in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Security: Michigan Department of Community Health Data Breach Affects 2,595

One of the most unfortunate types of data breach cases I come across are those that involve instances where PHI encryption for laptops was used but still resulted in a HIPAA data breach, like the following one at the Michigan Department of Community Health.

According to the entry at phiprivacy.net, an employee of the Ombudsman’s Office at State Long Term Care experienced a burglary.  The thief took a laptop computer and a flash drive.  The former was protected with encryption software, as many covered entities have done in light of the final Omnibus Rule.

The flash drive, however, was not encrypted.  A total of 2,595 people, living and deceased, were affected by this latest PHI breach.

Personal Data Stolen, Laptop and Drive Not Recovered

The stolen information included people’s names, addresses, dates of birth, SSNs, or Medicaid IDs (although not all were affected).  The burglary occurred around January 30th, with MDCH learning about it on February 3rd.  As of the press release announcing the data breach, April 3, the devices were not recovered.

And, chances are that they won’t be.  For the flash drive, the chances of it being recovered are close to nil.  For the laptop, assuming some other type of laptop security protection software was employed in addition to the encryption -- such as a tracker -- the odds of recovery are higher but can still be pretty low.

For example, the use of Absolute Software trackers could lead to a 75% recovery, if you believe the manufacturer’s claims.  The only caveats here are that (a) we have absolutely no idea how long it takes to recover the device (is a day, a week, a month?), (b) it’s not foolproof.  The use of a Faraday cage-like device or going into a basement may be enough to defeat the technology, and (c) recovery falls outside of the safe harbor requirements under HIPAA.  This last one requires the use of encryption (or data destruction) to go into effect.

Still, the technology is much more impressive than conventional tracker software for your laptop, which generally tends to “track” the last known IP address, seeing how these devices don’t come with a GPS module, and are not as accurate in terms of pinpointing a device’s location.

Full Disk Encryption Has Blind Spots

With HHS (and their OCR branch) heavily promoting the use of HIPAA encryption, it’s kind of hard for the layperson to understand what went wrong here.  Encryption appears to have been used, but one still had a data breach.  Yes, the flash drive was at fault, but...wasn’t the data encrypted when it was transferred from the computer?

In order to make sense of what’s going on here, one needs to understand the basic concepts of the underlying technology.  There are many different types of encryption.  There is full disk encryption, which was probably used to protect the laptop’s contents.  As the name implies, full disk encryption (usually abbreviated to FDE) encrypts the entire content of a hard drive.  To be more specific, it encrypts the hard drive itself; because data is stored in the hard drive, they end up protected, too.

This distinction is very important, as it explains why the flash drive’s contents were not protected.  Since it’s the hard drive that’s encrypted and not the data, when you copy the data over to another storage device, such as a flash drive, that information is not encrypted anymore.

Is there a way to encrypt the data?  Absolutely.  There are technologies that encrypt data, such as file encryption.  Generally, it’s a less optimal way of protecting an entire device’s data.  Thus, they tend to work in tandem: FDE for the laptop, file encryption for any files that are making it off of the laptop.  This way, one of the top weaknesses of FDE is shored up.

Related Articles and Sites:
http://www.phiprivacy.net/michigan-department-of-community-health-notifying-2595-individuals-of-breach/

 

 
<Previous Next>

FTC And Data Breaches: Fandango, Credit Karma Settle Charges

Canada Digital Privacy Act: $100,000 Fine For Not Reporting Data Breaches

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.