AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

June 2012 - Posts

  • Medical Laptop Encryption Software: University of Texas MD Anderson Cancer Center Notifies 30,000 Of Data Breach

    A faculty member at the University of Texas MD Anderson Cancer Center had his laptop computer stolen, potentially exposing the records of some 30,000 patients.  The laptop was not protected with hard drive encryption like AlertBoot, which means not only that the data is easily accessible on the stolen device, but that the medical organization probably has a HIPAA data security breach on its hands.

    Stolen from Physician's Home

    According to numerous reports, the unencrypted laptop was stolen from the physician's home on April 30.  Notifications went out almost two months later, however, because outside contractors first ran forensic tests to figure out what type of data was stored on the stolen device.

    It was determined that the laptop contained medical record numbers, patient names, Social Security numbers, and treatment and research information.  Which raises the question: why was this laptop not secured with encryption software?  Full disk encryption would not have prevented the theft, but it would have left the thief with unreadable ciphertext instead of 30,000 patient records (a cloud-managed, easily deployed encryption solution like AlertBoot would have been optimal in this case).

    Also, it should be pointed out that under HIPAA / HITECH, a covered entity is required to notify individuals whose PHI (protected health information) may have been exposed.  Under the Breach Notification Rule, covered entities must send notifications without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered.  That is not a 60-day pass to wait: sitting on one's hands until the deadline is also a violation of the rule, and possibly grounds for assessing penalties.

    In this light, the fact that UT decided to send notification letters as it neared the two-month mark is a strong sign that there are HIPAA issues involved.  Not that I'm accusing UT of just waiting for the inevitable:

    M.D. Anderson waited to notify patients until it had a "high degree of certainty" regarding the information, Fontaine said, because the information on the laptop was not consistent for each patient, and the center did not want to cause undue panic.

    "We moved with as much dispatch as we could, not wanting to create unnecessary anxiety" for unaffected patients, Fontaine said. [bizjournals.com]

    Stepping Up Their Encryption Program

    Due to the data breach, UT MD Anderson has

    stepped up its encryption program. The center had been encrypting devices for "quite some time" prior to the theft, Fontaine said. However, factors such as balancing employees' need to communicate with patients via personal devices and dealing with technical problems caused by encryption had made the process slower than desired. Now M.D. Anderson has brought on additional staff and basically has "opened a 24/7 encryption center," Fontaine said. [bizjournals.com]

    Deploying encryption is not necessarily easy.  Sometimes it's well-nigh impossible (I've heard rumors, for example, that at one point the Department of Veterans Affairs temporarily shelved thousands of encryption licenses because it had no real way of deploying them... for two years!  It opted to go with a different solution).

    In a mobile workforce, the problem is compounded by the fact that the hardware sometimes never makes it back to HQ.  I don't mean that the laptops are stolen.  Far from it: the employee is happily using it, boosting his efficiency.  But the thing stays at home because it contains sensitive data and he doesn't want to be toting it around, so it never gets near the corporate network from which IT would normally push out the encryption client.

    This is the type of scenario that AlertBoot FDE solves quite painlessly.  Because the software is distributed over the internet, an endpoint only needs an internet connection to start the encryption process; it never has to come back to HQ.  The only data stored on our servers are the encryption keys (escrowed for distribution and recovery), so the encrypted contents of the disk never leave the endpoint and we never handle the sensitive data itself.  It comes with 24/7 support, and a client's own network is minimally impacted because the deployment is not initiated from it.

    While I can't make any guarantees, it could be that UT's tune would be a different one had they opted for a centrally-managed and deployed disk encryption solution.


    Related Articles and Sites:
    http://www.fiercehealthit.com/story/laptop-theft-risks-info-30000-hospital-patients/2012-06-29
    http://wtaw.com/2012/06/29/patient-data-exposed-in-m-d-anderson-laptop-theft/
    http://www.ihealthbeat.org/articles/2012/6/29/md-anderson-cancer-center-reports-possible-health-data-breach.aspx
    http://www.scmagazine.com/two-month-delay-in-notifying-patients-after-cancer-center-breach/article/248157/
    http://www.bizjournals.com/houston/news/2012/06/28/md-anderson-cancer-center-notifies.html?page=all

     
  • Drive Encryption Software: Alaska DHSS To Pay $1.7 Million Settlement For HIPAA Data Breach

    The Alaska Department of Health and Social Services (DHSS) -- AK's Medicaid agency -- has agreed to pay $1.7 million to settle all HIPAA violation charges.  It is, by certain accounts, the second largest HIPAA settlement in history and most definitely the first against a state agency.  The breach that set it off could have been avoided with the simple use of a disk encryption software program like AlertBoot; as the findings below show, though, the settlement also covers program failures that a software rollout alone would not have fixed.

    USB Disk, Car at the Heart of the Breach

    Around October 12, 2009, a USB hard drive containing electronic protected health information (ePHI) was stolen from a DHSS computer technician's car.  The data breach was promptly reported to the US Department of Health and Human Services' Office for Civil Rights (OCR), which started investigating the Alaska DHSS in January 2010.

    The investigation led the OCR to conclude that Alaska DHSS failed in several areas:

    • Did not complete a risk analysis;
    • Did not implement sufficient risk management measures;
    • Did not complete security training for DHSS workforce members;
    • Did not implement device and media controls; and
    • Did not address device and media encryption.

    What HIPAA Requires

    Not all of the above are absolute requirements under HIPAA.  Take the last point: the use of encryption is an "addressable" implementation specification, not a "required" one.  That does not make it optional.  A HIPAA-covered entity must assess whether encryption is reasonable and appropriate for its risks; if it is, implement it, and if not, document why and put an equivalent safeguard in place.  The HHS spells this out in its own FAQ:

    Is the use of encryption mandatory in the Security Rule?

    Answer:

    No. The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

    The caveat to not using encryption, then, is that you have to document the decision and provide some other method of securing PHI that is just as effective.  For example, perhaps you'll weld a completely thief-proof strongbox to an employee's car, to be used whenever an unencrypted laptop is transported by the employee.

    That solution, though, is crazy.  Weigh the time, expense, and remaining vulnerabilities of the welded strongbox (the laptop still has to come out of it to be used) against the cost of encryption, and disk encryption wins easily.  It also brings a benefit no strongbox can: under the HHS breach notification guidance, PHI encrypted in line with NIST standards counts as "secured," so losing the device is not a reportable breach.  In a sense, the use of encryption is the minimum you can do in terms of PHI protection.


    Related Articles and Sites:
    http://www.alaskapublic.org/2012/06/26/state-pays-large-settlement-for-patient-privacy-breach/
    http://www.healthcarefinancenews.com/news/data-breach-leads-17m-fine-alaska-dhss
    http://www.phiprivacy.net/?p=9683
    http://www.scmagazineuk.com/alaska-department-of-health-and-social-services-facing-17-million-hipaa-fine-for-2009-breach/article/247784/

     
  • Can The FTC Penalize A Company For Being Hacked?

    The answer is no, of course.  If it were yes, then even companies that fall to hackers despite using data security tools -- like centrally managed data encryption software from AlertBoot -- would feel the sting of the Federal Trade Commission (or, at least, fear it).  And, as security experts like to note, when it comes to data breaches it's a matter of when, not if.  Combine the two and every company would be exposed to the FTC.

    And yet, many news outlets report otherwise.  For example, when I was reading up and posting on the FTC's actions against Wyndham yesterday, I noted that (my emphasis):

    Mind you, the story is making the rounds in business and computer IT / security sites as an "FTC lawsuit for data breaches."  Nothing could be further from the truth...at least, on paper.

    Simply put, the FTC doesn't have the power to sue companies for having a data breach.  But, the Federal Trade Commission can definitely bring action for deceiving consumers.

    Someone else must have caught on to this, because today I ran across a Fortune article titled "Why the FTC has hackers' victims in its crosshairs."  In it, the author notes that "most companies that fall victim to hackers never enter the F.T.C.'s crosshairs. As long as businesses have reasonable security measures, they can avoid punishment after even serious breaches."

    The article goes on to quote an FTC official:

    "We have always said that it is not a violation to be hacked," said Kristin Cohen, an attorney in the F.T.C.'s division of privacy and identity protection. "We can only go after companies that have misleading privacy policies -- either they did something that was deceptive or unfair."

    Among other nuggets the article offers:

    • The FTC cannot levy financial penalties in "data protection cases."  (In quotes because the phrase makes it sound like companies get fined for being hacked.)
    • But Congress is mulling whether the Commission should have the power to impose such penalties.  The FTC already has it for other types of "corporate misbehavior."
    • The Senate has already introduced such a bill.
    • The FTC has sued or settled with approximately 35 companies for misleading data security promises.


    Related Articles and Sites:
    http://tech.fortune.cnn.com/2012/06/28/ftc-hackers/

     
  • Data Security: FTC Sues Wyndham Worldwide For "Deception"

    The Federal Trade Commission has filed a lawsuit against Wyndham Worldwide and three of its subsidiaries (Wyndham Hotel Group, Wyndham Hotels and Resorts, and Wyndham Hotel Management; the Wyndham family includes the Ramada, Howard Johnson, Super 8, and Days Inn hotel chains) for, essentially, deceptive practices under Section 5 of the FTC Act (the complaint also pleads a separate "unfairness" count).

    This suit is part of the FTC's long history of ensuring consumers get what they're promised; it's certainly not the first time the Commission has brought charges against a company after it suffered a data breach.  Which makes me muse: could it ever come to a point where not using hard disk encryption like AlertBoot would be reason enough for bringing legal action against a company?

    "We Safeguard Our Customers' Personally Identifiable Information"

    The above, in quotes, is what got Wyndham in trouble with the FTC.  Mind you, the story is making the rounds in business and IT / security sites as an "FTC lawsuit for data breaches."  Nothing could be further from the truth... at least, on paper.

    Simply put, the FTC doesn't have the power to sue companies for having a data breach.  But, the Federal Trade Commission can definitely bring action for deceiving consumers.  What deception could Wyndham have made?  You can ask Rite Aid, Twitter, RockYou, and other companies: the promise of safeguarding customer info but not actually doing so.

    In its complaint, the FTC noted the following about Wyndham:

    Since at least 2008, Defendants have disseminated, or caused to be disseminated, privacy policies or statements on their website to their customers and potential customers.  These policies or statements include, but are not limited to, the following statement regarding the privacy and confidentiality of personal information, disseminated on the Hotels and Resorts' website:

    . . . We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program (collectively, "Customers"). . . . This Policy applies to residents of the United States, hotels of our Brands located in the United States, and Loyalty Program activities in the United States only. . . . We safeguard our Customers' personally identifiable information by using standard industry practices.  Although "guaranteed security" does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain "fire walls" and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that the Information is not improperly altered or destroyed.

    And, that this resulted in:

    Defendants' security failures led to fraudulent charges on consumers' accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to a domain registered in Russia.  In all three security breaches, hackers accessed sensitive consumer data by compromising Defendants' Phoenix, Arizona data center.

    The FTC contends that the promises of client data security were not kept.  Specifically, its complaint alleges that Wyndham (as summarized by a commenter at slashdot.org):

    • failed to use ... firewalls
    • allowed ... storage of payment card information in clear readable text;
    • ... permitted Wyndham-branded hotels to connect insecure servers to the ... network, including servers using outdated operating systems that could not receive security updates or to address known security vulnerabilities;
    • allowed ... well-known default user IDs and passwords ... easily available to hackers through simple Internet searches;
    • ... did not require the use of complex passwords for to ... property management systems ... Defendants used the phrase "micros" as both the user ID and the password;
    • failed to adequately inventory computers connected to the ... network;
    • failed to ... conduct security investigations;
    • failed to ... monitor ... network for malware used in a previous intrusion; and
    • failed to adequately restrict third-party vendors' access to ... property management systems ...

    Does all of this sound like obvious security failings?  The FTC certainly thinks so.  The washingtonpost.com notes that,

    Maneesha Mithal, associate director of the FTC's division of privacy and identity protection, said the security failings were "obvious." She added: "We don't bring cases that we think are close calls."

    Wyndham, for its part, has promised to "vigorously" defend itself.

    Could Not Using Laptop Encryption be the Next Reason for a Lawsuit?

    The above suit is interesting in that the FTC lists specific controls (or the lack thereof) as partial reasons for suing Wyndham, such as the absence of firewalls or of complex passwords.

    If we were to follow this line of thought -- and the further details found in the Wyndham suit -- it would only make sense to, for example, go after a financial corporation for not using adequate encryption software on a bank-issued employee laptop that holds sensitive client data.  The catch is that it only works if the bank promises consumers that it will do its utmost to protect that data... which it almost certainly does.

    For example, let's say a bank allows employees to tote around client data in laptops and other mobile devices (like smartphones and tablets) as part of their BYOD / consumerization transition and goal.  Since the bank is the enabler of the mobile workforce, and the employees work for the bank, the bank is ultimately responsible for ensuring that client data is secured.

    Not using laptop encryption and other mobile security tools -- which, let's face it, are de rigueur in this day and age, despite all the companies out there that don't use them (I'm not necessarily referring to banks, which have traditionally been very good at this) -- could conceivably be a sign that the company was being lax in its security and "deceptive" when it claims that it is doing its utmost to protect the personal details it collects from customers.

    You might raise objections that (a) companies have been promising data security forever and (b) companies have been losing unencrypted laptops with personal information, also forever...so, what's new?  Why would the FTC go after companies that lose laptops now when it let such cases slide in the past?

    And my rebuttal would be: well, (a) companies have been promising data security forever and (b) companies have been hacked for as long as they've been losing laptops, and look at what's happening now.


    Related Articles and Sites:
    http://ftc.gov/os/caselist/1023142/120626wyndamhotelscmpt.pdf
    http://www.networkworld.com/news/2012/062712-ftc-wyndham-data-breach-260497.html?hpg1=bn
    http://www.washingtonpost.com/business/economy/ftc-sues-wyndham-hotels-over-hacker-breaches/2012/06/26/gJQATDUB5V_story.html
    http://www.computerworld.com/s/article/9228534/FTC_files_lawsuit_over_data_breaches_at_Wyndham_Worldwide?taxonomyId=70&pageNumber=1

     
  • Data Encryption: Samsung, LG AMOLED Secrets Leaked Via USB Memory Stick

    The big news tonight in Korea was that key technologies behind Samsung's and LG's AMOLED displays were smuggled out by employees of an Israeli firm's Korean subsidiary.  How did these intrepid, and now arrested, men manage it?  With a 4 GB USB memory stick that, last time I checked, costs less than $10.  It certainly makes one wish for AlertBoot managed disk encryption with automatic encryption of external USB devices.

    Seoul Central District Prosecutors' Office Makes Announcement

    The Seoul Central District Prosecutors' Office detained three employees of a local Israeli firm (the PO did not identify the company, referring to it as Company "O", but there are rumors that it's Orbotech, which "makes display inspection equipment that it supplies to customers in South Korea, China and Taiwan" according to theolympian.com) and indicted three others who were apparently released under their own recognizance.

    According to Korean reports, the employees stole the technical secrets between November 2011 and April 2012, using the access they had as providers of the inspection equipment.  For example, they used the camera on the equipment to photograph the circuitry of LG's and Samsung's new 55" AMOLED display panels layer by layer.  The pictures were later copied to USB flash drives, which were then smuggled out hidden in shoes, belts, wallets, etc.  At least one article relates that the flash drives took the form of a credit card.

    It is believed that the smuggled technology made its way to Chinese display manufacturers such as BOE and CSOT.

    "Can't Even Smuggle Out a Sheet of Paper"

    Supposedly, that's how Samsung and LG described the security surrounding their factories.  Companies boasting about their security while not really living up to their claims is yesterday's news.  LG in particular had to eat crow, seeing how it didn't even realize there was a breach until the Prosecutors' Office produced a warrant to search (and seize evidence at) Orbotech.  (Yes, it's just a rumor/allegation that Orbotech is the firm in question, but honestly, there aren't too many Israeli firms in Korea with a connection to the flat panel display industry whose name begins with an "O."  My own search turns up only one, so....)

    In some ways, it makes sense that neither company mounted a successful defense.  After all, Orbotech is the best in the field and holds 70% of the market for flat panel display inspection equipment.  Such equipment requires periodic calibration and servicing, so outside employees must be let into "the fortress" at some point.  It's the dreaded and nearly impossible to prevent "insider attack."  Kind of like the Trojan Horse from Greek myth, except there are no Trojans (nor Spartans) and no wooden horse.  Plus, no trickery, because the attackers were invited in.

    Automatic USB encryption on managed endpoints would normally stop this kind of data theft, but here the images were captured and copied on the vendor's own inspection equipment, not on Samsung's or LG's PCs, so the people doing the smuggling were (probably) the ones in charge of securing those USB ports as well.  It's a tough assignment for those charged with securing a facility: the controls have to cover the visiting equipment, not just the hosts you manage.


    Related Articles and Sites:
    (in Korean) http://media.daum.net/society/clusterview?clusterId=607344&newsId=20120627175808910&t__nil_news=uptxt&nil_id=8
    (in Korean) http://media.daum.net/society/others/newsview?newsid=20120627163610140&nil_id=1&t__nil_economy=uptxt

     
  • Data Encryption Software: New Haven Rent Rebate Participants' Data Breach

    The New Haven Library was the scene of a data breach late last month, when a thief or thieves made off with a laptop used by an Elderly Services Specialist to enter data for the Rent Rebate program.  The use of laptop encryption software such as AlertBoot -- technically, a managed computer disk encryption program, for those who require management of encryption keys and easy enterprise deployment -- would have ensured that the information on the laptop stays unreadable to whoever has it now.

    If encryption wasn't used, the city cannot be certain that the data has not been read or copied, and would have to spring for free identity protection (although in many cases, such services are offered regardless of the circumstances).

    No Details

    Other than the offer of free ID protection; when and where the theft took place (May 23, at the Mitchell Branch Library, 37 Harrison St.); and the "belief" that no one has accessed the data, there is not much to the story.  There isn't even confirmation that encryption or password protection was (or wasn't) in use.  And only the former would actually matter: a login password does nothing for data on a drive pulled out of the laptop and read on another machine.

    For example, it was not revealed what type of data was compromised as a result of the laptop theft.  A quick search, however, shows that some very sensitive information could have been compromised.

    A Little Digging Reveals Concerns

    If you visit the New Haven website and do a search for "rent rebate" you get pointed to this page, where the office of the Mayor announces the beginning of this year's Rent Rebate Program:

    (5/21/2012) The City of New Haven has begun accepting applications for the State of Connecticut’s Rent Rebate Program. Due to the high volume of applications for this program, residents interested in applying for this program must do so by appointment only. Walk-ins cannot be accommodated. The information below pertains to New Haven residents only. Renters from other municipalities should contact their municipality for information about the application process in their town.

    The state program provides a reimbursement for Connecticut renters who are elderly or totally disabled, and whose incomes do not exceed certain limits. Persons renting an apartment or room, or living in cooperative housing or a mobile home may be eligible for this program. Rebates can be up to $900 for married couples and $700 for single persons. The rebate amount is based on a graduated income scale and the amount of rent and utility payments (excluding telephone) made in the calendar year prior to the year in which the renter applies.

    The program is available to residents age 65 or older as of December 31, 2011, or residents at least 18 by December 31, 2011 who have been found by a government agency to be permanently and totally disabled. Income must be no more than $32,000 for single individuals, or $39,500 for married couples. Individuals receiving state cash assistance are not eligible.

    Last year, 4,654 New Haven residents received $2.3 million dollars.

    Individuals who do not live in senior housing and have received this benefit in the past should have already received an appointment notice from the City.

    Residents of the following housing facilities may schedule application appointments by contacting resident services or management staff for their building:

    [snip]

    A FAQ on the program is also provided on the page, which goes on to show that certain materials must be presented in order to receive assistance.

    Based on what I'm reading -- and what follows is speculation on my part -- it looks like there is a very good chance that Social Security numbers and other personal information (e.g., Medicaid ID numbers, military service IDs, etc.) must have been collected as part of this program.  Vetting the participants' information is at the heart of the program, and to do so would mean checking against income tax filings, aid and support from other government (or other) agencies, etc. which require the submission of information like one's SSN.

    This other document, titled "Rent Rebate: What to Bring" shows the following as necessary documentation.

    • Social Security cards and birth dates for you and your spouse.
    • Proof of 2011 rent/utility payments (not cable):  12 rent receipts or printout or landlord letter, print-out of what you paid UI, SCG, RWA, your oil company, etc.
    • Proof of 2011 Income: salary, interest income, Social Security 1099 form, SSI, pension, annuities, rental income, railroad retirement income, proceeds from sale of property, ANY other source of income.  If you file an income tax return, bring a copy.

    Data Loss Quite Disconcerting

    When I searched "elderly services specialist" in Google News, I was presented with some very harrowing news titles such as "Elder abuse on the rise" and "The scams that target the elderly" and "Elder fraud: one couple's losses and hard lessons".

    That last one is especially attention-grabbing (and long): it shows how an elderly couple got mired in a scam that stole their life savings, turned them into money mules, and convinced them that they were not victims of a swindle (and then some).  In fact, when the couple's family tried to intervene, they were essentially accused of sticking their noses in uninvited.

    The other stories and articles were no less disturbing.

    It appears to me that if the city of New Haven has a data breach on its hands that involves sensitive personal data -- especially information that scammers have successfully used in the past, such as SSNs, which figure in any number of fraudulent activities -- it should just come out and say so, as opposed to quietly springing for one year of identity theft protection.

    I normally would make the argument regardless, but after reading the horror stories, I can't help but be more emphatic on the importance of letting the (potential) victims know as much as possible about the situation.


    Related Articles and Sites:
    http://www.courant.com/community/new-haven/hc-new-haven-laptop-0609-20120608,0,7046773.story
    http://www.nbcconnecticut.com/news/local/Rent-Rebate-Laptop-Stolen-from-New-Haven-Library--158177055.html
    http://www.nhregister.com/articles/2012/06/08/news/doc4fd206134783d161651112.txt
    http://www.databreaches.net/?p=24470

     