in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Disk Encryption Software: Ashford and St Peter's Loses USB Drives, Pledges Better Handling

Three missing USB memory drives have prompted the Ashford and St Peter’s Hospitals NHS Trust to sign an undertaking with the Information Commissioner's Office.  The missing devices, which did not use full disk encryption, held cancer patient data.

The Details

The data included full treatment and diagnosis of cancer patients, and was stored in Microsoft Word format.  This last detail is sufficient to deem that the information "could have been easily accessed by anyone with use of a computer." (I've often wondered about this.  More on that later.)

The USB sticks were used to transfer patient data at "weekly multi-disciplinary clinical team meetings." (More on this later a well).

Information Saved In Word Format

When sensitive data goes missing, spokesmen for the affected organizations often proclaim that the risk of accessing the data is low because they're stored in an uncommon (not easy to access) format.  I've often wondered what this means.

I've often presupposed that it meant the missing files were stored in a relatively "obscure" format like Microsoft Access (a database program, if you're familiar with it).

Only in a couple of cases was the missing data in proprietary format (meaning, the software was custom created for a company and cannot be found off-the-shelf).  Just because data happens to be saved in a proprietary format doesn't mean that it cannot be read, however.

I remember how I tested out Google Desktop back in the day.  It's software that, among other things, can index your computer's files for easier and faster search.

My recollection may be wrong, but I seem to recall that Google Desktop was able to find content within files that I forgotten about.  Files to which the corresponding applications I had deleted in order to free up some space.  With such search software (and there are many others similar to Google Desktop, but geared towards mining information, such as SSNs), the format of a file doesn't matter.

About the only thing that can stop such software from finding sensitive information is encryption software, in the above case, file encryption.

Using USB Sticks

Some of the more frequent comments I read when sensitive information goes missing is "sensitive information should always be on a secure server, and accessed via some dumb terminal," or something thereabouts.

My own stance has been, yes--but there's always exceptions, and this probably one of them.  Medical establishments are generally a mishmash of different technologies.  The truth is, whatever technology one has in place probably cannot cater to the demands of a multi-disciplinary team.

Which is why methods that don't follow the workflow in place are invented and used--the transfer of data via USB sticks being one of them.  Instead of blowing money on a custom-built solution that promises more than it can deliver, maybe a more pragmatic approach can have more impact.  For example, using USB drives that are protected with whole disk encryption.  The devices are already being used, and it's just a little step to secure them.


Related Articles and Sites:
http://www.databreaches.net/?p=8001
http://www.ico.gov.uk/upload/documents/library/data_protection/notices/ashford_hospital_undertaking.pdf

 
<Previous Next>

North Carolina Data Privacy, Data Breach, And Encryption Law

Data Security Update: Lost CalOptima CDs Found

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.