in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Hard Disk Encryption: Eisenhower Medical Center (Rancho Mirage) Breach Affects 514,330 People

A computer used to check-in patients at the Eisenhower Medical Center in Rancho Mirage was stolen from the open lobby area, resulting in a data breach affecting over 500,000 people.  The computer was not protected with drive encryption like AlertBoot, a calamitous decision.

Based on what I'm reading here, it's hard to believe that this computer was used just for checking-in patients, or that no one thought of using encryption software on it: the records go all the way back to the 1980s.  We're talking at least 20 years, at most 30 years.  You know how many hardware revolutions we've had since?

Limited Impact?

According to mydesert.com, breach notification letters were sent to patients.  In it, patients were informed that the breach occurred on March 11.  The computer that was stolen contained a backup file with information on 514, 330 patients that dated as far back as the 1980s (early 1980s? Late 1980s? ).

Thankfully, the file only included patient names, ages, dates of birth, the last four digits of SSNs, and the hospital medical record number.  Certainly beats having your full SSN exposed.  On the other hand, who knows what could be done with such information?  I've speculated in the past of using an extensive database to "play the odds."

Playing the Odds: The Danger of Limited But Large Database Breaches

This is what I had to say about taking advantage of a large database with supposedly non-sensitive information:

Described in John Allen Paulos's Innumeracy, the stock market scam is a game of probability (some would say certainty).  You cull 10,000 names and addresses from the phone book.  For half of them, you send a letter claiming the stock market is going to go up next week; for the other half that it’s going to go down.  Next week, you target the 5000 names for whom your "prediction" was correct.  Half of them get a second letter saying the market is going to go up; the other half, down.  Rinse and repeat as needed.

At the end of this process, you will get a handful of believers that think you’re the best trader since Warren Buffet and George Soros combined.  You tell them they won’t get the final letter unless you get $10,000 from each one.  With the impressive track record, investors send you money (they don’t know how many are in on this thing), get a second mortgage to invest its proceeds, and wait with bated breath.  You disappear.  Time generally tends to be on the criminal’s side, if you think about it.

Of course, you can't pull off the above example in this case.  We're talking about medical info, not financial data.  On the other hand, a variation of it could be performed.  For example:

  • Instead of money, the criminals ask for SSNs, claiming that they must have made an error when entering it into their database.  They provide the last four digits as proof, leading some (or many) to believe, "hey, they must have made a typo somewhere -- those certainly are the last 4 digits to my SSN!"
  • The criminals draft up a letter on counterfeit hospital letterhead to make it seem official.
  • The address in the return envelope and the convenient "correct my SSN form" (counterfeit as well) shows a PO Box in the Eisenhower Medical Center area.

One could even include a toll-free number to call if people have any questions -- a number that rings the criminals' phones!

What are the chances?  Pretty slim, I'll admit, especially when you consider addresses, phone numbers, e-mail addresses, etc. were not included.  If the thieves are smart, they'd have to somehow take public data and match it up to the name and hope for the best.

But, look at the incentives for criminals: at the end of the scam, they'd have full SSNs, names, and dates of birth.  As far as I know, this is all you need to pull off medical fraud.  And, seeing how you're dealing with over half-a-million people, even a turnaround of 2% means 10,000 records.  That's a bonanza.

My point is this: you can't, as an organization or victim, rest easy just because a stolen database doesn't strictly contain sensitive information.

Disk Encryption or File Encryption Should Have Been Used: PHI

The computer that was stolen from Eisenhower's premises should have been encrypted.  Certainly, the backup file containing over 20 years' worth of patient information would have made it necessary.  But that's not the only reason.  The last time I checked, a patient's name alone is regarded as protected health information, PHI.  (I'm not a lawyer, by the way.  I could be off on this, although I'm pretty sure I'm not.)

The hospital used the computer to check-in patients?  They should have had an interest in using some kind of HIPAA-compliant cryptographic tool to protect the contents of the computer.  After all, traditional tools like locking the computer wouldn't have been available in an open lobby.


Related Articles and Sites:
http://www.mydesert.com/article/20110330/NEWS01/103300308/1016/FBI-state-agents-search-Rancho-Mirage-plastic-surgery-center/Eisenhower-Medical-Center-Computer-patient-info-stolen

 
<Previous Next>

Data Protection: UK National Identity Card Databases Destroyed

Data Encryption Software: Jihadist Doesn't Trust Modern Encryption Because Kaffirs Know About It

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.