in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Encryption: Beth Israel Medical Says Virus Stole Information

Beth Israel Deaconess Medical Center in Boston has announced a data breach that affects more than 2,000 patients.  I bring up this news not because the use of data encryption like AlertBoot would have prevented the breach, but because encryption was used by the malware.

Computer Service Vendor Causes Breach...Kinda

This breach is an example of one those situations where it's kind of hard to pin the blame.  According to boston.com:

The hospital said yesterday that an unnamed computer service vendor had failed to restore proper security settings on a computer after performing maintenance on it. The machine was later found to be infected with a virus, which transmitted data files to an unknown location.

Should the computer service vendor be blamed?  Perhaps.  But, how are they supposed to know what the "proper security settings" are?  In the course of servicing a computer, settings may have to be changed.  In an ideal world, the contractors would keep track of all the changes they made.

We don't live in an ideal world.

Hence, most organizations, if they send equipment to a third party, will perform checks to ensure settings, and other things, are in place before slipping it back into the workforce.  It sounds like Beth Israel didn't perform this check, which means that they're to blame, at least to a certain degree.

On the other hand, did they have a valid reason to perform this checkup?  For example, the fan on my laptop right now is noisy and fails from time to time.  If I have a vendor fix it, and he changes some settings on my computer, I wouldn't have the slightest clue that he did that because I'm not expecting it.  I mean, why would you change the settings in the software for a hardware problem?

On the other other hand, these unexpected circumstances are what drive IT departments crazy to the point of laying down the law that all equipment will be checked, no matter why they were sent to a third party.

Ultimately, I'd say that Beth Israel is responsible despite the involvement of the vendor.  Unless, of course, the virus was transplanted on the computer while the computer was under the vendor's supervision, even if this is the type of "unexpected circumstance" that I referred to above.

Virus Makes Use of Encryption

One of the surprising notables about this story is this:

Halamka [the hospital's chief information officer] said the virus transmitted information in an encrypted form, so the hospital does not know exactly what might have leaked, but wanted to inform patients anyway. [boston.com]

Generally, hackers don't use encryption in this way.  I've heard of instances where data is encrypted in order to blackmail the data owners (send me $10,000 or you'll never see the contents of your server again), or of them encrypting their ill-gotten databases when storing them (in case other hackers hack them).  But sending them in encrypted fashion?  Unheard of, at least to these ears.

On the other hand, if there is any need to keep information secret, the use of encryption software would be the way to do it.


Related Articles and Sites:
http://www.boston.com/business/healthcare/articles/2011/07/19/beth_israel_data_breach_may_affect_over_2000/
http://hipaablog.blogspot.com/2011/07/bosons-beth-israel-seems-like.html

 
<Previous Next>

Data Encryption: Spartanburg Regional Announces CPU Theft, Says It's Encrypted. Say, What?

Cost Of A Data Breach: Sony's Insurer Says They Don't Need To Pay

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.