in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

May 2011 - Posts

  • Email Address: Is It Personally Identifiable Information (PII)? Maybe In Alberta, Canada

    Personally identifiable information, otherwise known as PII, otherwise known as sensitive info.  We know that these must be protected in this day and age, and that data encryption like AlertBoot is one of the better ways to do so.  But what is PII?  Are email addresses PII?  In Canada, it looks like it could be, depending on the situation.

    Information and Privacy Commissioner of Alberta, Canada Concludes "Email is PII"

    The Information and Privacy Commissioner of Alberta, Frank Work, has recently issued a ruling which seems to indicate that, in sufficient amounts, the loss of email addresses can be considered a data breach that requires organizations to report said breach to individuals.

    After considering the massive data breach at Epsilon, Work has concluded that,

    ...although the information at issue (name, email addresses and organization membership (in the Best Buy case) was relatively minor compared to other data breaches which involve the unauthorized access of financial or other sensitive information, the sheer magnitude of the breach and the evidence that the information will likely be used for malicious purposes indicated there was a real risk of significant harm to affected individuals... [oipc.ab.ca, my emphasis]

    Alberta PIPA Definition of "Personal Information"

    You'll notice that I said that Commissioner Work "concluded" that email addresses are PII.  Concluded?  How so?  Well, take a look at PIPA's definition of personal information:

    "Personal information" means information about an identifiable individual. [section 1(1)k of Personal Information Protection Act of Alberta]

    That's pretty broad.  In the US, for example, there are specific rules on what is considered PII in the context of a breach.  For example, many states by law only recognize the loss of SSNs as a data breach if and only if names were also lost in the breach (either the full name or the last name and first name's initial).  I'm not aware of any states that include the loss of email addresses as a breach.

    Anyway, coming back to Alberta's PIPA (and it is Alberta's PIPA.  PIPA differs from province to province), the broad definition means that someone has to interpret the law, and it falls upon the commissioner to do so.

    As Dissent at databreaches.net has noted, the commissioner's conclusion is significant because

    ...even (just) name and email addresses in the context of a large breach of this kind indicates a "real risk of significant harm."

    I'm inclined to agree.  I can't think of any past breaches where the loss of e-mail addresses resulted in an official ruling that it was a data breach (although, in the case of TD Ameritrade, there was a massive settlement to a lawsuit regarding the breach of email addresses belonging to TD's clients.)

    On the other hand, when it come to the question "are email addresses PII?," it remains unanswered because the above ruling is based on the loss of e-mail address and names.  We'll need another case to see whether the loss of e-mail addresses only is a data breach in its own right, although the post in the preceding link has an argument that

    Of course, companies could be a little proactive and work not to find if that's the case by using encryption software to protect their data -- email addresses inclusive.


    Related Articles and Sites:
    http://www.oipc.ab.ca/Content_Files/Files/News/NR_Epsilon_May_2011.pdf

     
  • Portable Hard Drive Encryption: Protecting Medical Data On External Drives

    Bad news coming from our friends in Canada: according to edmontonjournal.com, a portable hard drive was stolen from Dr. R. Burnham and Associates Medical Clinic, triggering a breach of 1,000 patients.  The external hard disk drive was "protected" with password-protection but not with full disk encryption like AlertBoot.
    • Alberta Health Services' Central Alberta Pain and Rehabilitation Institute
    • Portable Hard Drive Encryption: An Extension of Computer Encryption

    Alberta Health Services' Central Alberta Pain and Rehabilitation Institute

    The portable drive was a backup medium containing Alberta Health Services' Central Alberta Pain and Rehabilitation Institute client records.  These included names, dates of birth, addresses, health care numbers, and prescription information.  The breach took place between May 6 and May 8.

    While the AHS went public with the breach details, it has noted that the device actually belonged to the Dr. Burnham clinic.  I'm not as familiar with Canadian patient privacy laws, but if they're anything like what we have in the US, AHS is still responsible even if a third party breached the data.

    The Information and Privacy Commissioner's office has noted that they "have said time and time again that kind of information must be encrypted, that it should be the standard."

    It really should be standard.  Password-protection is bad security, and it cannot be a match for encryption software.  Which is why:

    AHS is now "working proactively" with the clinic to make sure its systems are encrypted and "in line with AHS policies."

    Who knows how many more stolen disks and laptops AHS will have in the future?  Ensuring that past weaknesses are not exploited is a big part of increasing one's security, so AHS should be applauded for what they're doing.  On the other hand, that won't stop people from commenting that it's a little too late, at least for this round of clients.

    Portable Hard Drive Encryption: An Extension of Computer Encryption

    If you're looking to protect the contents of your portable drive, which you use as a backup, you ought to be thinking about encryption software.  But, if you're thinking of protecting the contents of only a portable drive, then you must be coo-coo.  What about your actual computer?  Doesn't it hold the same data?  In most cases, it does.  What makes you think that your portable drive will go missing but your laptop won't?  Heck, desktop computers getting stolen is not unheard of.

    This disconnect makes even less sense when you consider that the full disk encryption used to protect portable drives is also the same encryption used for desktop and laptop computers.  The reason?  The hard drives within all three devices are the same.

    In fact, a managed encryption service like AlertBoot takes advantage of this fact to offer disk encryption for computers and other peripherals in one integrated package: if you plug a portable drive into the USB slot of a computer already encrypted with AlertBoot disk encryption, the portable drive will be encrypted automatically, too!

    By doing this, your data security risk profile is lowered by ensuring that data extracted from a protected computer can only be read on authorized computers only (one of the disadvantages to disk encryption software is that it's the disk that's encrypted.  Hence, any data saved to it is encrypted as well; however, any data copied off of it will in plain text format).

    Long story short: if you're looking to encrypt your laptop or desktop computer, seriously consider encrypting your backup data as well (why wouldn't you?  It's the same data) and vice versa.


    Related Articles and Sites:
    http://www.edmontonjournal.com/technology/Health+records+stolen+from+Lacombe+clinic/4818426/story.html

     
  • Update On "Delta Dental Notifies Clients Of Breach"

    I had commented on the "Delta Dental - The Smile Center" breach story yesterday (the one where a disk with personal data was not protected with data encryption like AlertBoot) that it was hard to tell who the party responsible for the lost data happens to be.  The party responsible as the data owner, that is (I think everyone's in agreement that it was the expert witness who actually caused the breach).

    Well, it turns out that Delta Dental is the owner of the data:

    As part of the lawsuit, Delta Dental was required to provide the disk containing patient data to the Smile Center, their law firm, and their expert witness. It was this disk that was stolen in February from the expert witness's office at the University of Minnesota. [drbicuspid.com, my emphasis]

    Now it makes sense why Delta Dental started notifying clients.  And, the quote I used yesterday makes even more sense:

    Delta Dental said it has taken steps to protect its clients from identity theft; however, when the computer disappeared, the state’s largest dental insurer said The Smile Center never told its patients their medical records had been compromised. [myfoxtwincities.com, my emphasis ]

    Of course, the "its" in "never told its patients" refers to Delta Dental, not The Smile Center.  I was wondering why Delta Dental was sending notification letters on behalf of The Smile Center.  At the same time, now I have to wonder why Delta thought Smile would be notifying Delta's clients.

    Tough Deal for Delta Dental

    HIPAA / HITECH makes it very clear that it's the owner of the data that does all the notifying, and that they're responsible for the breach.  It's assumed that the breached covered-entity will deal with third parties (i.e., the BA, "business associate") separately.  The argument is, the breached entity, in this case Delta, will stop doing business with the BA, or pressure him to up his security, etc.  It's the trickle down theory of security.

    Except, of course, the BA in this case -- the expert witness -- technically worked for The Smile Center.

    Delta Dental turned over the disc under the terms of a protective order entered by the court in the lawsuit.  The Smile Center dental clinics, their law firm, and their expert witness were required by the court order to protect the disc and the data.  At the time of the theft, the disc was in the custody and control of the expert witness for The Smile Center dental clinics at his University of Minnesota office. [deltadentalmn.org, my emphasis]

    And, I guess that will give Delta the ammunition necessary to go after The Smile Center et al.  However, I don't think this gives them the ammo to say, "hey, under HIPAA / HITECH, we're not responsible."  Whose data was it?  Well, Delta handed it over, so it must be Delta's data.  The buck stops with Delta, as far as I understand HIPAA / HITECH.

    (I'm not a lawyer or legal scholar, by the way.  This is not legal advice, blah, blah).

    It's a terrible deal for Delta Dental.  They were forced to turn over the data.  They have absolutely no hold over the expert witness, since he's working for the other side.  And yet they're "stuck with the bill":  They have to notify the affected patients, they have to offer the credit monitoring, they have to take the PR hit.  It's terrible.  I'm pretty it wasn't supposed to work this way.

    On the other hand, they could have give out the information in encrypted form.  Had they used encryption software to protect their clients' data, it wouldn't have turned out the way it did.

    Of course, then again, there is the chance that someone could have stuck the password to the laptop (ah, Post-It Notes, the bane of security professionals).  But, some experts have noted that HIPAA / HITECH has no provisions on what happens under such circumstances, and have claimed that as long as the PHI is encrypted, you're set, passwords be damned.  Whether this argument will actually fly with OCR and HHS is another story entirely.  (The point is to keep PHI protected, not to just install encryption and forget about it).


    Related Articles and Sites:
    http://www.drbicuspid.com/index.aspx?Sec=sup&Sub=pmt&pag=dis&ItemID=307704&wf=47
    http://www.deltadentalmn.org/content/files/Press_Releases/laptopcomputeranddatastolenfromexpertwitness_051711.pdf
    http://www.myfoxtwincities.com/dpp/money/delta-dental-laptop-stolen-id-data-still-missing-may-17-2011

     
  • Full Disk Encryption Software: Delta Dental Notifies Clients Of Breach, Laptop Stolen

    Delta Dental, The Smile Center, and an expert witness are at the center of one of the most convoluted medical data breach stories that I've read in a while.  The article at myfoxtwincities.com leaves me with more questions than answers.  One thing that's not a point of contention: data encryption software was not used to secure patient information.

    When Expert Witness Causes Breach, Who's Responsible?

    According to the myfoxtwincities.com story, a disk that contained names, dates of birth, and Social Security numbers was lost when a laptop got stolen from an office at the University of Minnesota four months ago.  The laptop belonged to an expert witness brought in to testify in a multi-million dollar lawsuit between the two companies.

    Affected patients -- it was not reported how many were affected -- are only being notified now.

    One detail that was revealed: only those who were insured by Delta Dental and visited the St. Paul location of The Smile Center between January 1, 2003 and June 30, 2010 are affected.

    (By the way, hiding the number of people affected is asinine.  Someone's eventually going to have to report the incident to the HHS, which will go public with the details if the number of people affected is over 500.  With over 7 years' worth of data, I'd guess that the cap has been exceeded.  Myfoxtwincities.com says "thousands" could be affected.)

    The story was made public because Delta Dental, Minnesota's largest dental insurer, started mailing clients about the data breach.  However, there is a question on who's responsible.

    Obviously, the expert witness -- a third party -- should be faulted.  Not that he wanted to be at the center of things, but it was his laptop (with disk in the tray) that got stolen.  However, legally speaking, I'm pretty sure it's the owner of the data that's held responsible for the breach.  (It's assumed under the law that the owner of the data will privately, separately deal with the third party.)

    Owner of the Data Responsible: Got It.  Who is it, Again?

    This is where it gets convoluted.

    Under HIPAA / HITECH, it's the owner of the data that is supposed to notify clients of the data breach.  Delta Dental is the one who started alerting affected clients, so the implication is that they are the owners of the data, and hence they'll be held accountable for the third party breach.  But, hold on:

    Delta Dental said it has taken steps to protect its clients from identity theft; however, when the computer disappeared, the state’s largest dental insurer said The Smile Center never told its patients their medical records had been compromised. [myfoxtwincities.com, my emphasis ]

    This implies that it was The Smile Center's data that got compromised, meaning they're the data owners.  If I'm inferring correctly, Delta only got involved when they decided they couldn't wait for Smile to do something about it.

    Or maybe, it means that there was both data from Delta and Smile, but only Delta decided to do something about the issue?  Or maybe, the information was provided to the expert witness by Delta, but for some reason it thinks Smile is in charge of notifying patients?

    I guess the real question is: who gave the expert witness that disk?  And why didn't they have the foresight to use encryption software to protect its contents?

    Notifying Patients in a Timely Fashion

    Dissent at databreaches.net has noted:

    Not only did The Smile Center reportedly not inform their patients of the breach, but it seems that neither Delta Dental nor The Smile Center are taking full responsibility for the breach because the data were in the possession of a third party – an expert witness in the lawsuit....This might be an appropriate incident to issue a fine for not notifying patients in a timely fashion.

    I'd agree, except for one technicality: under the rules, a grace period of 60 calendar days is given for notifying people whose PHI (Protected Health Information) is breached.  However, those 60 days start with the discovery of the breach.

    We know the theft of the laptop, the trigger for the breach, occurred 4 months ago.  But, when was the owner of the data notified of the breach?  If the expert witness hadn't voluntarily commented on the issue, the earliest that the owner of the data should have known about the breach is when the trial was over and asked the expert to return the disk or destroy it.  The lawsuit was settled in April so, under these assumptions, neither company is in breach of the PHI Breach Notification Rule.

    Like I said at the beginning, this is one convoluted incident.  It also shows the limitations of the current rules regarding patient data security and notifications when things get really messy.

    All of this could have been easily avoided by the use of data encryption programs like AlertBoot.  But, no, people think that occurrences like this one, which are pretty common, can't happen to them.


    Related Articles and Sites:
    http://www.myfoxtwincities.com/dpp/money/delta-dental-laptop-stolen-id-data-still-missing-may-17-2011
    http://www.databreaches.net/?p=18330

     
  • Data Encryption: Final HIPAA Privacy Rule Will Not Require Encryption

    According to breaking news from healthdatamanagement.com, the Final Rule on PHI protection "will not include a mandate for encryption of protected health information."  In other words, the use of disk encryption software like AlertBoot won't be required even if your portable computer holds a spreadsheet with Medicare details for millions of people (although, under such circumstances, you really should).

    Good Thing?  Bad Thing?

    I don't know if this is a good or bad decision.  Like many people, I'd like to see organizations using more encryption software, and not because I work for a disk encryption company.  It just seems to me that when it comes to sensitive data, the use of encryption is a pretty good idea.

    Plus, when you take a look at breached entities' actions, you know they think it's a good idea, too:  after going public with a data breach involving patient information, a medical organization will also proclaim in the same breath that they're concerned about patient privacy, patient data security, and that they've recently updated their security practices and policies....including the use of encryption on previously unprotected devices.  Why would they do that if they didn't think encryption worked?

    Stating that it's because of HIPAA/HITECH and safe harbor from the Breach Notification Rule doesn't hold water...encrypting data you have after the breach doesn't grant you safe harbor for the one that just took place.

    (Let me clue you in on an open secret relating to encryption programs: they only work when they're installed prior to a device being stolen.  No, no -- really.  I'm pretty sure this must be esoteric knowledge; otherwise, how can you possibly have so many organizations installing encryption after they've experienced a breach? (Yes, I'm being sarcastic)).

    So, I want to emphatically say "yes" to required encryption.

    On the other hand, the term protected health information (PHI) is very broad.  X-rays of your femur?  PHI.  Pictures of a melanoma growing from the tip of your nose (just the melanoma and not your face)?  PHI.  Colonoscopy video clips -- where it shows every nook and cranny of your colon (which, incidentally, looks pretty much the same for all people)?  PHI.  I mean, does anyone really think that the loss of such data is such a tragic event that it would require cryptographic software that won't allow unauthorized people from accessing the data for the next century or so? 

    In that respect, the pending ruling is good - you have people decide how much security is required given a set of data.

    Vindication

    The above pronouncement (granted, which still needs to be announced officially) is something of a vindication for me.

    In this blog, I have often noted that HIPAA-covered entities would strongly want to choose using encryption over something else (like a cable lock.  Which doesn't always turn out well, as we saw in yesterday's post).  At the same time, I noted that encryption is not required, just strongly encouraged.  In fact, so strongly encouraged that it almost feels like it's required; however, encryption is never labeled as a requirement under HIPAA, only as an "addressable" security measure.

    The above observation just doesn't sit well with some people.  I have been called to task by numerous professionals, letting me know that I'm wrong and that I might want to change my stance because they know that encryption is a requirement.

    It really isn't a requirement.  But it's a seriously good idea.


    Related Articles and Sites:
    http://www.healthdatamanagement.com/news/hipaa-security-ocr-rule-encryption-mandate-42489-1.html

     
  • Laptop Encryption Software: EyeCare Associates Of San Ramon

    When someone asks you about laptop data security, do you point towards a cable lock?  If so, you're putting yourself at risk, as the doctors at EyeCare Associates of the San Ramon Valley recently found out.  If you need to ensure patient data privacy, you must use drive encryption software like AlertBoot.  For one thing, it really does protect your data from outside intrusions.  An added benefit?  Compliance with HIPAA and HITECH's Breach Notification Rule.

    Break-In

    EyeCare Associates of the San Ramon Valley experienced a burglary on May 8, according to sanramon.patch.com.  I took to looking up the location in Google maps, and it turns out that the San Ramon Police Department is a mere 446 feet away (although I admit that at such distances, I always find Google Maps to be a little suspect -- things are not always where they say it is).

    Regardless, the police were very close by but this did not prevent the burglars from getting the courage (for the lack of a better word) to ransack the place.  The thief or thieves stole a laptop with data on 611 patients.  On the whole, it's not a terrible breach of medical information: it held eye photos and names.  There was no other information, so unless there have been advances in the field of biometrics that I'm not aware of, this latest incident shouldn't be of much concern to those affected.

    HIPAA/HITECH

    But, it is of concern to the EyeCare Associates of the San Ramon Valley.  The information that was lost was not encrypted; or at least, I'm assuming that it wasn't due to the fact that the story made the media.  If encryption software had been used, safe harbor is granted from the Breach Notification Rule under HITECH, so no one needs to be notified of the breach.

    (Why leniency when encryption is used?  Because for all intents and purposes it protects data, and at a level that cannot be compared to a cable lock.  For example, do you know of any laws anywhere in the world that will put you in jail for not producing a key for your computer cable lock?  Because there is one for encryption; and they've used it, too.  Encryption programs are that powerful.)

    Because over 500 people were affected by this breach, it will go up on the hhs.gov virtual wall of infamy, where breaches affecting more than 500 people are listed.  EyeCare will have good company: as of this writing, there are 272 other records.  Good company or not, though, it's not the type of reputation that you want to have hanging around.


    Related Articles and Sites:
    http://www.phiprivacy.net/?p=6668
    http://sanramon.patch.com/articles/laptop-stolen-from-eye-doctor
    http://www.eyecaresrv.com/appointments.html

     
More Posts « Previous page - Next page »