard drives? Etch-a-Sketches? It still hasn't been revealed.)
Then, you've got the original contractor in the middle who probably sent the records. Did they, too, receive only a partial shipment? Are they to blame? Why didn't they do the job of destroying the records themselves? The usual answer is, of course, because they could get someone else to do it for them for less. Technically, the breach could have been avoided if the contractor hadn't outsourced the work (but, this is in hindsight and applies to this case only).
Should a courier company be blamed, the one that was employed (I'm assuming one was used) by the contractor?
And finally, we have South Shore Hospital. Perhaps it should be blamed for the breach. After all, they were the ones that handed the records to the contractor, presumably without using encryption software to safeguard the information (otherwise, we really wouldn't be hearing about this issue).
The more parties that are involved, the harder data security becomes. So does pinning the blame. Assigning responsibility, however, is easy (although not always fair): In this case, it's South Shore Hospital that's responsible. That's why their name is listed at the "HHS 500 or more records affected" site.
Related Articles and Sites:http://www.bostonherald.com/business/healthcare/view.bg?articleid=1270526
The story from Cooper University Hospital is that a thumb drive filled with sensitive data has gone missing. Data encryption was not used to protect the contents, meaning over 100 people may be at heightened risk of ID theft.
The device--which included SSNs, addresses, and phone numbers of university hospital residents and fellows--went missing on July 8th. The police are still investigating whether this is a case of theft. It should be noted that patient information was not involved.
The device--which included SSNs, addresses, and phone numbers of university hospital residents and fellows--went missing on July 8th. The police are still investigating whether this is a case of theft.
It should be noted that patient information was not involved.
As the university hospital readily admitted, the device was not protected with encryption software. Seeing how nobody really knows what happened to the thumb drive, the threat of identity theft is quite real (although probably low). If either disk encryption or file encryption had been used, the above doctors--and they are doctors; it's just that they still require supervision--could be at peace knowing that their information was protected. Instead, now they'll have to wonder whether one day they'll find themselves victims of a fraudulent credit application or some other contract. Not exactly what you want surgeons worrying about as they're inserting a catheter down your throat.
As the university hospital readily admitted, the device was not protected with encryption software. Seeing how nobody really knows what happened to the thumb drive, the threat of identity theft is quite real (although probably low).
If either disk encryption or file encryption had been used, the above doctors--and they are doctors; it's just that they still require supervision--could be at peace knowing that their information was protected. Instead, now they'll have to wonder whether one day they'll find themselves victims of a fraudulent credit application or some other contract.
Not exactly what you want surgeons worrying about as they're inserting a catheter down your throat.
Related Articles and Sites:http://abclocal.go.com/wpvi/story?section=news/local&id=7578794http://www.databreaches.net/?p=12735http://www.courierpostonline.com/article/20100728/NEWS01/100728075/Cops-seek-clues-in-missing-personal-data-from-Cooper
Mark Twain once noted, and I paraphrase, "there are lies, damned lies, and statistics." There is also the observation that "to lie with statistics is easy. To lie without them is easier." What all this means is that when reporting a statistic, one also has to consider the information that makes up that stat. Unfortunately, I only have a number, so I'm slightly loath to report this but here it goes.... According to the HIPAA Blog, Roughly 5.8% of American adults have been victims of medical identity theft, with $20,160 being the average cost per victim. The author of the blog picked up the figure at a lunch sponsored by Scott & Scott and Chartis.
Mark Twain once noted, and I paraphrase, "there are lies, damned lies, and statistics." There is also the observation that "to lie with statistics is easy. To lie without them is easier." What all this means is that when reporting a statistic, one also has to consider the information that makes up that stat.
Unfortunately, I only have a number, so I'm slightly loath to report this but here it goes....
According to the HIPAA Blog,
Roughly 5.8% of American adults have been victims of medical identity theft, with $20,160 being the average cost per victim.
The author of the blog picked up the figure at a lunch sponsored by Scott & Scott and Chartis.
The latest US population count lies somewhere around 307 million. 5.8% translates to 17.8 million people and a total cost of--wait for it--$359 billion dollars. That's a mind-boggling amount of money. As a reference point, Microsoft's combined revenues for 2005 to 2009, inclusive, is $254 billion. Of course, for the medical ID theft, we have no reference point whatsoever: are the stats for last year? Or perhaps a combined total for the last 10 years? If so, what does 5.8% figure really mean? I wish some kind of supporting data had also been provided...
The latest US population count lies somewhere around 307 million. 5.8% translates to 17.8 million people and a total cost of--wait for it--$359 billion dollars.
That's a mind-boggling amount of money. As a reference point, Microsoft's combined revenues for 2005 to 2009, inclusive, is $254 billion.
Of course, for the medical ID theft, we have no reference point whatsoever: are the stats for last year? Or perhaps a combined total for the last 10 years? If so, what does 5.8% figure really mean?
I wish some kind of supporting data had also been provided...
Medical facilities have to comply with HIPAA/HITECH, and the use of encryption software is, for the lack of a better word, actively encouraged. I would assume that the use of encryption would curtail, or at least impact, the theft of medical information. However, there is no way to know. Consider all the ways that medical information can be stolen besides surreptitiously lifting laptops and external drives: Internal attacks (less than ethical doctors, nurses, EMTs, etc) Lost or stolen paper documents, folders, etc. A server hacking incident With the exception of the last one, where file encryption or database encryption could prevent access to sensitive data, there is no way for encryption to prevent theft. Digital data encryption can't be used on paper documents, and how can encryption stand against someone who has the required passcodes for accessing encrypted data in the first place? On the other hand, the rate of lost or stolen computers and external data devices (such as USB devices) is high enough that encryption can't be left on the backburner.
Medical facilities have to comply with HIPAA/HITECH, and the use of encryption software is, for the lack of a better word, actively encouraged.
I would assume that the use of encryption would curtail, or at least impact, the theft of medical information. However, there is no way to know. Consider all the ways that medical information can be stolen besides surreptitiously lifting laptops and external drives:
With the exception of the last one, where file encryption or database encryption could prevent access to sensitive data, there is no way for encryption to prevent theft. Digital data encryption can't be used on paper documents, and how can encryption stand against someone who has the required passcodes for accessing encrypted data in the first place?
On the other hand, the rate of lost or stolen computers and external data devices (such as USB devices) is high enough that encryption can't be left on the backburner.
Related Articles and Sites:http://hipaablog.blogspot.com/2010/07/interesting-stat-i-attended-lunch.htmlhttp://financials.morningstar.com/income-statement/is.html?t=MSFT&culture=en-US