AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Medical Data Encryption Software: Tricare/SAIC Backup Tape Theft Affects 4.9 Million

The use of medical data encryption software like AlertBoot keeps data breach notifications at bay, like the one made public by Tricare, the US military's health plan: according to press releases, a total of 4.9 million current and former service members were affected by this latest data breach.

Update (04 OCT 2011): Slashdot has a thread on backup tape encryption and SAIC.  They mention a lot of stuff I've covered and more.
Update (13 OCT 2011): Tricare is trying to position the breach as an FTC issue, and not a HIPAA issue, according to informationweek.com.
Update (03 NOV 2011): The Tricare breach is in the HHS's Wall of Shame... at a totally-dominating #1, with over 5 million affected.

Backup Tape Stolen, Impermissible Action

An SAIC (Science Applications International Corp) spokesman confirmed that a backup tape was stolen from an SAIC employee's car.  The backup tape -- which contained PII/PHI from 1992 through September 7, 2011 -- was being transferred to an off-site storage area in the San Antonio area.

The PHI/PII included "Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions."  Financial data was not included.

According to media, the breach was reported by SAIC on September 14 and not made public until two weeks later.  The explanation given was that Tricare had to figure out the extent of the data breach, and I more than understand the apparent "delay." (A delay of two weeks is actually quite fast.  HIPAA / HITECH gives up to 60 calendar days to notify affected individuals).

What I don't understand, however, is modernhealthcare.com's note that "according to the San Antonio Police Department report, the tapes were burglarized about 8 a.m. The incident was not reported to police until nearly 4 p.m. the following day."  Anyone care to explain to me why there was a delay there?

Encryption Used (Here and There)

This case is an ideal example of why some people prefer to use disk encryption instead of file encryption when it comes to protecting their computer data (despite the fact that the breached media is a data tape).

Govinfosecurity.com notes that Tricare was making an effort to ensure patient data was protected with encryption software (my emphasis):

"Some personal information was encrypted prior to being backed up on the tapes," the SAIC spokesman says. "However, the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard. The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

The first statement shows us the problem with file encryption.  While file encryption does a great job of protecting a file's contents, there is the logistical problem of actually having to select any and all files that require protection.  Plus, if files are encrypted using different software or using different passwords, the logistical nightmare of keeping track of everything increases geometrically.

A better method to protect files, then, is to use disk encryption -- a solution that encrypts the storage medium itself.  This way, there is no question on whether a file was encrypted or not: with the disk encrypted, you know all files are encrypted as well.

Unfortunately, disk encryption, as the name implies, only works on disks -- external hard drives, internal HDDs, USB memory sticks, etc.  Backup tapes, due to their nature, can't be secured using disk encryption.

That's not to say that backup tape encryption software doesn't exist.  It does; however, there is an obstacle that medical venues need to surmount.
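The bookkeeping problem with per-file encryption described above can be made concrete. The Python script below is an added example, not code from this post or from AlertBoot: it walks a backup staging directory and flags files that still look like plaintext before they are written to tape, using byte entropy as the heuristic. The directory layout, file names and sample contents are constructed for the example, and the "ciphertext" is a deterministic stand-in rather than output from a real encryption module.

```python
"""
Pre-backup audit: flag files in a backup staging tree that do not look
encrypted before they go to tape.  Added example, not AlertBoot's code;
the directory layout and sample files are constructed here.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Bits of entropy per byte above which content is treated as ciphertext.
# Random (well-encrypted) data approaches 8.0; English text sits near 4-5.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Heuristic: high entropy suggests ciphertext.  Compressed archives also
    score high, so True means 'not obviously plaintext', not 'verified
    encrypted with a FIPS 140-2 validated module'."""
    return shannon_entropy(data) >= threshold


def audit_tree(root: str) -> dict:
    """Walk a staging tree and split files into those that look encrypted and
    those still readable as plaintext (the ones that leak if the tape is lost)."""
    report = {"encrypted": [], "plaintext": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            bucket = "encrypted" if looks_encrypted(data) else "plaintext"
            report[bucket].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data): a
    SHA-256 chain, so the example runs offline and repeatably.  Real
    ciphertext would come from the backup's encryption module."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def build_sample_tree(root: str) -> None:
    """Constructed staging directory: one file encrypted, one left in the clear."""
    os.makedirs(os.path.join(root, "lab"))
    os.makedirs(os.path.join(root, "notes"))
    with open(os.path.join(root, "lab", "results.enc"), "wb") as fh:
        fh.write(pseudo_ciphertext(b"constructed-seed", 4096))
    with open(os.path.join(root, "notes", "clinical_notes.txt"), "wb") as fh:
        fh.write(b"Patient: [constructed sample]\nVisit: 2011-09-07\nRx: see attached\n" * 64)


def demo() -> dict:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    result = demo()
    print("looks encrypted:", result["encrypted"])
    print("PLAINTEXT (would leak if the tape is lost):", result["plaintext"])
```

Every file the per-file approach missed shows up in the `plaintext` list, which is exactly the audit step that disk- or tape-level encryption makes unnecessary: when the medium itself is encrypted there is nothing to select and nothing to check per file. The heuristic also has the limits a practitioner should expect: compressed data scores as high as ciphertext, and a high score says nothing about whether the module used is FIPS 140-2 validated.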

FIPS 140-2 and 128-bit Encryption for HITECH

The federal standard compliance I've emphasized in the above quote probably refers to the fact that encryption used to protect PHI under HIPAA/HITECH has to be FIPS 140-2 validated.  Now, neither HITECH nor HIPAA has any requirement for encryption.  However, the HHS (which is the final authority on HIPAA and HITECH-amended HIPAA issues) has deferred the job of defining "encryption" to the National Institute of Standards and Technology (NIST).

Per NIST's own publications, nothing weaker than 128-bit symmetric encryption algorithms can be used, and encryption software must be validated to NIST's own FIPS 140-2 standard.  I don't know how many backup tape encryption software vendors can claim they do so, but if Tricare's travails are any indication, it looks like it's not easy to select one (whether it's because they can't find any or because they've found too many... your guess is as good as mine).

I should point out, though, that an encryption suite that doesn't live up to NIST's expectations is better than not using anything at all.  Hardcore security experts might disagree, but my opinion is that, until you can find the right solution, any type of temporary solution is necessary.  Between the odds of a breach being 0.5 (encryption is not up to snuff) and 1 (no encryption at all), I'll take that 0.5.


Related Articles and Sites:
http://www.modernhealthcare.com/article/20110929/NEWS/110929951/tricare-reports-data-breach-affecting-4-9-million-patients#
http://www.armytimes.com/news/2011/09/military-tricare-data-stolen-san-antonio-092911w/
http://www.govinfosecurity.com/articles.php?art_id=4105&opg=1
http://www.healthcareitnews.com/news/tricare-breach-puts-49m-milatry-clinic-hospital-patients-risk
http://www.tricare.mil/mybenefit/Download/Forms/DataBreach_PublicStatement.pdf


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.