in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

August 2011 - Posts

  • Encryption Laws In The UK: Must Personal Data In Computers Be Encrypted?

    Let's get one thing out of the way: there is no such thing as "encryption laws in the UK".  Certainly, the Information Commissioner's Office (ICO) highly recommends the use of strong encryption software, like AlertBoot, to safeguard personal data in laptops and other portable media devices.  But, technically, there is no such thing as encryption laws in the United Kingdom.

    What the country does have are data protection laws, which include the use of encryption software as well as other technologies and strategies.

    Read the (ICO's) FAQ

    Trust me when I say that navigating the UK's Data Protection Act (DPA) is not an easy matter. Based on the EU Directive 95/46/EC (the EU's Data Protection Directive), the UK's DPA regulates the processing of "personal data".  As to what constitutes "personal data", the situation is complex enough that even with a definition of the matter, the ICO felt compelled to publish a personal data flowchart to make things clearer, which I'll explore in an upcoming post.

    While the above are interesting to read, it might make more sense to take a look at a FAQ published by the ICO, the government body charged with upholding the DPA.  In that FAQ, the following question is asked and answered (my emphases):

    Q: Must I encrypt all the information I store on computer?

    Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction.  Encryption might be a part of your information security arrangements – for example, in respect of confidential personal data stored on laptops or portable storage devices. On the other hand, you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose. Even where you do encrypt personal data, you will probably need to take additional steps to comply with the Act’s information security requirements. Read more about complying with these requirements in the section about information security.

    As the above shows, the data protection laws in the UK cannot be called "encryption laws".  This is especially true if one is able to find, say, "appropriate security measures" other than laptop encryption to secure a portable computer.  For example, a windowless, double-locked room with the notebook computer fixed to a counter via a cable lock is, arguably, just as good as encryption since it would prevent the theft of the computer to begin with.

    On the other hand, there is no guarantee, for example, against an employee stealing this same device or the laptop disappearing during a move.  And this poses a problem because the ICO's passage above notes that security measures must also "guard against unauthorized use or disclosure...or its accidental loss or destruction".  All of a sudden, the claims of "you don't have to use encryption" ring kind of hollow.

    But, that's because we're talking about laptops.  Remember, data can be stored in a variety of digital devices, including mainframe computers and blade servers (which generally tend to be behind several locked doors in a guarded facility).  So, it makes no sense for the law to require the use of encryption for all computer data when there are clearly instances where exceptions can be made (it also doesn't make sense to list out all the exceptions when technology progresses at the pace that it does).

    Whole Disk Encryption a Good Horse to Bet On

    There are oddities in the DPA that makes safeguarding data a nightmare.  Here's a taste.  From the ICO's personal data flowchart I mentioned before:

    Information may be recorded about the operation of a piece of machinery (say, a biscuit-making machine). If the information is recorded to monitor the efficiency of the machine, it is unlikely to be personal data (however, see 8 below).  However, if the information is recorded to monitor the productivity of the employee who operates the machine (and his annual bonus depends on achieving a certain level of productivity), the information about the operation of the machine will be personal data about the individual employee who operates it.  [section 7.2]

    Remember, you're not actually recording personal data in the above example.  You're recording biscuit machinery efficiency data that will be used later to evaluate someone's performance.  If you lose a laptop with this information (and, say, a name), you'd technically be in violation of the UK's DPA, something most people don't take into consideration.

    The more I read about issues like these, the more I understand why the ICO's Undertakings (signed promises by a breached organization's data controller to the Information Commissioner) include the promise to use encryption for laptops and portable devices.

    Despite assertions to the contrary, the use of encryption is pretty much de rigueur if you're looking to comply with the DPA when it comes to data in a computer.


    Related Articles and Sites:
    http://www.ico.gov.uk/Global/faqs/data_protection_for_organisations.aspx#fF8660356-D8D9-4116-9A19-ED39632567D1

     
  • Laptop Hard Disk Encryption: Finland Chiropractor Computer Found In Ditch

    According to yle.fi (via phiprivacy.net) a computer was found in a ditch along a Turku (Finland) freeway.  The computer contained medical information on thousands of people, including politicians, businessmen, and top athletes.  Apparently, drive encryption like AlertBoot was not utilized.

    Belongs to Chiropractor, Wasn't Aware of Theft

    The computer belonged to a private chiropractor.  When asked about the computer, the staff at the clinic expressed surprise.  It is now believed that the computer was stolen when the practice moved venues 18 months ago.  Aside from these meager facts, not much else has been revealed on-line (at least, not in English).

    However, this is enough to note that the chiropractor (unnamed) is in violation of Finland's Personal Data Act, a direct response to the EU Directive 95/46/EC, the EU's Data Protection Directive.

    While different EU members have different implementations of it, they all adhere to (or at least, are supposed to adhere) the seven governing principles of personal data protection.  Of the seven, data security plays a big part: member nations promise to protect collected data from any potential abuses.  Included in such data is medical data, which can mean diagnoses and treatments, but also a patient's name and address.

    Encryption Software Prevents Data Breaches

    There is an easy solution when it comes to adhering to data security, especially when we're talking about computerized data security: encryption.  Solutions like AlertBoot hard disk drive encryption ensures that all the contents within a device are protected if it were to be misplaced or stolen, triggering a data breach.

    This is the reason why the UK's Information Commissioner's Office (the UK also has data protection laws in keeping with the EU Data Protection Directive) always includes a clause in its Undertakings with organizations where the latter promises to encrypt any laptops and other portable digital media devices that hold personal data.


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=7471
    http://www.yle.fi/uutiset/news/2011/08/patient_medical_data_on_computer_found_in_ditch_2806423.html

     
  • Medical Laptop Encryption Software: Mount Sinai Hospital Has Another Breach

    Databreaches.net brings us slightly old news that Mount Sinai Medical Center has had a data breach.  According to a notice posted at the hospital's site, two laptops were stolen, affecting over 700 patients.  It appears that drive encryption software like AlertBoot was not used.  Despite their other data breaches.

    Two Laptops Stolen

    According to Mt. Sinai's press release on July 11, 2011, two laptops used at the Multispecialty Physicians Practice went missing.  The two laptops contained protected health information (PHI) such as names, SSNs, and diagnoses.

    One of the laptops was secured with password protection which people with "sophisticated computer abilities might be able to bypass the password protection."  To be honest, it doesn't need to be sophisticated computer abilities at all...since when is swapping hard drives considered to be "sophisticated"?  It's about as sophisticated as switching one Nintendo64 game cartridge for another.

    [Side note: one of the ways of bypassing password-protection is by "slaving" a hard drive.  This is when another hard drive is attached to a computer, such as when you plug an external drive to your computer.  The external drive would be a "slave" to the "master" drive in the computer.  This can also be done by taking the master drive from one computer and attaching it to another computer.  In such a case, the first master drive is now a slave to the second master drive.  Easy-peasy.]

    Of course, the fact that only one laptop is mentioned as having password protection seems to imply that the other didn't have any protection at all because no other data security tool is mentioned.

    All Computers in the Practice Secured

    According to the same press release:

    To ensure there is no recurrence, all computers in the Practice have been physically secured and the hard drives that contain confidential information have been encrypted.

    Generally, I tend to publicly applaud organizations that do the above.  Not this time, for a couple of reasons.

    First, you'll notice that it's "all computers in the Practice" that have been secured and protected with encryption.  This means that other departments at Mount Sinai have not been deployed with encryption software.

    Which brings me to the second reason why I'm less than enthusiastic about Mt. Sinai's encryption practices.  This is not the first time Mt. Sinai has had a data breach.  In this blog alone I've covered an October 2010 data breach at Mt. Sinai where disk drives were stolen from a desktop computer.  That post also makes reference to a 2005 breach involving laptop computers.  Who knows what other breaches they've had that I haven't come across?

    It's quite obvious that the piecemeal approach to deploying encryption software is not working for the medical organization.  And yet, here is Mt. Sinai announcing that they've secured another "piece" of their organization.  What other practices or departments are still waiting for encryption to deployed?  And, will it happen after there is a data breach?


    Related Articles and Sites:
    http://www.databreaches.net/?p=20214
    http://www.mountsinai.org/about-us/newsroom/press-releases/public-notice-july-11-2011

     
  • UK Disk Encryption Software: Harley Street Clinic Signs Undertaking

    HCA International Limited, the data controller to Harley Street Clinic, has signed an Undertaking with the UK's Information Commissioner's Office, admitting to a data breach which appears to have been completely avoidable: while the use of data encryption software such as AlertBoot was foregone, there were other protections in place.

    But, they did the equivalent of writing the password to an encrypted laptop on a yellow sticky note, as you'll see.

    Locked Rooms, Cancer Treatment Data

    According to the Undertaking, two laptops were stolen from the Harley Street Clinic in March 2011.  Laptop encryption was not used in these devices, and yet sensitive personal data was stored in them, ensuring that their loss or theft would automatically make it a breach of the Data Protection Act (DPA).

    This is not to say that attempts to protect the computers were not made.  The laptops were "kept in a locked room in the administrative and laboratory area."  However, this is the kicker: the key to the locked room was "kept on a hook on the inside of the door" of the next office, which was not locked because it contained the fire escape.

    It's time like these that one gets to the use the expression "wwwwhhhhhhhaaaaaaaaaaaaaaaa.........???"  Isn't this like taking your house key and leaving it under the welcome mat?  What were these people thinking?

    Now, the laptops were used in the course of cancer treatments so it seems apparent that "sensitive personal data", as defined in the DPA, was stored in them (it's not revealed, however, what type of data was actually stored in the laptops).

    Makes you wonder why they didn't use encryption software, especially when you consider that this technology is exactly what they turned to when Harley Street Clinic got replacement laptops.

    Voiding Warranties

    According to the Commissioner's Office,

    enquiries revealed that the devices, which were used for specific cancer treatments, contained custom software and neither would be covered under the supplier’s warranty if encryption or other software were added.

    This is the first time I've read where the use of laptop disk encryption would have voided warranties.  I mean, certainly, the use of encryption with a power-on-authentication (or preboot authentication) component messes a bit with the operating system (just a wee bit -- the master boot record gets affected), but to the point of voiding warranties?  What kind of cancer treatment software needs access to the MBR?

    Regardless, this goes a long way towards explaining the lack of encryption in this particular case.  After all, the use of encryption is not mandated under the DPA as long as the data is kept safe.  In the ICO's FAQ, on whether encryption must be used on computers:

    The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction...you might not need to encrypt data which always remains on your premises, provided you have sufficient other controls on who can access it and for what purpose.

    Obviously, the stolen laptops were not meant to be off premises.  However, thieves may not be cognizant of that fact.


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=7416

     
  • Drive Encryption Software: UK Bennetts End Adventure Playground Has Data Breach

    Thieves have stolen a computer from an adventure playground, affecting approximately 1,000 children.  The use of disk encryption software like AlertBoot would have ensured data integrity.

    On the other hand, what kind of data could it be holding on children that it deserves going public with a data breach?

    What's an Adventure Playground?

    Apparently, in the UK the term "adventure playground" refers to an enclosed area where children can learn to takes risks without seriously hurting themselves.  Adventure playgrounds may also have areas where children can read or do homework.  In essence, it's the English version of an after-school activity center.

    Based on cached version of the actual Bennets End Adventure Playground site, it looks like the facilities has an outdoor jungle gym as well as recreational games such as pool, foosball, and table-tennis.

    I just don't get.  Besides a name and address and perhaps a phone number, what other information could these places possibly be collecting that warrants coverage in the local paper?

    This is a Data Breach Under the Law

    The matter of fact is that this is a data breach under the UK laws.  In the UK, under the Data Protection Act, personal data is explained/defined as:

    data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. [ico.gov.uk]

    As I understand it, the definition is overly broad on purpose, and as such, even the loss of names is enough to trigger a data breach.  It sounds crazy, but personal privacy laws are much stricter in the UK (and countries in Europe, in general), and the above emphasizes the point.

    Again, the use of encryption software would have ensured data integrity and safety, turning the above data breach into your average theft (like, I don't know, the theft of a bicycle).

    I've got to admit, though, that I'm left scratching my head over whether this warrants going public over the incident. (It probably does...but it doesn't feel like it.)


    Related Articles and Sites:
    http://www.databreaches.net/?p=20184
    http://www.hemeltoday.co.uk/news/local/children_s_details_stolen_in_playground_raid_1_2973887
    http://www.ico.gov.uk/for_organisations/data_protection/the_guide/key_definitions.aspx

     
  • Data Encryption Software And HIPAA Top 7 Hot Spots

    HealthLeaders Media has an interview with a former senior advisor at the OCR, the Office for Civil Rights, who has revealed the "top areas of interest" on HIPAA issues.  While you might think that laptop encryption software like AlertBoot only covers point #5 below, it actually covers more than that.

    1. Incident detection and response
    2. Review of log access
    3. Secure wireless network
    4. Management of user access and passwords
    5. Theft or loss of mobile devices
    6. Up-to-date software
    7. Role-based - lack of access management

    Hospital Laptop Encryption Proof and Other Issues

    Encryption software is not a silver bullet against all data ills.  In fact, it can only protect you against a very thin (but also very important) slice of your data breach pie.  For example, disk encryption for medical laptops only protects patient data when the device is in the "off" position at the time it is lost or stolen.  Compare that to all the numerous ways in which you can have a data breach (including the theft of a laptop that's up and running), and it looks like disk encryption is extremely limited in what it does.

    On the other hand, if you consider that lost or stolen digital data storage devices account for over 60% of all medical data breaches, then you understand why disk encryption plays an important role in keeping your PHI safe.

    But, the use of encryption is not the end of it.  Sometimes, the use of encryption can force HIPAA breaches.  For example, if your staff share passwords, that is a breach of the HIPAA "access control" rule (#4, #7).  So, you must ensure that everyone gets their own username and password to encrypted devices (such as computers at a nurses' station).

    Furthermore, if something does go awry, then chances are you'll have to be able to prove that a device was protected (#1, #2).  Knowing that you encrypted it and proving that you encrypted it are two different things.  You could keep a written record, but will it be enough?

    Managed Encryption to the Rescue

    This is where a managed encryption package like AlertBoot shines.  First off, our encryption software uses the cloud to do its deployment.  Due to this characteristic, it also requires forward-looking ways to track which computers are encrypted, which has led to the integration of an advanced reporting engine. 

    Not only does this mean that a hospital's IT department (or in some cases, the lone IT guy) can easily and quickly manage numerous encryption installations, it also means that a log can be kept of the current encryption status of a computer.  In return, that means that if a computer was encrypted five years ago, you can see that (and later prove) that the computer was still encrypted as of last night.

    And, if you see that a machine has switched its status, you can also get on top of it (although, I have to confess that this would be impossible in AlertBoot unless initiated by an administrator).

    The encryption also supports multiple usernames and passwords attached to one computer, meeting the requirements for access control and management.  Plus, extended security for USB devices can be offered via the "automatic encryption setting," where any storage devices connected to an encrypted computer are also encrypted


    Related Articles and Sites:
    http://hipaablog.blogspot.com/2011/08/hipaa-hot-spots-dom-nicastro-and-adam.html
    http://www.healthleadersmedia.com/page-1/LED-269794/OCR-Unveils-HIPAA-Hotspots

     
More Posts « Previous page - Next page »