AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

April 2017 - Posts

  • HIPAA/HITECH Doesn't Require You To Be Perfect, But It Does Expect You To Follow The Rules

    A couple of recent Department of Health and Human Services (HHS) legal settlements emphasize paperwork over security, showing that a healthcare entity's approach to safeguarding data must be holistic: yes, you need to use encryption, and lock doors, and hide screens from potential medical data peeping-toms…but you also need to make sure that you've followed protocols regarding the creation of policies and other actions deemed obligatory by the HHS.
    Not doing so "will cost you."  

    $31,000 For Not Producing a Business Associate Agreement

    According to databreaches.net, the Center for Children’s Digestive Health (CCDH), an Illinois-based pediatric center (their website is, appropriately enough, tummydocs.com), was fined more than $30,000 for being unable to produce a business associate (BA) agreement. The document is supposed to contractually guarantee that the BA will properly guard patient data, among other things.
    Per my reading of the HHS's resolution agreement, not having this document effectively means that the HIPAA covered-entity (CCDH, in this instance) illegally disclosed sensitive patient info to a third party.
    What prompted the HHS to see if the BA agreement existed? The BA in question, FileFax, Inc., was caught discarding hundreds of medical files in a dumpster. Unsurprisingly, this prompted everyone, from the HHS to the Attorney General, to see if FileFax was storing any other sensitive info (and, undoubtedly, whether these were properly secured).  

    $400,000 For Lack of a Risk Assessment

    Similarly to CCDH, the Metro Community Provider Network (MCPN) in Denver, Colorado settled with the HHS over what feels like paperwork; more specifically in this case, for not conducting a risk assessment.

    Apparently, a hacker obtained thousands of PHI (protected health information) records in 2012 via phishing, the con in which a person sends email pretending to be someone the victim knows and trusts. It looks like the phishing attempt was strongly enabled by the hacker accessing MCPN's employee email accounts.

    The government has gone after MCPN purportedly for the lack of a risk assessment. Again, a risk assessment is not something that one traditionally files under the banner of "data security." And, it is dubious whether a risk assessment would have revealed the vulnerability used by the phisher. But, its importance is not unjustified. After all, if you don't know where your weaknesses lie, how are you going to defend yourself against them?

    HIPAA / HITECH has always stressed that a security risk assessment and other "non-active security procedures" are an important part of securing a covered-entity's patient data. And, they're backing it up with a message that many can understand.

    One wonders when everyone will get it. (When one reads of cases like this and this, the answer appears to be, "not soon.")


    Related Articles and Sites:
    https://www.databreaches.net/no-business-associate-agreement-31k-mistake/
    https://www.databreaches.net/metro-community-provider-network-settles-hhs-breach-charges-for-400000-and-corrective-action-plan/
    https://www.databreaches.net/ri-lifespan-notifying-20000-patients-after-unencrypted-laptop-stolen-from-employees-car/
    https://www.databreaches.net/unencrypted-patient-info-from-2008-left-in-a-van-and-yeah/

  • Tennessee Updates Law That Required Notification For Encrypted Personal Data Loss

    In 2016, Tennessee created something of a legal furor when it became the first state to require data breach notifications (DBN) even if the lost or stolen data was protected with encryption. Earlier this month, a new law took effect that "clarifies [this] confusion" for companies: they are not required to send DBNs if the data was encrypted, unless the encryption was compromised as well, for example if the encryption key was also breached.  

    Cognitive Dissonance? Or Merely Not Understanding What Encryption Does?

    When Tennessee's amendment to its breach notification law was passed last year, it came as something of a shock to many. There were many milestones in 2016 – as there are every single year, admittedly – and among them was encryption. Specifically, the strength of encryption: last year was when Apple and the FBI went to court over encryption, due to the latter's demand that Apple compromise the strength of the cryptographic protections on iPhones. The demand was a result of the FBI's inability to get into the San Bernardino shooter's smartphone (as well as others, as it turned out).
    The FBI stopped their lawsuit at the last minute, saying that they had found a way into the phone after all; some claimed that the FBI folded strategically, since it looked like Apple would win and create a precedent-setting case.
    Despite the lack of a solid conclusion, it was a milestone regardless: the media covered the situation with unprecedented detail; more people than ever tuned in and learned about encryption and its impact on modern society's digital workings; and, perhaps most importantly, politicians who loudly clamored for Apple to bow down to the FBI's demands started backpedaling after finding out why encryption has to be as strong as it can possibly be.
    The case was a culmination of many encryption-related episodes, such as the global adoption of encrypted internet connections by the top social media sites and communications app-makers making changes to software code so even they can't access a client's private communications.
    So, finding out that Tennessee wouldn't consider encrypted data to be secured came like a bolt out of the blue. Especially when:
    The 2016 amended law, however, still mentioned in another section that encryption was a positive means of protecting data. This created confusion for companies... (bna.com)
    Of course, if one thinks about it, this is not necessarily contradictory. A strongbox is also a positive means of protecting data: think of a dossier placed inside a bank vault. If that dossier is stolen, well, it should be a reportable data breach. If the documents are stolen, by definition the protection is gone.
    And, because of how encryption works, that's where this analogy breaks down: if you will, under encryption, the dossier is the bank vault. Heck, each sheet of paper in the dossier can be the bank vault. In other words, if encrypted data is stolen, the thief still has to find a way to break into this particular vault called "encryption."
    Chances are that 99.999% of the time when data is stolen or lost, encrypted content can be accessed only if the thief also has a key (or a password, which is essentially a proxy for the encryption key). Based on this year's amendment, it looks like Tennessee's governing body was trying to address this inherent "weakness" in encryption when it passed its law last year: if the thief has a key, he has access.  

    Perfectly Valid Concern

    As any security professional – and now, most lay people in the US – will tell you, encryption is one of the best ways to protect data. It's not the only way, and it's not infallible, but it is one of the best. Some may even say it is the best way. But again, that doesn't mean it's infallible. There are ways to get past encryption:
    • Guess the encryption key or the password to the encrypted content.
    • Steal the encryption key or the password.
    • Physically threaten a person for the encryption key or the password.
    • Carry out said threat on a person (but make sure he's conscious so you can get the key or password once they cry uncle).
    • Plant malware on a computer so that you don't have to do any guessing, stealing, or threatening. Technology at work.
    • Do an analysis of the encryption used to see if there are any inherent weaknesses that can be exploited (not for the average person; can be difficult even for government agencies awash with black ops slush funds). Especially if someone leaks said weaknesses on the internet.

    As you see, there aren't too many ways but, with the exception of that last one, it is relatively easy to get past encryption… assuming you can fulfill certain conditions – conditions that are simple but potentially difficult to carry out. (Or, not difficult at all, which is why, when you're going to fire someone, you should revoke his access to your company's resources before letting him know he's being let go.)

    Yet, it seems that most data breach notification laws were passed without taking into consideration things like the above. If stolen data was already encrypted, it was given safe harbor from DBNs.

    In fact, in certain cases, breached data was given safe harbor from DBNs even if encryption was not used because the law had defined encryption too broadly. So, despite violating the spirit of the law, ROT-13 encryption would have met the conditions for excluding oneself from DBNs. This, despite it not being encryption in any sense of the word.

    Tennessee's foul-up may have caused confusion and consternation for many over the past year, but it should be applauded for what it was: a law that further empowers constituents of that state.

    Related Articles and Sites:
    https://www.bna.com/new-tenn-law-n57982086309/
    https://www.databreaches.net/new-tenn-law-no-breach-notice-needed-if-data-encrypted/
    http://www.americanbar.org/publications/youraba/2016/may-2016/state-data-breach-notification-laws-just-got-crazier.html
    http://www.arma.org/r1/news/newswire/2016/05/24/tennessee-enacts-tough-data-breach-law
  • Israel Introducing Data Breach Notification Law

    It was reported last week that Israel introduced mandatory data security and breach notification requirements into its law books. The law is expected to go into full effect next year.

    Businesses of all types – be they global, multinational companies or the barber shop down the street – will be affected by the new regulations. But not equally.

    At mondaq.com, an expert notes that there will be four "security level" categories which appear to be divided either by the number of people who can access the information or by the nature of the business itself. For example, the aforementioned barbershop's data security requirements would be different from data brokers (and even these are subdivided by the number of records that are stored).  

    Encryption Required?

    Of the four security levels, the lowest one (that is, the least onerous one to a business) is the sub-basic level:
    up to 3 persons with access permission – mild requirements, including a database description document, annual review of redundant data, basic physical security, reasonable means to prevent unauthorized access, keep records of data breaches, appropriate measures with portable devices (e.g. encryption) and secured internet communications. (my emphasis)

    The higher security levels build on top of this. And while encryption is given as an example (not as a requirement) pertaining to "appropriate" security measures for portable devices, it's pretty obvious that it doesn't stray too far from being a requirement.

    Indeed, on the internet, it actually is a requirement. The law stipulates that "secured internet communications" must be used, and the only way to secure the to and fro of data flows on the internet is via an encrypted connection. Or, if an encrypted connection is not possible or available, by encrypting data before it is sent out (e.g., cryptographically securing an attachment before sending it via email).  

    Breach Notifications Where Appropriate

    Data breach notifications to the government will be mandatory, but only for businesses in the mid- or high-security levels. And even then, the former only need to report "substantial breaches" whereas the latter will need to report every breach they encounter.

    The government may force a business to get in touch with clients who were affected by the data breach, if it is deemed necessary and appropriate.

    Overall, it's a little different from what people are used to in the US when it comes to data privacy and breach notification laws. However, if you're doing a lot of business with Israeli companies, you will have to follow it.

    This is not a particularly bad proposition, since it may also help you meet EU requirements: per bna.com, the passing of the Israeli law coincides with the European Union's own privacy laws that go into effect in 2018.  

    Related Articles and Sites:
    https://www.databreaches.net/companies-now-face-israel-data-security-breach-notice-rules/
    http://www.mondaq.com/x/582376/data+protection/Data+Breach+Notification+Introduced+into+Israeli+Law