AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Hard Disk Encryption: WTC Medical Monitoring Program Data Breached

Phiprivacy.net has found that Mt. Sinai Medical Center suffered a data breach when a hard drive with "some patient information" was found missing from their WTC monitoring program offices.  It appears that drive encryption software like AlertBoot was not used to protect the contents.

Stolen From a Computer

The missing hard drive contained "potentially identifying information" such as names, phone numbers, addresses, and limited mental health information, partially or wholly, for 1,500 patients.  The breach notification letter from Mt. Sinai pointed out that SSNs were not included.

Phiprivacy.net noted the incident does not show up on the HHS's medical data breach site (but I figure it will in a couple of weeks or so...patients were sent notification letters on or before September 16, and breached entities have 60 calendar days to notify the HHS).

What I'm most interested in, however, is the following line in the notification letter: "Mount Sinai recently discovered that the hard drive is missing from a computer in the offices of the [WTC] Medical Monitoring and Treatment Program" (my emphasis).

Does this mean what I think it means?  That a hard drive was literally taken out of a computer, and nobody knows what happened to it?  If so, the word "stolen" seems more apt than "missing" even if it's the latter, technically speaking ("stolen" is a subset of "missing.")

Disk Encryption Programs On Desktops--Not a Bad Idea

Phiprivacy.net has taken Mt. Sinai to task for encrypting their hard drives after the above breach incident.  Not because it was the wrong thing to do, but because Mt. Sinai had a breach in 2005 when a laptop was stolen.  Obviously, that incident should have been used to ensure that encryption software is used to protect all computers that are used to store sensitive data.

In my experience, though, there are many people that don't really understand data protection.  It's the same type of people who ensure their doors are locked when they leave home, but also leave their windows unlocked.  They'll encrypt laptops, because they're portable and "at risk of theft," but not do the same for desktop computers, because "they're not portable."

Trust me, desktops are "portable," not in the "designed to be carried around" sense but in the "possible for a guy to steal in whole by picking it up" sense.  Plus, as we see in the above case, there is nothing stopping a guy from stealing the one component in a computer that leads to data breaches, no matter how heavy a computer it happens to be.

So, going back to why Mt. Sinai didn't encrypt all of their computers back in 2005: my guess is a guy in management ran some risk analysis and decided that the breach risk posed by laptops vs other types of computers was higher for the former, and decided to protect laptops only (although, whether they even protected all laptops is speculation on my part).

The thing is, that's the wrong type of risk analysis.  I mean, it might work for certain assets, such as gold bullion--making the bullion big enough that you need a crane to lift it up is security in and of itself, so all you need to do is concentrate on providing protection for gold coins or whatever--but this is not what you do with data on computers.  Encryption of data ought to be based on what type of information a computer is holding, not whether it weighs less than five pounds.


Related Articles and Sites:
http://www.phiprivacy.net/?p=4725

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.