AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Encryption: Medical Researchers Get Some Recommendations From Colleagues

In a paper titled "How Strong are Passwords Used to Protect Personal Health Information in Clinical Trials?" El Emam et al. note that most researchers involved in clinical trials are not properly using data security tools like encryption.  This is not necessarily because the researchers are not trying but because they're not aware that there are potential problems with what they're using.

Researchers in Clinical Trials are Aware of the Need for Security

Researchers conducting clinical trials are very aware of the need for data security.  Not only do they handle sensitive information on a regular basis, information that would definitely be classified as protected health information (PHI), they also need to ensure "data integrity" and deal with requirements dictated by the Food and Drug Administration (FDA).  Not complying with regulations would mean not only potential fines (say, under HIPAA/HITECH) but also losses due to delays in rolling out a new drug.

Consequently, there is a lot of effort spent on ensuring data security. The paper's authors found that most researchers who participated in a survey used encryption to secure data.  But, this did not necessarily mean that things were OK.

Weak Passwords, Weak Encryption, Shared Passwords

The authors of the paper concluded that clinical researchers were not up to snuff when it came to data security.  As already mentioned, it's not because they were not trying.  Rather, it's because they failed to grasp certain intricacies when it came to data security.

One area that needed shoring up was the use of weak passwords.  El Emam et al. were able to recover the passwords to 14 out of 15 encrypted files provided by researchers.  The authors of the paper were not hackers themselves.  Rather, they used two off-the-rack products ($30 and $130 each) that search for passwords by brute force.  All 14 recovered passwords were found in less than 24 hours.

(The authors of the paper are aware that 15 samples is not a statistically significant data pool.  However, the authors also note that those who provided the files were confident in the strength of their data security, so the sample is expected to be biased towards researchers who are security-aware and actively protecting data.)

Finding such passwords in such a short time is only possible when the passwords are weak: because they are too short, because they are composed of a word found in a dictionary, or because they are often-used passwords.

The authors also found that many of the files were protected with weak encryption.  For example, Microsoft Word has a built-in ability to encrypt files.  However, older versions of the word processor (Word 2003 and earlier) use a weak form of encryption.  What this means is that, instead of figuring out the password to the encrypted file, one can search for the encryption key directly, an attack that can be easier and faster than guessing the password.
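The two weaknesses above (passwords that are short, dictionary-based or commonly used, and ciphers whose key space is smaller than the password space) can be checked before a file is ever e-mailed. The following is an added example, not code from the paper or from AlertBoot: it scores a password against the three weakness causes named in the text and then compares the resulting search space with an assumed cipher key length to show why a weak cipher makes the password irrelevant. The word lists, the `min_length` policy and the `key_bits` values are constructed assumptions; the page does not state Word 2003's actual key length.

```python
import math
import re

# Constructed sample lists (not from the paper). Real cracking tools ship
# wordlists with millions of entries; these tiny sets only demonstrate the logic.
DICTIONARY_WORDS = {"trial", "patient", "clinical", "study", "hospital",
                    "password", "welcome", "summer"}
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123", "password1"}

# Characters a simple normaliser strips from the ends, plus leet substitutions
# it undoes, so that "Patient1!" is still recognised as the word "patient".
_EDGE_CHARS = "0123456789!@#$%^&*()_+-=.,"
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(pw):
    """Size of the alphabet a brute-force tool would have to enumerate."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(pw):
    """log2 of the exhaustive search space for this length and alphabet."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def normalize(pw):
    """Strip trailing/leading digits and punctuation, undo leet, lowercase."""
    return pw.strip(_EDGE_CHARS).translate(_LEET).lower()


def assess(pw, min_length=12):
    """Return (weaknesses, effective_bits).

    weaknesses lists which of the three causes in the text apply: "short",
    "common" (often-used password) and "dictionary". effective_bits is the
    log2 of the smallest search space an attacker could use; a dictionary
    word only contributes log2(len(dictionary)) plus the brute-force cost of
    whatever was appended or prepended to it.
    """
    weaknesses = []
    bits = brute_force_bits(pw)
    if len(pw) < min_length:
        weaknesses.append("short")
    if pw.lower() in COMMON_PASSWORDS:
        weaknesses.append("common")
        bits = min(bits, math.log2(len(COMMON_PASSWORDS)))
    core = normalize(pw)
    if core in DICTIONARY_WORDS:
        weaknesses.append("dictionary")
        extra = len(pw) - len(core)  # characters outside the dictionary word
        dict_bits = math.log2(len(DICTIONARY_WORDS)) + extra * math.log2(charset_size(pw))
        bits = min(bits, dict_bits)
    return weaknesses, bits


def cheaper_attack(pw, key_bits):
    """Which search is cheaper for an attacker: the cipher key or the password?

    key_bits is an assumed key length passed in by the caller. When the key
    space is smaller than the password space, a strong password buys nothing.
    """
    _, pw_bits = assess(pw)
    return "key" if key_bits < pw_bits else "password"


if __name__ == "__main__":
    for candidate in ("password", "Patient1!", "k7#Vq2!mR9zL"):
        weak, bits = assess(candidate)
        print(f"{candidate!r}: weaknesses={weak} effective_bits={bits:.1f}")
        # 40 and 128 are illustrative key lengths, not figures from the paper
        for kb in (40, 128):
            print(f"   with a {kb}-bit key the cheaper search is the {cheaper_attack(candidate, kb)}")
```

The interesting output is the last candidate: a 12-character password drawn from all four character classes has roughly 79 bits of search space, so against an assumed 40-bit cipher the attacker ignores the password entirely and searches the key, which is exactly the point the paper makes about older Word encryption.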

Weak encryption was deemed an especially serious problem because files are frequently e-mailed, and e-mail is by design an insecure messaging system.

And, last but not least, the authors of the paper found that researchers would share passwords, a data security affliction that is not unknown in less security-intensive businesses.

Recommendations

The authors recommend three general practices to bolster data security: strong encryption of e-mails and files, enforcing the use of strong passwords, and minimizing the sharing of passwords.

It was also recommended that electronic data capture (EDC) systems be made more inclusive, so that the security built into EDCs is accessible to "stakeholders in clinical trials" such as statisticians and other external consultants.  Such a move could eliminate the need for the above three recommendations in one fell swoop, since the data would no longer have to leave the system as password-protected files.

And finally, the authors of the paper noted that "encryption exemptions in breach notification laws should explicitly consider the strength of the passwords that are used."

That's an interesting proposition.  The use of strong encryption is codified into many state data breach notification laws, in the sense that safe harbor is granted only if professionals working in the data security industry would deem the particular encryption algorithm "secure."  What is, and what is not, deemed secure is left up to the pros to figure out.  This is a smart move, since vulnerabilities pop up unexpectedly and would be impossible to write into law.

I don't think anyone has suggested doing the same for passwords, though.  In many ways, it could have prevented a good number of the data breaches we've seen in the past.


Related Articles and Sites:
http://www.jmir.org/2011/1/e18/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.