AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Encryption Software Not Used On South Shore Hospital Backup Files?

South Shore Hospital in Weymouth, MA has announced a massive data breach.  Backup files, shipped to be destroyed, have ended up partially missing.  Up to 800,000 people are involved in this breach.  It sounds like data encryption was not used to protect the contents, although I'm wondering whether it was necessary in light of what is revealed.

Medical Information Lost

The backup files were sent on February 26 to a data consultancy that was charged with the destruction of the files.  After repeated contact by the hospital, the consultancy was forced to admit, on June 17, that they had only received a partial shipment of the files.

The files included personally identifiable information for 800,000 people:

including patients who received medical services at South Shore Hospital as well as employees, physicians, volunteers, donors, vendors and other business partners associated with the hospital between Jan. 1, 1996, and Jan. 6, 2010. [thebostonchannel.com]

The information on the backup files included the following:

  • Full names, addresses, and phone numbers
  • SSNs and driver's license numbers
  • Medical record numbers and patient numbers
  • Health plan information, dates of service, and PHI (protected health information, such as diagnoses and treatments)
  • Bank account info and credit card numbers may have been present for a small number of people

South Shore didn't reveal what type of media was used to transport the information (backup tapes, probably) or whether file encryption was used to protect the data.  On the other hand, it was not stated that the latter wasn't used, either, so I can't discount it.

However, it's notable that encryption wasn't mentioned, but the hospital went on to point out that "an independent information-security consulting firm has confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files." [databreaches.net]

This could mean that encryption was used (specialized software, technical knowledge, etc.), but if so, why not just state that an encryption program was used?

Why This Breach Won't Translate Into Danger...and How It Could

In the past, for similar cases, I have often pointed out how the assurances of specialized software and technical knowledge were not necessarily reasons for feeling safe--assuming it didn't refer to encryption technology.  There are a number of ways of getting data out of "old files."  For example, in certain instances a hex editor can be used to glean information.  The methods really are myriad.
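A pre-shipment check for the point above, as an added example that is not part of the original post: it shows that binary record framing alone leaves identifiers readable, while an encrypted image does not. The record layout, the function names, and the 7.5 bits-per-byte threshold are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# SSN-shaped token (ddd-dd-dddd) that is not part of a longer digit run.
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for text records."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_media(data: bytes, min_entropy: float = 7.5) -> dict:
    """Flag media that still exposes readable identifiers or looks unencrypted."""
    hits = SSN_RE.findall(data)
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "ssn_like": len(hits),
        # High entropy is necessary, not sufficient: compressed data also scores high.
        "ok_to_ship": entropy >= min_entropy and not hits,
    }

def build_sample_backup() -> bytes:
    """Constructed sample: binary framing around plaintext fields (000-prefixed SSNs are never issued)."""
    records = [(b"DOE, JANE", b"000-12-3456", b"MRN0000001"),
               (b"ROE, RICHARD", b"000-65-4321", b"MRN0000002")]
    out = b"BKUP\x00\x01"  # hypothetical magic/version header
    for name, ssn, mrn in records:
        body = b"\x00".join((name, ssn, mrn))
        out += struct.pack(">H", len(body)) + body  # length-prefixed record
    return out

def stand_in_ciphertext(size: int = 4096) -> bytes:
    """Deterministic pseudorandom bytes standing in for an encrypted image (not real encryption)."""
    return hashlib.shake_256(b"constructed sample").digest(size)

if __name__ == "__main__":
    print("framed plaintext:", audit_media(build_sample_backup()))
    print("ciphertext-like :", audit_media(stand_in_ciphertext()))
```

A pass from this check only means nothing obvious is exposed; the guarantee comes from the encryption step itself and from how the keys are handled.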

Here's a story that illustrates how old files are secure, and how they're also not: the recovery of NASA's Lunar Orbiter Tapes.  In a nutshell, these tapes sat around for 20 years until someone finally managed to reconstitute an FR-900 Ampex tape drive, of which only a few dozen had been made for the military.  Parts had to be scavenged from junkyards and whatnot.

Ultimately, the images were recovered through an extraordinary set of events--or as most people call it, hard work, dedication, and tremendous luck--at a cost of $250,000.

This particular story shows how data in outdated formats can be secure: no hacker is going to spend $250,000 and three months to get himself some SSNs, I can assure you.  On the other hand, a production run of 36 machines is pretty much unheard of in modern times.  The security (or rather, the lack of accessibility) afforded in the case of the Lunar Orbiter tapes comes from a remarkable dearth of machines that could read the data, and of people with the skill sets to fix them.

Whether South Shore Hospital can count on such a shortage of devices and people with the required technical skills...your guess is as good as mine, although I'm one to opine that they can't.

How Encryption Software Would Have Helped

A better form of protection--one that people can count on to safeguard data--is encryption, such as AlertBoot's managed encryption software.  Encryption was created for the express purpose of securing information, and is, at this point, virtually impossible to crack.

As I see it, South Shore had two options when it came to destroying those files:

  1. Get a mobile data destruction company--one that will come to your premises and destroy whatever needs destroying.  Shipping unsecured but sensitive data is always a bad idea.
  2. Encrypt the files before sending them to be destroyed.

In the past I would have offered a third option: encrypt the files and call it a day.  For all practical purposes, there is no reason for concern, assuming passwords are also destroyed.

On the other hand, the practice is discouraged under HIPAA/HITECH.


Related Articles and Sites:
http://www.thebostonchannel.com/mostpopular/24311150/detail.html
http://www.databreaches.net/?p=12550

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.