Over at firstlook.org, The Intercept has an article on creating passphrases (not passwords) that are strong and memorizable. The trick lies in the number of elements (that is, how many words are used in the passphrase) and randomness. Indeed, the principle is not different from how encryption works to secure data. For example, AlertBoot's managed laptop encryption relies on AES-256 encryption to secure a laptop's sensitive data.
First, get yourself a die, that six-sided cube with dots or numbers that's used at a craps table. You only need one (hence die and not dice). Then grab a copy of the Diceware word list. Each word is preceded by a 5-digit number.
Roll your die five times to get a word. Do this for a total of seven words (so, 35 rolls). Then, chain these words together for a super-duper secure passphrase.
Why is this so secure that "not even the NSA can crack it"? Again, the answer lies in the number of elements and randomness.
The Diceware word list contains 7,776 words. If you only used one word as the password, there's a 1 in 7,776 chance that it can be guessed at random. With a fast enough computer, one can go through the entire list of words in a matter of seconds (this act of going through the entire set of possibilities is known as "brute forcing").
When two words are used, the set of possibilities increases to over 60 million (7,776 × 7,776, also written 7,776²). This offers better security, but computers can go through trillions of these per second, so it's not actually secure enough.
It turns out that 7,776⁷ (that raised 7 is where the seven words come into play) is a huge number. Even at a brute force rate of a trillion tries per second, it would take 27 million years to exhaust the list of words. If someone were to get lucky and manage to find the passphrase within the early stages (say, the 10% mark), that still represents 2.7 million years. The 1% mark? 270,000 years.
Cool. So what's the deal with the die? Can't you just pick any seven words?
Nope. Because when you pick "random" words, they're usually not random. They tend to be words you know. And words you know are probably those that most people know and use. This tends to limit the set of words (for example, you probably wouldn't select "zootropic" off the top of your head). Furthermore, chances are you'll arrange them in a linguistically logical way so you can memorize the passphrase more easily. Again, the effect is to limit the passphrase set.
Of course, using the Diceware method above doesn't provide failsafe randomness. For example, you roll five numbers and look up the word…and it's a word you don't like / can't memorize / have never seen before / is against your religion / whatever, so you roll again, finding a word that is more suitable for your awesome passphrase.
Such an act also artificially limits the set of words. People in the business of hacking passwords don't rely on brute force methods alone. Rather, they try to get into your head and have a stab at what you may have decided to choose as a password or passphrase. That's why names of family members, dates of birth of loved ones, your personal heroes, the name of your first pet, etc. are generally considered to be valuable clues: this and other personal information is generally used as the basis for a password.
Only true randomness protects you from yourself. Which, incidentally, is the basis of modern encryption.
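The arithmetic behind the post, as an added example that is not from the original article or from the Diceware project: it computes the keyspace and entropy of an n-word passphrase, the average cracking time at the trillion-guesses-per-second rate assumed above, and shows how much entropy is lost when you "re-roll" until you land on familiar words. The word list is a constructed placeholder (every 5-roll key maps to a dummy word), and `secrets` stands in for the physical die.

```python
import itertools
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5      # 7,776 words, one per five-roll key
TRILLION_PER_SECOND = 1e12       # brute-force rate assumed in the text
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Distinct passphrases of n_words drawn (with replacement) from the list."""
    return list_size ** n_words


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits: n * log2(list size). ~12.9 bits per Diceware word."""
    return n_words * math.log2(list_size)


def expected_years_to_crack(n_words: int, rate: float = TRILLION_PER_SECOND,
                            list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Average case: the attacker hits the phrase halfway through the keyspace."""
    return keyspace(n_words, list_size) / 2 / rate / SECONDS_PER_YEAR


def roll_key(rolls: int = 5) -> str:
    """Five die rolls -> lookup key such as '35214'. A CSPRNG replaces the
    physical die here; the 'random' module would not be an acceptable substitute."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def passphrase(wordlist: dict, n_words: int = 7) -> str:
    """Seven words = 35 rolls, joined with spaces, no re-rolling allowed."""
    return " ".join(wordlist[roll_key()] for _ in range(n_words))


# Constructed stand-in for the real Diceware list: every key maps to a placeholder word.
SAMPLE_WORDLIST = {"".join(k): "w" + "".join(k)
                   for k in itertools.product("123456", repeat=5)}

if __name__ == "__main__":
    for n in (1, 2, 7):
        print(f"{n} word(s): {keyspace(n):.3e} phrases, {entropy_bits(n):.1f} bits, "
              f"~{expected_years_to_crack(n):,.0f} years on average at 1e12/s")
    # Re-rolling until you get "nice" words shrinks the effective list. If only
    # ~2,000 familiar words ever survive that filter, seven of them give:
    print(f"7 familiar words only: {entropy_bits(7, 2000):.1f} bits")
    print(passphrase(SAMPLE_WORDLIST))
```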
If you're not a gamer or interested in computer games, you may not be familiar with Twitch, a site that streams live feeds of people playing (and commenting on) titles like League of Legends or Counter-Strike. However, the site is extremely popular – techcrunch.com notes that it's the "fourth largest site… in terms of peak traffic" – and, thus, it shouldn't surprise anyone that it's a target for hackers. It looks like the hackers finally had their day: the team at Twitch notified users that they were forced to reset all passwords because of a data infiltration.
They also noted that all passwords were "cryptographically protected"… so what's the deal with the passwords being reset? After all, isn't encryption supposed to be nearly impossible to break?
When it comes to encryption, though, encryption is not encryption is not encryption. That is, there are all sorts of cryptographic solutions, each meant to do one thing (and not another). For example, a common misunderstanding that we at AlertBoot run into is how laptop disk encryption works.
A sizable minority are under the impression that disk encryption allows files to be sent over the internet securely. Or that, since the laptop is encrypted, data copied to a backup disk will also be encrypted automatically. This couldn't be further from the truth, and is an excellent way to increase the risk of a data breach. Disk encryption works by literally encrypting the hard disk of a computer…and nothing more.
Technically, files on an encrypted disk are not encrypted. As I noted above, it's the disk that's encrypted. The files just happen to be protected because they're sitting in an encrypted storage medium. This is why, if the same files are copied to an (unencrypted) external hard drive or sent as an attachment via email, they'll be sent and received as plain, unencrypted files.
File encryption would resolve that problem but introduce its own: each new file would require encryption. Accessing already encrypted files would require that the password be entered each time you try to open them. Data security blind spots like temporary files would become a problem.
So, each type of cryptographic solution has its pros and cons.
When it comes to passwords, something known as a cryptographic hash is used. Technically, this is not encryption. This is a process where plain text is converted into gibberish…but it cannot be converted back. It's ideal for passwords because it ensures that only the user and no one else (not even system administrators) knows the password.
So, why did Twitch reset these passwords? Because there is still a way to figure out these hashed passwords. Essentially, you hash a list of common passwords and see what you get. Because the hash algorithm will always return the same output for a given input, it's a matter of comparing the stolen hashes to the known input-output pairs.
Granted, the hackers won't be able to figure out each and every single password, but the sheer size of Twitch's user base guarantees that the hackers will uncover enough of them to cause damage.
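The comparison described above, as an added example that is not from the original post and says nothing about what Twitch actually used: a constructed table of unsalted SHA-256 hashes is checked against a short list of common passwords, and beside it is the form a defender should store instead (a per-user random salt plus a slow key-derivation function, here PBKDF2 from the standard library), which makes one precomputed list useless across users and makes each guess far more expensive. All usernames, passwords and hashes are constructed inline.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a very short "common passwords" list.
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty", "letmein", "dragon"]


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: the same input always yields the same output."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "stolen" records: unsalted SHA-256 only, as in the weak case.
STOLEN_UNSALTED: Dict[str, str] = {
    "alice": sha256_hex("letmein"),      # a common password
    "bob": sha256_hex("Tr0ub4dor&3"),    # not in the common list
}


def recover_from_common_list(stolen: Dict[str, str], common: List[str]) -> Dict[str, str]:
    """What the post describes: hash each common password once, then look every
    stolen hash up in that table. Without a salt, one table covers all users."""
    table = {sha256_hex(p): p for p in common}
    return {user: table[h] for user, h in stolen.items() if h in table}


# Defender side: random per-user salt + slow KDF. Two users with the same
# password get different digests, and each guess costs ITERATIONS hashes.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


if __name__ == "__main__":
    print("matched from common list:", recover_from_common_list(STOLEN_UNSALTED, COMMON_PASSWORDS))
    s1, d1 = hash_password("letmein")
    s2, d2 = hash_password("letmein")
    print("same password, different salted digests:", d1 != d2)
    print("verify ok:", verify_password("letmein", s1, d1), "wrong:", verify_password("nope", s1, d1))
```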
I've just run across a data breach notification that is a first of its kind: a data breach where the affected organization tells its clients (technically, patients) that nothing happened. It's like the Seinfeld show of data breaches. The breach notification letter is about nothing. Absolutely nothing. Yet, there is something there.
All kidding aside, this situation is a novel reason for deploying HIPAA encryption software in medical environments.
According to ktvz.com, Mosaic Medical in Oregon has notified 2,207 patients of a "possible" breach of medical information. In January of this year, Mosaic discovered traces of a break-in at their Health Information Technology department. Indeed, the organization said:
"There was nothing stolen from the office, and there was no breach of our electronic medical records system. There is no evidence that anything in the office was disturbed."
Why the breach notification letter? The problem lies with their non-digital (i.e., paper) documents:
"we cannot say with certainty that no medical records were accessed. The personal information that was possibly accessed was on paper documents within the office and included health information, medical insurance information, phone number, and e-mail addresses."
Of course, there is always the possibility that these medical records were not accessed – it could be that the guy doing the B&E got cold feet as he (or she or they) was crossing the threshold from vandalism to outright burglary.
The above highlights an interesting situation. Forget for a moment that a medical office tends to have paper documents with sensitive data on them (for one, incoming patients have to fill out forms). Let's imagine a situation where all data is computerized and that "to suffer from a data breach" means an unauthorized third party accessed medical data.
Under the current HIPAA/HITECH regulations, covered entities and their business associates are to assume that a potential data breach situation ("potential" because it's not known whether a data breach actually occurred; a lost laptop, for instance) will result in a data breach, and thus is a data breach, unless it can be proven otherwise.
In this light, one can easily see why the use of disk encryption software provides safe harbor under HIPAA/HITECH when dealing with lost or stolen laptops: knowing that the odds of brute-forcing one's way into an encrypted laptop are minimal, one can assume that the contents of the device are safe if encrypted. There are, of course, caveats: if the password was written on a post-it and stuck to the laptop, or if the person who absconded with the laptop is the user (think of ex-employees, for example).
With Mosaic above, even if they operated a fully digital office without a trace of paper, they'd still have to notify their 2,000-odd patients of a potential data breach if they didn't use computer encryption software. The reason is that it's not really possible to figure out whether a computer has been accessed or not: sure, you can set up a system to log all such instances. At the same time, erasing such logs and cleaning up any digital traces is not exactly rocket science.
Is the use of encryption a silver bullet for HIPAA covered entities that are looking to gain safe harbor from the notification requirements found under the HITECH Breach Notification Rule? Generally, yes. There is a caveat, however, as Amedisys's recent breach notification shows: you must be able to prove that the encrypted data remains secure after the data breach. Otherwise, what's the use of using HIPAA-grade encryption software for laptops?
What happened at Amedisys? On March 2nd, the hospice care provider revealed that they were unable to account for 142 encrypted computers and laptops. Which is unusual for a number of reasons:
That's a lot of devices. Was the company not doing regular checks, say every 12 months or so? Because that's a lot of devices to go missing unless audits were pretty rare.
These devices were encrypted. Although there's always room for mistakes and paranoia, if the company determined that all of these were encrypted when they went missing, there's really no reason to notify anyone about it. (It should be noted that Amedisys issued a press release, which means they elected to notify basically everyone who had an internet connection.)
While the ratio of missing desktop to laptop computers was not given, it's hard to imagine that it took an inventory check to see whether desktop computers were missing. Even if only one were missing, it tends to raise alarms in a way missing laptops do not.
The company further stated that the following personal information could have been stored on these devices: "name, address, Social Security number, date of birth, Medicare and insurance ID numbers, medical records and other personally identifiable data."
Amedisys revealed that a total of 6,909 patients were affected. Where did these laptops and desktops go?
As it turns out, these devices were "assigned to Amedisys clinicians and other team members who left the company between 2011 and 2014." And that's a problem in many ways.
The last time I checked, computing hardware still costs a bit of money. That these devices were essentially given away when people left employment means either that Amedisys had poor controls or is (was?) a very generous company. (On second thought, it could also mean the devices were so subpar technologically that management decided giving them away would be cheaper than collecting them.)
Also, the software that is installed on these unaccounted-for machines can be costly. For example, the cost of AlertBoot's full disk encryption is on a "per machine" basis, regardless of how many logins are tied to each one of those machines. Let's say that Amedisys was using AlertBoot. Unless the licenses are retrieved from the missing devices, the company would be footing the bill for machines it no longer controlled. Admittedly, we cannot exclude the possibility that the company was using free software like the recently-deceased TrueCrypt, which would make such losses impact-free from a financial perspective.
The biggest problem, though, and the one that touches on the HIPAA encryption caveat I mentioned at the top of this post, is that the information of patients can be breached despite the use of strong encryption: the clinicians and other team members have the passwords and can access the data.
One of the rising problems of medical data breaches centers around employees: while most can be trusted, there is that small faction with a bent towards malfeasance. If we can claim that around 2% of employees engage in activities like stealing medical IDs for resale on digital black markets, and that each missing Amedisys device represents one person, then about 3 people could have made use of the fact that they conveniently hold the passwords to encrypted data.
(One way of preventing such scenarios, assuming that devices cannot be collected, is to trigger a remote wipe of the data – if the encryption solution has such a capability built in, the way AlertBoot does.)
One of the worst US states in which to have a data breach, especially a medical data breach, is probably California: in addition to federal HIPAA regulations, California has shown itself to be quite aggressive when dealing with medical entities that experience a data breach. Indeed, there's some (valid) criticism that the CA Dept. of Public Health is a bit more heavy-handed than its federal counterpart. So, it always catches me by surprise when I see a California health organization filing a data breach notification and admitting to the lack of disk encryption on its stolen laptops.
Valley Community Healthcare (VCH), according to databreaches.net, has filed a breach notification letter with the Office of the Attorney General (California). In the letter, the organization divulges that a laptop computer that was used in conjunction with an EKG machine was stolen. This was discovered on February 24.
The machine contained names and dates of birth but no SSNs, driver's license numbers, ID card numbers, or financial data (that last one, if it were present, would be quite surprising; why would you load financial details on an EKG machine?). The machine was "secured" with password protection but did not make use of medical laptop data encryption solutions like AlertBoot.
The importance of encrypting laptops that contain sensitive data can hardly be overstated. This is especially true when it comes to medical data because the government, at the state and federal level, takes data breaches very seriously: increasing financial penalties as well as other forms of censure (biannual reports on the state of IT security; unannounced audits; etc.) are evidence of the greater importance placed on personal medical data security.
Possibly as a reflection of this, VCH has also promised "additional security measures, including IT encryption and storage of medical databases, and securing computers so that they cannot be removed."
While such an action is to be welcomed, the truth is that it's quite disappointing. Why do it after you've experienced a data breach? Why not do it before it happens? It's like promising to always wear a seatbelt after you've been in a near-fatal accident.
According to dailymail.co.uk and other sites, the offices of Dr. Johannes Peil were broken into last week. Whether this caused a data breach hasn't been revealed but it has certainly raised the alarm because Dr. Peil is the doctor to F1 racecar driver Michael Schumacher and other prominent individuals. One would hope, based on the patients the doctor ministers to, that the stolen device was properly protected with the likes of medical laptop encryption solutions like AlertBoot.
As scandals have revealed over the past number of years, celebrity news and star gazing (not the interstellar kind) is big business on the European continent. The competition among celebrity rags is so fierce that certain publications willfully crossed the line and surreptitiously hacked cellphones and other devices to get the inside scoop, literally.
Not even private health data was verboten from consideration, as Schumacher's family found out last year: a man who had helped the F1 champion during a skiing accident tried to capitalize on his services by offering details of Schumacher's medical condition to the rags. He was subsequently arrested and later committed suicide while behind bars.
Based on such experiences, the latest laptop theft does not bode well for Schumacher's privacy: despite items other than the laptop having been pilfered (including petty cash, perfume, and prescription forms), the assortment is odd enough to make one wonder whether they were a smokescreen for the real prize, the contents of the laptop, especially when taking into account that several men were involved. I mean, can you imagine a band of male thieves saying to themselves, "quick, grab that perfume on the doc's desk"?
We live in a world where access to sensitive information can be restricted, and quite successfully. The use of disk encryption software is one such way, as governments keep reminding us: in the same breath they condemn its use (because encryption makes it harder for law enforcement to do its job) and encourage it as well (because data breaches in all forms are growing exponentially and don't show any signs of abating).
Assuming that the doctor's stolen laptop was encrypted, the odds are that any information within it will remain secure. In fact, I cannot imagine it not being encrypted: in addition to Schumacher, the Dalai Lama is also a patient of Dr. Peil. If memory serves, spyware (supposedly created by China) had been found on His Serenity's laptop, which is a tricky maneuver. Hiring some goons to break into his physician's office would be, in comparison, a cakewalk. Encrypting any and all data storage devices as a contingency would be prudent, I think, to most people.