AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

July 2010 - Posts

  • Data Encryption And The Cost Of Data Breaches: FTC Says Put Your Money Where Your Mouth Is?

    If you're a HIPAA-covered entity, you probably want to use data encryption software to protect any sensitive patient data.  Otherwise, when a breach occurs, you'll have to notify a number of people: under current HIPAA regulations, that means the HHS and the affected patients (and, when more than 500 residents of a state are affected, prominent media outlets as well).

    If a recent proclamation by the FTC is any indication, covered entities will have to watch out what they claim.

    "Deceptive and Unfair"

    Rite Aid recently settled with the FTC and the HHS on charges that it failed to protect sensitive financial, medical, and health information.  That's hardly surprising, seeing how its stores were found dumping job applications and pharmacy labels full of personal information into ordinary open dumpsters.  The FTC and the HHS launched their investigations after television news reports showed Rite Aid's lax disposal practices.

    So far, nothing surprising about all of this.  What caught my eye, however, is the following in the FTC press release:

    Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair.[My emphasis]

    Yikes.  That quote by Rite Aid is pretty much standard in all the breach notification letters I've read to date.

    You might be wondering what the FTC has to do with all of this.  The FTC's leverage here is Section 5 of the FTC Act, which covers unfair or deceptive practices: Rite Aid made public promises about protecting customer information and, per the complaint, didn't keep them.  (HITECH does give the FTC a breach-notification role, but for vendors of personal health records and similar entities that are not HIPAA-covered, not for HIPAA breaches generally.)

    What if Laptop Encryption was Used?

    Not just laptop encryption like AlertBoot, but what if any type of tool or technology meant to protect data was used?  It's debatable, and ultimately depends on what the HHS and the FTC want to do, I guess.

    We know, for example, that the HHS grants safe harbor--from sending breach notification letters if a laptop is lost, stolen, missing, etc.--when the protected health information on it is encrypted in a manner consistent with HHS guidance and the key hasn't been compromised along with the device.

    On the other hand, look at the list of Rite Aid's "failures," per the FTC press release:

    • Disposing of personal information,
    • Adequately training employees,
    • Assessing compliance with its disposal policies and procedures, and
    • Employing a reasonable process for discovering and remedying risks to personal information.

    I'm willing to bet that failure to adequately comply with the above also impacted the final settlement figures.  Notice that encryption tools address none of the above: those are process and paper-handling failures, and an encrypted disk does nothing about a pharmacy label in a dumpster.

    One thing to be said about the use of encryption is that, if I recall correctly, you don't have to contact anyone about the loss of an encrypted device: not the people "affected" by the breach, not the HHS, no one.  And, if you don't alert anyone outside the business, there is no reason for the FTC or the HHS to come investigate you.

    Which means that, perhaps, the use of encryption could resolve a lot of headaches, more than the technology is intended to.

    I'm not too enthused about this conclusion, since proper data security requires a framework that includes medical encryption and other information security tools as well as the four points (and others) detailed by the FTC.

    However, if I am a company that needs to comply with HIPAA, I'd be crazy not to accept any advantages extended to me.  Data security is already pretty hard as it is.


    Related Articles and Sites:
    http://www.databreaches.net/?p=12712

     
  • Data Encryption Software: Perhaps Solution To SCADA Is USB Port Blocking?

    As I've noted before, the SCADA worm (or, more accurately, the Stuxnet worm/Trojan) has nothing to do with drive encryption software like AlertBoot.  But, perhaps a service that's included in AlertBoot could be of help.

    Fractured Reporting

    I didn't realize it last week, but the worm affecting SCADA is actually bundled together with the Microsoft .lnk shortcut vulnerability, an attack that spreads via USB drives.  The attack fires as soon as Windows Explorer renders the icon of a malicious shortcut file, so simply browsing the drive's folder is enough (I want to say "infected shortcut icon" but it sounds wrong for some reason).  Disabling autorun and autoplay in Windows can't prevent the infection, according to zdnet.co.uk, because no autorun is involved: the icon rendering itself triggers the exploit.

    In other words, you pop in an infected USB memory drive, open it up, and you're now infected.  In order to prevent this from happening, you can get Sophos's Windows Shortcut Exploit Protection Tool for free.  This was designed for people who don't use Sophos's antivirus software but need the protection.

    Microsoft currently doesn't have a patch; its security advisory offers only workarounds, such as disabling the display of shortcut icons.

    Why Does A SCADA System Have USB Ports?

    The above was the question a commenter left after reading the zdnet story.

    Hm.  That's an interesting question.

    As another commenter noted, probably because of the keyboard and the mouse: PS/2 ports are generally not found in modern computers, so the same port type that reads and writes USB thumb drives is also used for hooking up input devices.

    Of course, perhaps the real question is "why are people popping in their USB flash drives into a critical system?"  And maybe the answer is, "because they can."

    While encryption can't do much in the above situation, perhaps a security tool in AlertBoot's arsenal could be of help: Port control software.

    Port control allows an administrator to specify which devices can communicate via the USB ports.  For example, mice and keyboards generally don't pose a risk and are required to make use of critical systems like SCADA, so they're allowed.  On the other hand, perhaps that's not the case with other USB-based devices (your iPod, for example, shouldn't really be connecting to a machine that regulates a power plant).

    You can see how such an application would be invaluable for managing the security of critical systems.  In fact, here's what our company's page on port control has to say:

    AlertBoot Port Control prevents unauthorized use of serial, parallel and other ports and controls access to CD-R or DVD-R drives

    • USB ports (USB keys, personal music players, external hard drives, PDAs)
    • Serial ports (PDAs, old communication devices)
    • Parallel ports (Printers, old communication devices)
    • FireWire (external hard drives, personal music players, PDAs)
    • IrDA® (Infrared receivers, handheld portables, cell phones, cameras)
    • CD-R/DVD-R (burning data on CDs or DVDs)

    Selective access control based on device classes, brand, and ID

    Extended features of Port Control allow an organization to adapt the security control policies to accommodate new devices or ports. Organizations can also discriminate between "good" and "bad" devices based on the devices classes, brand, and ID. This allows organizations to continue to use selective USB tokens or keys that are approved for use while excluding the use of other devices on that USB port.
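    To make the "device classes, brand, and ID" policy above concrete, here is an added example in Python (my own illustration, not AlertBoot's code or any part of its product): a small allow-list evaluator applying the decision a port-control agent has to make when a USB device enumerates.  The USB class codes are the real USB-IF base classes; the vendor IDs, product IDs, serial numbers and the sample devices themselves are constructed placeholders.

```python
"""Added example, not code from AlertBoot or from the original post: a small
allow-list evaluator showing the decision a port-control agent makes when a
USB device enumerates, keyed on the three attributes the post names (device
class, brand/vendor, and individual device ID).

Class codes are the real USB-IF base class values (0x03 HID, 0x08 mass
storage). Vendor IDs, product IDs, serial numbers and the sample devices are
constructed placeholders for the example.
"""
from dataclasses import dataclass

USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # thumb drives, external disks, most music players


@dataclass(frozen=True)
class UsbDevice:
    device_class: int
    vendor_id: int
    product_id: int
    serial: str
    label: str


@dataclass(frozen=True)
class PortPolicy:
    # Classes allowed for any device reporting them.
    allowed_classes: frozenset
    # Exact (vendor_id, product_id, serial) triples allowed despite their class.
    approved_devices: frozenset


def evaluate(device: UsbDevice, policy: PortPolicy) -> tuple:
    """Return ('allow' | 'deny', reason) for one enumerated device.

    Order matters: a class-wide allow is checked first, then the per-device
    exception list, and everything else is denied by default.
    """
    if device.device_class in policy.allowed_classes:
        return "allow", f"class 0x{device.device_class:02x} allowed by policy"
    identity = (device.vendor_id, device.product_id, device.serial)
    if identity in policy.approved_devices:
        return "allow", "vendor/product/serial on the approved list"
    return "deny", f"class 0x{device.device_class:02x} blocked; device not individually approved"


# Weak policy: treats all storage as acceptable, so any thumb drive mounts.
PERMISSIVE = PortPolicy(
    allowed_classes=frozenset({USB_CLASS_HID, USB_CLASS_MASS_STORAGE}),
    approved_devices=frozenset(),
)

# Hardened policy: HID only by class; storage only for one approved token.
STRICT = PortPolicy(
    allowed_classes=frozenset({USB_CLASS_HID}),
    approved_devices=frozenset({(0x1111, 0x0001, "TOKEN-0001")}),  # placeholder IDs
)

# Constructed sample devices (placeholder vendor/product IDs and serials).
KEYBOARD = UsbDevice(USB_CLASS_HID, 0x2222, 0x0010, "", "operator keyboard")
RANDOM_STICK = UsbDevice(USB_CLASS_MASS_STORAGE, 0x3333, 0x0100, "ABC123", "contractor thumb drive")
APPROVED_TOKEN = UsbDevice(USB_CLASS_MASS_STORAGE, 0x1111, 0x0001, "TOKEN-0001", "approved site token")
CLONED_TOKEN = UsbDevice(USB_CLASS_MASS_STORAGE, 0x1111, 0x0001, "TOKEN-0002", "same model, other unit")

SAMPLE_DEVICES = (KEYBOARD, RANDOM_STICK, APPROVED_TOKEN, CLONED_TOKEN)


def decisions(policy: PortPolicy) -> dict:
    """Apply a policy to the sample devices; returns {label: 'allow'|'deny'}."""
    return {d.label: evaluate(d, policy)[0] for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(name)
        for d in SAMPLE_DEVICES:
            verdict, why = evaluate(d, policy)
            print(f"  {verdict:5} {d.label:24} {why}")
```

    Two caveats worth keeping in mind.  Vendor ID, product ID and serial number are read from descriptors the device itself supplies, so a programmable USB device can present whatever identity it likes; ID-based allow-listing stops casual and accidental use, not a determined adversary with custom hardware.  Likewise, allowing the HID class wholesale means trusting anything that claims to be a keyboard.  Real enforcement also happens in the operating system's device-installation layer (device installation restriction policies on Windows, or the per-device authorized attribute in the Linux USB sysfs), not in a script like this one, which only shows the decision logic.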

    Related Articles and Sites:
    http://www.zdnet.co.uk/news/security/2010/07/16/spy-rootkit-goes-after-key-indian-iranian-systems-40089564/

     
  • Disk Encryption Software: HK Hospital's Computers Stolen During Break-In

    Hospital volunteers and patients at Hong Kong's Queen Mary Hospital are at risk because of a computer data breach.  Two desktop computers and an external hard disk were stolen, and it looks like drive encryption software was not used.

    700 Affected

    One of the stolen computers contained the information of 700 cancer patients and dozens of volunteers: Chinese and English names, ID card numbers, phone numbers, and addresses.  National ID card numbers are regularly traded in the electronic underground, since many online verification services accept them as proof of identity.

    It's not apparent whether the thieves were after the data or not.  Besides the computers and the hard disk, three computer monitors were also stolen.  Seeing how this is a literal break-in--door locks were broken and there were other signs of forced entry--it could very well be that thieves just wanted to get their paws on anything of value.

    On the other hand, once you have such goods in your hands, it doesn't take much to run cheap software that looks for sensitive data.  After all, if a thief steals a car, he'll probably go through the glove compartment and trunk as well, just to see what's in there.  I don't see why it would be any different for a computer.

    Hard Drive Encryption Software Would Have Helped

    This is not the first time a hospital in Hong Kong had to announce the breach of patient data.  About a month ago, two other HK hospitals announced a data breach, and I've also covered numerous cases of lost or stolen USB memory sticks and computer thefts in the past.

    Perhaps I shouldn't be, but I'm surprised when I hear that computers are not protected with encryption software when it comes to Hong Kong.  If a data breach happens in the US, it's somewhat understandable because the country is so large: one might not hear about a breach or what can be done to contain it, etc.

    Hong Kong has roughly 7 million people and a land area about five times that of Boston.  In other words, it's a small but densely populated city (fourth highest population density in the world, according to Wikipedia).  I bet you can't help but overhear--two tables to the right, while you're ordering steamed dumplings--what medical illness a stranger's cousin caught.

    My guess is that most medical establishments know of the dangers of not having their machines adequately protected.  Which in turn implies that a conscious decision was made not to use data encryption programs in this case.

    A shame, if this is true.  While hard disk encryption cannot prevent all types of data breaches, it is very effective against those resulting from the physical theft of computers and other storage devices: the thief gets the hardware, not the data.


    Related Articles and Sites:
    http://www.thestandard.com.hk/news_detail.asp?we_cat=4&art_id=101008&sid=29035889&con_type=1&d_str=20100727&fc=1
    http://www.phiprivacy.net/?p=3147

     
  • Drive Encryption Software Not Used On Missing Thomas Jefferson U Hospital Laptop

    Thomas Jefferson University Hospitals (TJUH) has announced a medical data breach today.  Approximately 21,000 patients are affected because a laptop was stolen from the hospital's premises.  Disk encryption software was not used to safeguard the contents of the laptop.

    "Renegade" Employee

    On June 14 (the breach notice was posted on July 23, more than a month after the theft), a university hospital employee alerted security personnel that his personal laptop had been stolen from an office.  This personal laptop contained protected health information (PHI, the HIPAA term for patient information) for 21,000 people who received inpatient care at TJUH over a six-month period in 2008.

    The university forbids the storage of PHI on computers it did not issue, a policy the employee didn't follow.

    The PHI included consists of names, dates of birth, gender, ethnicity, diagnosis, SSNs, insurance information, hospital account number, and other internal codes.

    The employee had turned on password protection on his device; however, this is not considered adequate protection.  An operating-system logon password only gates the operating system: anyone holding the laptop can boot from a CD or USB stick, or move the drive to another machine, and read every file on an unencrypted disk.  (TJUH's security breach notice keeps emphasizing the lack of encryption software on the machine for a reason.)

    Allowing Personal Laptops in the Workplace

    One thing I noticed about the breach notice's contents is that, while saving PHI to non-university devices is prohibited, it was never mentioned whether it was also forbidden to bring in and use a personal laptop in a hospital setting.

    Personal machines being used in the workplace are a mixed blessing.  On the one hand, it could conceivably lower the hospital's own costs and increase productivity, since a new machine doesn't have to be issued to an employee and the employee doesn't require retraining on that new machine.  I'm assuming, naturally, that one knows how to navigate one's own computer.

    I'm also reminded of an experience I had in grad school: I was dealing with an inordinate amount of information for a spreadsheet.  I needed to create some graphs using this information and it took forever to graph them in the computer labs.  In fact, some machines were underpowered to the point that they would hang up.  I could either try to gain access to the computer science department's machines (not a CS major) or use a personal device.  I chose the latter.

    If an employee is issued a dinosaur of a computer, it's not inconceivable that he would bring in his own device just to be a good trooper and finish his task.

    On the other hand, it does mean an increased risk of a data security breach for a number of reasons:

    • The employees' machines may be infected with malware that now has access to the workplace's network, effectively bypassing the organization's perimeter firewalls;
    • There's probably no automated backup for personal machines, meaning that there is a loss of work if a computer malfunctions;
    • Troubleshooting, if extended to personal devices, would be nearly impossible with everyone's own configurations (one way to ease troubleshooting queries is to have everyone use the same machine); etc.

    Ultimately what it comes down to is: there is a lack of control.  While ruling an organization's IT realm with an iron fist tends to work contrary to an organization's interests, keeping it loosey-goosey does so as well.

    Using Data Encryption Software on Personal Devices?

    Theft is not the underlying problem here.  If a TJUH-issued computer had been stolen from the same office, it wouldn't have resulted in a data breach because, as the hospital implies, all TJUH laptops are protected with an encryption solution (something similar to AlertBoot managed encryption).  (Plus, one has to face the reality that things will be stolen from any open environment like a hospital.)

    So, perhaps, having personal computers encrypted by the hospital would make sense?  After all, if an organization is not going to frown on it, they should do the minimum to support it--at least, when it comes to data security.


    Related Articles and Sites:
    http://www.jeffersonhospital.org/Patients/data-security.aspx
    http://www.phiprivacy.net/?p=3138

     
  • Drive Encryption Used In Missing Iowa Dept. Agriculture Laptop? Why The Notification?

    The theft of a laptop from an employee's car has led the Iowa Department of Agriculture and Land Stewardship (IDALS) to announce a data breach.  The laptop made use of data encryption software (something similar to hard disk encryption, probably).  So why announce a breach?

    3,404 Iowans Affected

    The breach affects Iowa residents that participated in the Iowa Horse and Dog Breeding Program.  The laptop was stolen from an employee's car during a car break-in yesterday (July 22).  The computer contained names, addresses, phone numbers, and Social Security numbers.

    It was stated that "the computer did have an encryption protection," but the department is nonetheless encouraging people to sign up for ID fraud alerts and the like.

    Why the Breach Announcement?

    Iowa passed a data breach notification law around 2008.  Losing a person's first and last name along with the SSN is grounds for sending out notification letters.  Unless encryption software is used, that is: if the information was encrypted, safe harbor is granted from going public.

    There is, however, a provision in there that requires a breach notification if there is an elevated risk to those involved in the breach.

    Could it mean that the machine was encrypted, but the password for accessing the device was also present?  For example, perhaps taped to the laptop, or maybe jotted down on a notebook (the laptop case was stolen, too...those have space for a notebook).

    Or perhaps, instead of a full laptop encryption solution, the department had only used file encryption?  If so, there could be a risk, since file-level encryption protects only the files someone remembered to encrypt: an exported spreadsheet, a temporary file, or an e-mail attachment saved to the desktop can sit on the same disk in the clear, and nobody can guarantee such unprotected copies don't exist on that laptop.

    Or maybe the department is just being overly cautious.

    On the face of it, though, I must remark that this particular breach doesn't seem like one where a breach notification is necessary.  As it stands, it seems like a whole lot of fear mongering.


    Related Articles and Sites:
    http://www.agriculture.state.ia.us/press/2010Press/press07222010b.asp
    http://blogs.desmoinesregister.com/dmr/index.php/2010/07/22/theft-compromises-iowa-ag-department-program/
    http://www.omaha.com/article/20100722/NEWS01/707239899
    http://www.siouxcityjournal.com/news/state-and-regional/iowa/article_e50f9326-95e4-11df-95ed-001cc4c03286.html

     
  • Disk Encryption Software: CO Dept. Of Health Care Policy and Financing Announce Data Breach

    The Colorado Department of Health Care Policy and Financing (HCPF) has a very short entry on a data breach that affects approximately 111,000 people.  Was hard disk encryption used?  Hard to tell.

    Very Short

    As databreaches.net has noted, the data breach notice publicized at the HCPF is very simple.  In fact it is so short that I decided to reproduce the notice below:

    "State officials discovered that there was an unauthorized removal of a computer hard drive housed at the Office of Information Technology (OIT).
     
    The information did NOT include addresses, dates of birth, social security numbers or any other financial information that could be used for identity theft. It included name, state ID number and the name of the client’s program.
     
    Approximately 111,000 clients, or one-fifth of those receiving public health insurance, will receive notification by first-class mail, as required by HIPAA. "

    Won't Stay Short for Too Long, I Reckon

    I'm not worried about HCPF releasing such a short notice because I'm sure there'll be a follow up to this story:

    • It's affected 111,000 people, or as HCPF noted, one-fifth of people receiving public health insurance.  That's huge.  There's bound to be media coverage on this.
    • HCPF quoted the HIPAA requirement, as amended by HITECH.  This means they'll be notifying the HHS, which consequently will be listing the breach on its site for breaches affecting 500 or more individuals (not there as of this blog post), which will also bring nationwide attention.

    I get the feeling that the curtness of the HCPF's notice is not bureaucratic scheming, which usually works towards keeping the public in the dark, but rather a temporary measure to alert the public while they go about with their incident response.

    Was Disk Encryption Used?

    I doubt it.  I've recently made a couple of mistakes in making these "did they or didn't they" wagers when it comes to encrypted disks and HIPAA.  However, it still remains a fact that,

    • Most organizations don't want to go public with a data breach
    • This is especially true if they aren't legally required to do so
    • And even more especially true if people have no reason to be concerned

    Under the HITECH amendment to HIPAA, people affected by data breaches must be contacted via first-class mail (although alternatives are given depending on the circumstances).  This requirement didn't exist prior to HITECH, as far as I know.

    There is a twist, though: under the same amendment, a HIPAA-covered entity doesn't need to send such notifications if the lost or stolen patient information is protected with strong encryption.  The reasoning is simple: as long as the key isn't lost along with the device, whoever holds an encrypted drive holds nothing readable.

    (While there are those that argue that notifications ought to be made even if encryption is used, most people agree that the sheer amount of notifications being sent would lead to people ignoring the letters, just like some people throw away their junk mail without even glancing at the contents.)

    So, considering the above, it wouldn't be unwarranted to assume that full disk encryption like AlertBoot (http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx) wasn't used on the now-missing hard drive.

    And if not?  Well, I guess I'll have to eat crow again.  I've never had to do that twice in a month before....


    Related Articles and Sites:
    http://www.databreaches.net/?p=12611
    http://www.colorado.gov/cs/Satellite/HCPF/HCPF/1251575270108

     