AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
November 2016 - Posts

  • UMass Amherst Settles HIPAA Violation for $650,000 and Corrective Action

    In 2013, the University of Massachusetts Amherst (UMass Amherst) was embroiled in a health data security breach. A workstation was infected with malware, leading to a HIPAA violation involving patient data for 1,670 people. Skip ahead three years, and UMass Amherst has settled the resulting enforcement action brought by the US Department of Health and Human Services (HHS).
    According to the terms, the university will cough up $650,000 and will implement a corrective action plan that will hopefully prevent similar and other future incidents.  

    Wrong Classification

    Malware. Just as you never know when some guy is going to stick a computer down his pants in order to boost it, malware can attack you in the most unexpected ways, at the most unexpected times. (Incidentally, people have been caught sticking desktop computers down their pants, not just laptops. And not just at Walmart, either. There's video footage floating around of a man doing so at a hospital.)
    Combating malware is not easy, but it is made easier by following certain rules. Install good antivirus software. Ensure that it receives updates regularly. Make sure your firewall is up and running correctly. Don't visit sites that have a high probability of hosting malware. Don't download and install untrustworthy apps and software.
    It looks like UMass Amherst had all of this in place, which is de rigueur for covered entities. However, it had decided, incorrectly in hindsight, that its Center for Language, Speech, and Hearing (CLSH) was not a "health care component," and hence not subject to HIPAA's rules.
    In turn, this probably led it to be more relaxed about data security there. And the rest, as they say, is history. Three years and $650,000 worth of history.  

    The More Things Change…

    About five years ago, the big thing in medical data security was the loss and theft of devices that held patient data: laptops, desktops, external and portable storage devices, paper files, smartphones, etc.
    As businesses and organizations made greater incursions into the cloud, public and private, we've seen fewer (or at least fewer reports) of the old-style data security breach and more of the "new" type: commodity malware, specialized malware (like ransomware, which encrypts the victim's files and holds them for payment), DDoS, accidental leaking of files, and so on. In the past month, St. Joseph Health also settled with the HHS (for $2.14 million) because its internal files were accessible to search engines.
    It feels like things have changed. And in a sense, they have. But not really.
    The need to properly protect patient data (not computers; the focus has always been on the data) has existed forever, and in the US it was made into law twenty years ago under Bill Clinton's presidency. We must assume the law arose because there was a need at the time. Regardless, the government, it can safely be said, gave it a low priority, and businesses proceeded to pay little to no attention to medical data security for the next 15 years or so.
    With the passage of HITECH, the government gave data security more attention. Businesses started taking notice. And then, in 2011, Boston's Massachusetts General Hospital got fined $1 million for a data breach. Businesses started doing more than taking notice.
    Because, if MGH can be fined a million bucks for fewer than 30 pages of patient printouts, HHS certainly won't hesitate to fine the loss of a computer or USB stick with information on thousands of patients. People started encrypting their laptops.
    Why? Because the loss and theft of laptops was trending in the news. Then USB stick losses started trending. External drives and USB sticks got encrypted. Basically, HIPAA covered entities have been playing catch-up ever since HITECH.
    And, in that sense, not much has changed.  

    Precision Security

    For a while, security experts were suggesting that covered entities encrypt anything that allowed digital storage. With people emailing, FTP-ing, uploading, downloading, backing up, and copying and pasting sensitive files, it was impossible to tell where a file would end up, so: just encrypt everything you possibly can.
    Others suggested that a more thought-out method was necessary. It was the more realistic approach in terms of money and time. If a company has 1,000 laptops but only 10 need encrypting, why spend the time and money to protect the remaining 990? Furthermore, a company would be more likely to encrypt if faced with a less financially arduous assignment.
    In the end, the more precision-oriented approach won out. But as events show, the flip side of it is the increased need for constant vigilance and proper understanding of what organizations are doing, a feat that is near impossible once you reach a certain size.  

     

    Related Articles and Sites:

    https://www.databreaches.net/umass-settles-potential-hipaa-violations-following-2013-malware-infection/
    http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/umass

     
  • California Amends Data Breach Notification For Encrypted Data

    Beginning on January 1, 2017, organizations in California can no longer automatically assume that personal details are safe, and a breach therefore unreportable, just because the data was encrypted at the time of the breach. Whether a breach must be made public will now depend on what else was exposed alongside the encrypted data.  

    Encrypted Personal Information Could Trigger Breach Notification

    Per natlawreview.com, California's AB 2828 contains this update:
    Beginning in 2017, notification will be required for breaches of encrypted personal information of California residents under the following conditions: encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, the encryption key (confidential key or process designed to render the data readable) or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and there is a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
    As you can see, all three of the above conditions must be satisfied for the breach notification to go into effect. This is only sensible.
    And expected.
    One of the contentious aspects of the original California data breach notification legislation, from back in 2003, was that companies did not need to report a data breach if the data was encrypted, regardless of the details surrounding the breach. This is problematic: what if the encryption key or the password for accessing the encrypted data was stolen along with the protected data? Does that merit a respite from notifying people?
    While the spirit of the law may have been that companies should go public with the situation, the truth is that the law had a loophole that allowed the opposite. Since the law stated that the loss or theft of encrypted data was excluded from the definition of a data breach, companies were free to do whatever they wanted if, say, an encrypted laptop was stolen… but the password to it was taped to the bottom of the device.
    This latest update closes the loophole.
    A second criticism was that the legal definition of encryption was not as stringent as it should have been. The data security community pointed out that, under the initial version of the breach notification law, "hashing" could also pass for "encryption" based on how the latter was defined on the books.
    (Hashing feeds data through a one-way algorithm that always produces the same output for the same input: the input "as" might always come out as "3n23nfs9d2," and the output cannot be run backwards to recover the input, since there is no key to decrypt it with. But as a security measure it is moot if an attacker simply feeds the algorithm as many likely inputs as possible, records each result, and stores the pairs in a file to look up later. Any hash of an input on that list is "reversed" by lookup.)
    In the past ten years, we've seen how that turned out. Not only is hashing alone not enough; salted hashes (where random data is added to each input so that a single precomputed table cannot be reused against every record) have also proven subpar when built on a fast hash function, because each record can still be guessed at individually. Whether adequate protection was in place depends on which algorithm was used and how it was implemented, along with many other factors.
    The definition of encryption in California was amended quite recently, it seems, to require that it be a "security technology or methodology generally accepted in the field of information technology."
    It only took ten-plus years since the initial criticism.  
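    The lookup-table and salting points above, worked through in code. This is an added example and not code from the original post or from AlertBoot; the wordlist and the stored hashes are constructed for the demonstration, and SHA-256 stands in for whatever fast hash a breached system might have used.

```python
import hashlib
import secrets

# Constructed sample wordlist standing in for the "as many inputs as possible"
# an attacker feeds the hash function (e.g. a leaked-password dictionary).
WORDLIST = ["password", "letmein", "as", "hunter2", "qwerty", "123456"]


def sha256_hex(data: bytes) -> str:
    """Plain, unsalted SHA-256: the same input always yields the same digest."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> input for every candidate word (a lookup table)."""
    return {sha256_hex(w.encode()): w for w in words}


def reverse_with_table(digest_hex: str, table):
    """'Reverse' a hash by lookup. Returns None when the input was never tabulated."""
    return table.get(digest_hex)


def salted_sha256_hex(word: str, salt: bytes) -> str:
    """Salted hash: a per-record salt changes the digest, so one shared
    precomputed table no longer matches any record."""
    return sha256_hex(salt + word.encode())


def brute_force_salted(digest_hex: str, salt: bytes, words):
    """A salt defeats the shared table but not per-record guessing: with a fast
    hash like SHA-256 every candidate is simply retried against this one salt."""
    for w in words:
        if salted_sha256_hex(w, salt) == digest_hex:
            return w
    return None


def pbkdf2_hex(word: str, salt: bytes, iterations: int = 200_000) -> str:
    """A deliberately slow, salted key-derivation function (PBKDF2-HMAC-SHA256).
    Still guessable in principle, but each guess now costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()


def demo():
    """Run the three scenarios on a constructed stored value for the input 'as'."""
    table = build_lookup_table(WORDLIST)
    stored_unsalted = sha256_hex(b"as")
    salt = secrets.token_bytes(16)
    stored_salted = salted_sha256_hex("as", salt)
    return {
        # unsalted: the shared table recovers the input directly
        "table_reverses_unsalted": reverse_with_table(stored_unsalted, table),
        # salted: the same table finds nothing
        "table_reverses_salted": reverse_with_table(stored_salted, table),
        # salted, fast hash: guessing per record still recovers it
        "brute_force_reverses_salted": brute_force_salted(stored_salted, salt, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

    The third result is the one the paragraph above is getting at: a salt stops an attacker from reusing one table against a whole breached database, but with a fast hash the attacker just rebuilds the guesses per record. PBKDF2 (or bcrypt, scrypt, Argon2) makes each guess expensive instead; none of this is encryption, since nothing here can be decrypted with a key.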

    A History of Updates and Upgrades

    Looking back on this blog's entries, it's apparent that California has been doing the best job when it comes to data breach notifications. It was not only the first state to pass such a law, beating the US federal government to the punch (which, as of this writing, still has no general breach notification law); it has also regularly updated the original bill.
    At the beginning, only "personal information" was covered (i.e., names and SSNs, plus some other sensitive data). Later, medical information was brought into the fold as well.
    The law was amended so that the state's AG is alerted if more than 500 Californians are affected.
    The breach notification's content and format was also legislated so that companies would be forced to declare things transparently, at least to a point. (You'd be amazed how many companies would employ verbal judo and write two or three pages with words that mean absolutely nothing in the end).
    I guess, under the circumstances, California should be applauded for continuously improving the law that covers data breaches and the notification thereof.
    Of course, if they really wanted to effect changes, they'd heavily fine companies that don't satisfy a certain security standard. That's what the federal government did with HIPAA/HITECH, and it really lit a fire under HIPAA covered entities once Massachusetts General Hospital was fined $1 million.  

     

    Related Articles and Sites:

    http://www.natlawreview.com/article/california-amends-its-data-breach-notification-law-again

     
  • Data Breach Reparations: Still Evolving, Consumers Begin To See Glimmers

    According to idtheftcenter.org, the US has seen 858 data breaches involving more than 29 million records in 2016 (to be more specific, up until November 8). The list does not include breaches that go unreported, for obvious reasons, nor those that weren't vetted by credible sources like state Attorney General offices or the news.
    These numbers are nothing to be surprised about. The past ten years had data breaches numbering in the tens of millions of records and, in unusual yet not so rare cases, in the hundreds of millions. Indeed, this year should also be a "hundreds of millions" year, what with the Yahoo data breach that was reported a couple of months ago. However, idtheftcenter.org currently classifies the number of records exposed in it as "unknown," most likely because it's still being looked into.
    These numbers are limited to the US, however. If you consider that the same thing is happening around the world, and has been happening for the past decade, it is astounding that nobody has come up with an implementable solution to this growing problem.
    It is also astounding that nothing has changed in the past decade for the individuals affected by data breaches, despite a better understanding of the ramifications. But it looks like the courts are reconsidering what these data breaches mean to ordinary people.  

    UK Courts – Awards for Psychiatric and Psychological Injury

    This past week, a court in the United Kingdom ruled that
    victims of a data breach, in this case asylum seekers, successfully sought compensation for the shock and distress caused to them by the accidental publication of their personal data. (jdsupra.com)
    It turns out that the UK Home Office mistakenly uploaded to the internet unanonymized details of approximately 1,600 refugees. Of those, six people brought claims for reparations, and two of them were awarded damages in court.
    Now, these figures aren't a resounding win for data "breachees," although the two people who did win received £12,500 each. But, it's worth noting that these were awarded in line with "awards for moderate psychiatric and psychological damage" (my emphasis).
    This is unheard of when it comes to data breaches. Generally, people must show, shall we say, a "real" harm – something for which reparations can be made. For example, your neighbor accidentally trashed your car. The courts rule that he replace the car. Maybe you make your living with your car. So, the courts rule that he also compensate for unearned wages. You also experienced mental duress. Well… what price do you put on that? Chances are the courts will throw that one out.
    A data breach brings up the question: what exactly needs to be made whole? It's not as if your name is a secret. This goes for most of your personal information. Yeah, it's personal, but it's not a secret. You've probably given it out to complete strangers without thinking twice about it. And if you claim psychological duress because it was added en masse to the interwebs… well, what does that mean? Is that even a real thing, in terms of being harmed?
    In 2003, California became the first US state to create a data breach notification law. Back then, it can be said that people generally had very little concern regarding data breaches because nothing seemed to come of them. In 2016, the story is quite different. People are generally concerned due to the many ways personal information is used to commit fraud or is illegally monetized. You could say that many people are in a state of heightened anxiety when it comes to data breaches.
    And with people from every walk of life being affected – including the same lawyers and judges who oversee proceedings – it seems like the courts are rethinking what it means to be the victim of a data breach. On the other hand…  

    US – Anxiety Not a Claim for Damages

    Around the same time that the surprising UK decision was announced, a US court ruled on a Barnes & Noble data breach from 2012. The court decided that customers whose information was breached didn't really have grounds for compensation. Essentially, the ruling said that you can't sue a company just because a data breach caused you anxiety.
    The ruling was not surprising. It served merely to further hammer the fact that it was nearly impossible for consumers to get satisfaction if they were embroiled in a company's data breach. Yet, there is something of a silver lining here as well.
    In past cases, a data breach lawsuit against a company was usually tossed out of court. In this case, at least the courts agreed to hear and judge on the plaintiff's case. Granted, they lost for basically the same old reasons (apparently, some are calling this a pyrrhic victory of sorts, in that it got to the courts at all).
    But, it does show that some progress is being made, that people everywhere are more aware. Dare I say, the courts are beginning to admit that there's something there, even if the law, as of yet, does not quite cover it, and are willing to look into it.  

     

    Related Articles and Sites:

    http://pennrecord.com/stories/511037406-anxiety-not-a-claim-for-damages-in-data-breach-case

    http://www.jdsupra.com/legalnews/tlt-v-sos-how-do-you-quantify-damages-75193/

     
  • Habitat For Humanity Data Breach Affects 5000+ People

    Habitat for Humanity, the charity that builds affordable housing across the globe for the underprivileged, was found to be leaking sensitive information online, according to dailydot.com. Over 400 gigabytes of information – including detailed information on approximately 4,600 people – was left unsecured in the cloud. (More specifically, it was Habitat for Humanity Michigan).
    The situation was discovered by Chris Vickery, a man who's been in the news quite a number of times in the past year. As dailydot.com notes, Vickery helped secure US voter records (twice!) and was invited to Mexico by its government after exposing a misconfigured database that exposed information on 87 million Mexicanos.  

    Backups Encrypted, the Actual Data Not

    Per Vickery, Habitat was holding the exposed data on a virtual hard drive (VHD). This VHD was apparently being backed up using rsync, a file-synchronization utility (and network protocol) commonly used for making backups. The backups had "decent…encryption," but the VHD itself was not encrypted. Vickery placed the blame with whoever was in charge of "backing up Habitat's data."
    Per usual, the observation in such cases is that the original files should have been encrypted, just like the backups. Encrypting the copies protects nothing if the source they were copied from is the thing left reachable.  
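    As an added example (not from the page, from dailydot.com, or from Habitat's IT provider; the page does not say how the VHD was reachable, so the setup is hypothetical, as are the paths, addresses and user names), here is what an rsync daemon module that anyone who can reach TCP port 873 may read looks like, beside the same module restricted to one backup host with authentication:

```ini
# Illustrative /etc/rsyncd.conf module definitions (added example; hypothetical
# paths, addresses and user names). All settings below are module-level
# parameters documented in rsyncd.conf(5).

# Exposed: no "hosts allow", no "auth users", and the module is advertised
# to anyone who asks the daemon for a listing (rsync rsync://host/).
[vhd-exposed]
    path = /srv/backups/vhd
    comment = VM disk images
    read only = yes
    list = yes

# Restricted: same data, readable only from the backup host, only by a named
# user whose password lives in the secrets file, not listed, and served as an
# unprivileged account inside a chroot.
[vhd]
    path = /srv/backups/vhd
    comment = VM disk images
    read only = yes
    list = no
    hosts allow = 10.0.0.7
    hosts deny = *
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    use chroot = yes
    uid = backup
    gid = backup
```

    /etc/rsyncd.secrets holds `user:password` lines and must not be readable by others; with "strict modes" left at its default of yes, rsync refuses to use a secrets file that is. Daemon-mode authentication only gates access to the module; the transfer itself is unencrypted, so backups crossing an untrusted network should run over SSH (`rsync -e ssh ...`) rather than the bare daemon port. And, per the point above, the VHD itself should be encrypted at rest, not only the copies made of it.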

    An Advancement: Cloud Security

    There are many aspects to security when it comes to data and the internet: keeping passwords safe; running antivirus software to combat malware (oftentimes ineffectively); not using unfamiliar public Wi-Fi; the list goes on and on. Included in this list is the use of encryption to protect data.
    It is rare, if not unheard of, to encounter an instance where the backed-up data was protected whereas the original was not. This appears to be possible only because cloud services, whatever those services may be, are heavily invested in using encryption to secure data, whereas people in general don't do as good a job, regardless of how knowledgeable they may be about computers. (Which I think is probably the case with Habitat. You don't go around using VHDs and backing up with rsync if you're uncomfortable or unknowledgeable about computer technology.)
    This story may be what is called anecdotal evidence: statistically invalid since it represents one specific instance. But I think it may also very well be a sign that we've reached a watershed moment where the different attempts to increase security on the internet are finally beginning to bear fruit.
    The problem, though, is that internet services are only half the equation. It's like living a healthy life: sure, medical technology can do wonders, in certain cases bringing people back to life from the firm grip of death. But, people still have to do their part by eating right, exercising, getting health checkups, etc.
    Likewise, data security requires computer users to do their part as well.  

    An Irony

    There is an ironic side to this story. Apparently, when contacted by Vickery regarding their exposed data, Habitat's IT provider was led to believe, at the outset, that Vickery was a hacker looking to pull off a phishing scam.  

     

    Related Articles and Sites:

    http://www.dailydot.com/layer8/habitat-for-humanity-applicants-michigan-data-breach/