AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Laptop Encryption: Thieves Stick Up Doc, Ask For Passwords To Encrypted Computer

Brigham and Women's Hospital (BWH) has notified nearly 1,000 people that a computer protected with laptop encryption software has been stolen.  Normally, the use of encryption would provide safe harbor from having to send such a notification letter, not only under HIPAA (the federal set of laws that govern medical organizations) but also under Massachusetts's data protection and notification laws, which are among the most rigorous in the US.

This, however, was not to be: the thieves who stole the laptop also forced the password from the doctor by placing him under duress.

Tied to a Tree, Held at Gunpoint

According to the breach notification letter, as well as coverage by myfoxboston.com, the hold-up occurred back in September in Jamaica Pond (a Boston neighborhood that is not necessarily known for its safety).  Two assailants stole a doctor's cellphone and laptop:

He was tied to a tree while one man held a gun and the other brandished a knife.

Although both the laptop and cellphone were encrypted, they were stolen during an armed robbery on Sept. 24, and the hospital said the suspects forced the victim to give the pass codes during the robbery.

It sounds like something out of a B-movie script.  But then, they do say that art imitates life (and vice versa).  Anyhow, on to the security issues.  This story reveals a number of things most people don't really think about when it comes to data security.

First, there are caveats to HIPAA's data breach notification rules.  Many of our clients who call in looking for our managed laptop encryption services are under the impression that the use of encryption gives them complete safe harbor from the breach notification requirements.  This is not so, and it never has been.

In order for safe harbor under the Breach Notification Rule to kick in, the following conditions must also be met: (1) the encryption used must follow NIST guidelines.  This means strong encryption that is equivalent to or stronger than AES-128, along with a number of other requirements.  (2) The HIPAA covered entity must be able to prove that the lost or stolen device was encrypted.  This means there must be some kind of report and paper trail.  (3) The password or encryption key must not be compromised.  If any of these conditions is not met, you won't be able to claim safe harbor.

Second, we've heard from clients who are looking for "NSA-proof encryption".  We don't know what that means, but we're pretty sure it doesn't really exist.  Also, why would the medical community be looking for something that's NSA-proof?  Not only does it sound like overkill, but as the above story shows, two hoodlums can easily succeed where G-men behind a bunch of computer screens cannot (or maybe they can).

Are Laptops Really Stolen for Their Hardware Value?

Last but not least, the above story calls into question past stories where the breached entity proclaims that they "believe that the laptop was not stolen for the data."  Of course, from a very literal and technical standpoint, they're not wrong: the representatives of the breached entity can believe whatever they want; they can believe that the laptop will be used as a beer coaster, however unlikely that may be.

The implication, on the other hand, is that data saved to an unencrypted laptop is probably safe.  The above puts the kibosh on such speculation: if thieves are now willing to tie people up and scare the bejeezus out of them in order to get into a stolen laptop, doesn't it make it more than possible that they've already been scraping for personal data on unencrypted laptops?

It's beyond me how any self-respecting company that claims they've got the security of their clients' information at heart can even be writing such drivel.  Not BWH, though: they had encrypted their laptops.  What happened afterwards was literally out of their control.

Related Articles and Sites:
http://www.phiprivacy.net/brigham-and-womens-hospital-notifies-patients-after-data-stolen-in-armed-robbery/
http://www.myfoxboston.com/story/27410047/brigham-womens-warning-of-privacy-breach-after-laptop-stolen

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.