South Shore Hospital in Weymouth, MA has announced a massive data breach. Backup files, shipped to be destroyed, have ended up partially missing. Up to 800,000 people are involved in this breach. It sounds like data encryption was not used to protect the contents, although I'm wondering whether it was necessary in light of what is revealed.
The backup files were sent on February 26 to a data consultancy that was charged with the destruction of the files. After repeated contact by the hospital, the consultancy was forced to admit, on June 17, that they had only received a partial shipment of the files.

The files included personally identifiable information for 800,000 people, including patients who received medical services at South Shore Hospital as well as employees, physicians, volunteers, donors, vendors and other business partners associated with the hospital between Jan. 1, 1996, and Jan. 6, 2010. [thebostonchannel.com]

The information on the backup files included the following:

- Full names, addresses, and phone numbers
- SSNs and driver's license numbers
- Medical record numbers and patient numbers
- Health plan information, dates of service, and PHI (protected health information, such as diagnoses and treatments)
- Bank account info and credit card numbers may have been present for a small number of people

South Shore didn't reveal what type of media was used to transport the information (backup tapes, probably) or whether file encryption was used to protect the data. On the other hand, it was not stated that the latter wasn't used, either, so I can't discount it.

However, it's notable that encryption wasn't mentioned, but the hospital went on to point out that, "an independent information-security consulting firm has confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files." [databreaches.net]

This could mean that encryption was used (specialized software, technical knowledge, etc.), but if so, why not just state that an encryption program was used?
In the past, for similar cases, I have often pointed out how the assurances of specialized software and technical knowledge were not necessarily reasons for feeling safe--assuming it didn't refer to encryption technology. There are a number of ways of getting data out of "old files." For example, in certain instances a hex editor can be used to glean information. The methods really are myriad.
Here's a story that illustrates how old files are secure, and how they're also not: the recovery of NASA's Lunar Orbiter Tapes. In a nutshell, these tapes were sitting around for 20 years before someone finally managed to reconstitute an FR-900 Ampex tape drive, of which only a few dozen had been made, for the military. Parts had to be scavenged from junkyards and whatnot.
Ultimately, the images were recovered through an extraordinary set of events--or as most people call it, hard work, dedication, and tremendous luck--at a cost of $250,000.
This particular story shows how data in outdated formats can be secure: no hacker is going to spend $250,000 and three months to get himself some SSNs, I can assure you. On the other hand, a production run of 36 machines is pretty much unheard of in modern times. The security (or rather, the lack of accessibility) afforded in the case of the Lunar Orbiter tapes comes from a remarkable dearth of machines that could read the data, and of people with the skill sets to repair them.
Whether South Shore Hospital can count on such a shortage of devices and people with the required technical skills...your guess is as good as mine, although I'm one to opine that they can't.
A better form of protection--one that people can count on to safeguard data--is encryption, such as AlertBoot's managed encryption software. Encryption was created for the express purpose of securing information, and is, at this point, virtually impossible to crack.

As I see it, South Shore had two options when it came to destroying those files:

- Get a mobile data destruction company--one that will come to your premises and destroy whatever needs destroying. Shipping unsecured but sensitive data is always a bad idea.
- Encrypt the files before sending them to be destroyed.

In the past I would have offered a third option: encrypt the files and call it a day. For all practical purposes, there is no reason for concern, assuming passwords are also destroyed. On the other hand, the practice is discouraged under HIPAA/HITECH.
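As an added example (not code from the original post, from South Shore Hospital, or from AlertBoot), the following Go program illustrates two points made above: that an unfamiliar, "proprietary" backup layout still leaves its field contents in plain view to anyone with a hex editor, and that encrypting the files before shipping them, then destroying the key, leaves nothing on the media that a recipient can decipher. The binary record format, the placeholder field values, and the function names (BuildSampleBackup, ExposedText, Encrypt, Decrypt, DestroyKey) are constructed for this example; the cipher is AES-256-GCM from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// BuildSampleBackup returns a small backup blob in a made-up binary layout:
// magic bytes, then fields each prefixed by a 2-byte big-endian length.
// Format and values are constructed placeholders, not real data.
func BuildSampleBackup() []byte {
	blob := []byte{0xB4, 0xC5, 0x01, 0x00} // constructed magic + version
	for _, f := range []string{"PATIENT-NO 0000123", "SSN 000-00-0000", "DX constructed-diagnosis"} {
		blob = append(blob, byte(len(f)>>8), byte(len(f)))
		blob = append(blob, f...) // field bytes stored as-is
	}
	return blob
}

// ExposedText returns every run of at least minLen printable ASCII bytes, one
// per line: what a hex editor shows by eye, whatever the container format is.
func ExposedText(data []byte, minLen int) string {
	var runs []string
	start := -1
	for i := 0; i <= len(data); i++ {
		if i < len(data) && data[i] >= 0x20 && data[i] <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			runs = append(runs, string(data[start:i]))
		}
		start = -1
	}
	return strings.Join(runs, "\n")
}

// NewKey generates a random 256-bit key; it belongs in a key store, never on the shipped media.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the backup with AES-256-GCM; the random nonce is prepended.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; a wrong key or altered ciphertext fails the tag check.
func Decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// DestroyKey overwrites the key; once every copy is gone the sealed backup is undecipherable (crypto-erase).
func DestroyKey(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	plain := BuildSampleBackup()
	fmt.Println("raw backup exposes:\n" + ExposedText(plain, 8))
	key, _ := NewKey()
	sealed, _ := Encrypt(key, plain)
	fmt.Println("sealed backup exposes SSN:", strings.Contains(ExposedText(sealed, 8), "SSN"))
	DestroyKey(key)
	_, err := Decrypt(key, sealed)
	fmt.Println("decrypt after key destruction:", err)
}
```

The design point matches the "assuming passwords are also destroyed" condition above: the protection comes from the key, not from the obscurity of the tape format, so the key must never travel with the media, and destroying the last copy of it is what turns an encrypted shipment into something no recipient, honest or otherwise, can read.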
Related Articles and Sites:
http://www.thebostonchannel.com/mostpopular/24311150/detail.html
http://www.databreaches.net/?p=12550