AlertBoot Endpoint Security : whole disk encryption

Sharing Laptops With Encryption: U. Of Mississippi Medical Center Patient Data Breach

sang_lee — Fri, 29 Mar 2013 09:07:00 GMT

The University of Mississippi Medical Center (UMMC) is notifying patients who visited UMMC between 2008 and January 2013 that their health information may have been stored on a laptop computer that's "missing." Apparently, the device was not protected with laptop encryption like AlertBoot, which may have been a result of the laptop being "a shared device, used by UMMC clinicians."

Giving Access to Shared but Encrypted Resources

One of the problems with encryption software is that, depending on the solution, there isn't a way to allow multiple logins to the same computer (or in some cases, there is a way but it's very complicated, rendering it useless. As an aside, AlertBoot does not suffer from this limitation. Indeed, we make it very easy to host multiple IDs and passwords on the same computer).

This hindrance is very problematic in a hospital setting because (a) resources are shared and (b) HIPAA Security Rules generally forbid the sharing of computer passwords and such.

The obvious answer, then, is to pick a solution that allows multiple IDs and passwords for the same computer. However, sometimes people opt for a different kind of solution: not using encryption. Since most computer operating systems come with the ability to support multiple users, one "solution" is to use only password-protection without encryption.

The problem with this approach is that, while you're able to comply with a certain aspect of the HIPAA Security Rules, you're also exposing patients to a risk that could easily be avoided.

Is this what UMMC decided to do? It could very well be so, and it would be within their rights. After all, HIPAA doesn't require the use of encryption. If a covered entity's risk assessment shows that the odds of a data breach are low, and tantamount security measures can be used – UMMC's laptop was in a non-public area, meaning the odds of the device being stolen were low – then encryption is just one of the ways one can use to lower the risk of an ePHI breach.

On the other hand, these other methods are not as useful in the event that something does go awry.

UMMC: Insufficient Contact Information

Generally, a data breach results in the breached medical entity sending out breach notification letters (via first class mail, as specified by HIPAA and HITECH rules). However, the University of Mississippi Medical Center opted to make a public announcement only (the "only" part is implied) because it didn't have a complete notification list:
Federal and state laws require health-care institutions to notify patients potentially affected by such incidents. In this case, due to insufficient contact information for those who may be affected, individual notifications are not possible. [phiprivacy.net]
As I pointed it out before, the implication is that no one is getting a personal breach notification letter. Again, UMMC is within its legal rights to do so; however, honestly, what are the chances that all of the affected parties will be informed of this notice, be it via word of mouth, a segment in the local news, or some other method?

Perhaps that's the wrong question. My guess is that the odds of all affected parties being reached is close to 0%. Rather, the question ought to be: what percentage of the affected parties will be informed? Is it closer to 90% or 40% or 10% or what is it? The former is better than the latter, obviously, but the honest truth is that we have absolutely no way of knowing.

When you consider that the purpose behind breach notifications is to give who are affected a chance to do something about any potential risks, it feels like UMMC is following the letter of the law, but falling very short when it comes to the spirit of things.

Perhaps a better method may have been to send individual notification letters if a patient's current address was on file in addition to making a public announcement.

Related Articles and Sites:
http://www.phiprivacy.net/?p=12070

Deleting Solid State Drives: Cleaning SSDs Almost Impossible, So Use Encryption

sang_lee — Tue, 19 Feb 2013 11:16:00 GMT

According to the National Association of Information Destruction (NAID), solid state drives (SSD) used in ultrabooks, tablets, smartphones, and other devices are proving to be a headache when it comes to end-of-life operations. Namely, the usual methods of deleting digital data – so that hardware may be discarded safely – are proving to be ineffective when it comes to flash-based storage media. This shouldn't be news, however, at least not to NAID.

The solution to the above difficulty is at least 2 years old: place laptop disk encryption at the heart of your data destruction strategy.

SSDs an Unknown Quantity

According to a NAID conference that was held in Sydney, Australia, NAID chief Bob Johnson noted that:
SSDs are an unknown quantity when it comes to being sterilised for disposal at the end of their working lives.

"There is currently work being done at the University of California, San Diego, about the best ways to make sure these solid state drives are clean before they're disposed of," he said. "Unfortunately the information out there at the moment is very squirrelly."
I'm not sure what information Johnson's referring to, but I've known for at least two years that the best way to ensure that information is properly wiped is to encrypt it and lose the encryption key:
The researchers propose an approach called SAFE (Scramble and Finally Erase) that sanitizes the stored key:

The technique, called Scramble and Finally Erase (SAFE), stores encrypted data in the drive and uses a two step process for sanitization. First, it destroys the key. Then, SAFE erases every physical page in the SSD. After this step, veriﬁcation is a simple matter of dismantling the drive and verifying that the flash chips are actually erased.

Encryption is at the heart of this technique, you'll notice, with attention given to the key's destruction.
The above is from a post I wrote in 2011 on why media sanitation requires encryption, and is based on research done by a team at the University of California, San Diego.

If that looks like déjà vu to you, it's because it's the same San Diego team that Johnson is referring to.

Encryption Sometimes CANNOT be the Solution for SSD

And now that I've revealed how encryption software is the only way to secure devices during their EOL, here's a kick to the head: under certain circumstances, encryption is not an option from a policy perspective. For example, under HIPAA.

HIPAA is a set of rules, overseen by the Department of Health and Human Services (HHS), that governs healthcare companies and their business associates. While the use of encryption is strongly encouraged to protect patient data (indeed, the director for the Office for Civil Rights at the HHS was quoted as saying "we love encryption, and those who use encryption love it, too"), there is one area where encryption is not to be used as a tool when it comes to medical data: when a device is being disposed of.

When a computer, external drive, flashdrive, or other data storage device that used to store health data is to be discarded – be it in a landfill or via a donation – the information on it has to be scrubbed. The usual methods include overwriting every sector of the storage device; degaussing it by placing the medium in a magnetic field; or physical destroying it, all of them procedures approved by NIST. Encryption, on the other hand, is not considered to be a reliable method of destroying data because it is designed to "recover" data when the correct key is applied.

This is problematic as organizations start to embrace BYOD, bring your own device. One wonders how the HHS will react as more and more devices that use SSDs – like smartphones and tablets – make their way into hospitals and other businesses that handle protected health information. Degaussing will not work, since SSDs don't store data in a magnetic medium. Overwriting does not work due to SSDs' internal workings. Destroying devices would work but is wasteful when they might still be useful to some.

Plus, I've got to assume that the owners of these devices would be quite against destroying their phones and tablets.

It seems that an exception will have to be made for flash-based devices, or that the use of encryption to "destroy" data will be accepted as a norm.

Canada Computer Disk Encryption: Human Resources and Skills Development Loses Information On 583,000

sang_lee — Mon, 14 Jan 2013 17:49:00 GMT

Numerous Canadian media outposts are reporting on the loss of student loan information by Human Resources and Skills Development Canada. It's being labeled as a "new" data breach by the government but let's be honest, the only thing new about it is the press release. It's part of the same old story, a continuance of an affliction that has been ongoing due to the lack of data security software like AlertBoot laptop encryption SaaS.

583,000 Canadians Affected

According to theglobeandmail.com, the latest fiasco on the part of Human Resources and Skills Development Canada (HRSD) was reported this past Friday. HRSD alerted in a press release this past Friday that a storage device containing data on 583,000 Canada Student Loans Program borrowers from 2000 to 2006 was lost.

Depending on which article you read, the device is described as a "portable hard drive" or a "USB key." Technically, the latter would be included under the former, but generally a USB key is in a category by itself. Regardless, either would have been protected with the use of AlertBoot Mobile Security, which not only encrypts a laptop computer's hard drive, but also automatically encrypts any external data storage devices that connect to a protected drive (and, in order not to hamstring a USB key's utility, it is shareable between AlertBoot-encrypted computers).

Of course, it's not really the medium that's important, but the data contained in that medium: "student names, social insurance numbers, dates of birth, contact information and loan balances of borrowers" were present, according to the theglobeandmail.com, but no banking or medical information. People in Quebec, Nunavut, and the Northwest Territories were not affected because these territories manage their own student loan programs.

Interestingly enough, Quebec is not entirely in the clear: personal contact information of 250 department employees working out of a Gatineau, Quebec office were also affected by the data breach.

A toll-free number has been set-up at 866-885-1866 (416-572-1113 outside of North America) for inquiries by affected individuals.

Of course, if the callers are as mad as these people, perhaps those fielding calls won't be answering inquiries as much as taking an earful of complaints. (To which, I note, the people answering the phones at these two numbers are probably temps, so go easy on them).

"Second" Data Breach

If you follow data security news, you'll know that HRSD is already involved in a separate data breach due to the loss of a USB drive that contained personal information for approximately 5,000 Canadians. Indeed, it was an investigation into this breach that revealed the larger one:
The loss of the hard drive from an office in Gatineau, Que., came to light as the department looked into another breach — a missing USB key containing the personal information of more than 5,000 Canadians.

The privacy commissioner's office has already begun a probe of that incident, which was publicized last month.
Needless to say, the privacy commissioner is extending her investigation into this one as well. As she should, as this is being labeled Canada's largest data breach to date.

But, as I already pointed out, can you honestly call this a second data breach? Wouldn't it just be a symptom of what the public already knew? Namely, that HRSD doesn't have the proper solution to prevent such confidentiality breaches from occurring?

I'm not even sure what to make of the following quote:
"It's definitely unfortunate," said Adam Awad, national chairman of the Canadian Federation of Students, which received a briefing on the loss.

"It highlights how easy it is for information in today's age to be misplaced, to be misappropriated, to be stolen — if that's what the case was."
Yes, it is unfortunate.... It's also fully preventable. And, it's not new. It' not as if Canada has been immune to the problem of information security breaches. Canada's own Office of the Privacy Commissioner has been blowing the horn on this one, year after year.

Not to continue harping the obvious, but a disk encryption solution that allows USB sharing between protected computers would have nipped this in the bud. Not to mention other instances of data breaches outside of an organization's control, such as burglaries (at home and at work).

What this case really goes on to show is not how easy it is to lose data, but how an organization's data security problems are never over as long as the correct policies, training, and technical solutions are not in place.

Managed Full Disk Encryption: City Of Macon Could Have Prevented Loss Of Data The Easy Way

sang_lee — Thu, 10 Jan 2013 17:42:00 GMT

According to The Telegraph at macon.com, the Sheriff's Office is investigating how computers that contained sensitive data ended up on the auction block at govdeals.com. The use of managed full disk encryption like AlertBoot would have prevented this particular data breach quite easily: it would have been a matter of "deleting" the machine from the central console, ensuring that the encryption keys are lost forever.

Government Deal Gone Bad

From the information I can find, the reconstructed scenario is as follows: it is decided that city computers need replacing. The old computers are to be sold, and in order to do so these are turned over to the city's Information Technology Department. The IT Department sanitizes the computers (i.e., deletes any data contained within). The city then puts the inventory for sale at govdeals.com. According to the site,
GovDeals provides services to various government agencies that allow them to sell surplus and confiscated items via the Internet. Each participating agency has its own auction rules and regulations and may be subject to government ordinances.
And what deals! A 1998 Ford Econoline E150 is going for $99 as I write this sentence. The scrap metal value alone is much more than that!

Anywhooo, there is some controversy as to who sold the computers: the police department or Macon's finance department. The finance department notes that they don't sell old computers. The police department notes that they're not in charge of prepping the computers for sale.

And they're right. One's attention should really be directed to the city's IT Department, which one assumes is in charge of vetting whether city computers – be they from the police department, finance department, or any other type of government department – to be sold, retired, disposed, etc. are free and clear of any sensitive data.

Deleting Computerized Content, Preventing a Data Breach

Deleting data on a computer is an arduous process. While the process is automated for the most part, it takes forever because every single byte found on a computer must be written over. That's right. In the world of paper, you can get rid of data by deleting the information (e.g., using an eraser to get rid of pencil markings) or writing over it (e.g., using a marker and covering pencil markings).

In the digital realm, only the latter is available. That's why when you go to the "recycle bin" on a Window's machine and permanently delete something, it doesn't do squat for digital privacy. You'll notice that the process takes seconds, a couple of minutes if you're deleting a large amount of data, whereas writing over the same amount of data takes much, much more time. In fact, with today's hard disk capacities, it's not unusual for the process to take five to six hours per disk.

If encryption software had been used to protect the data on these same disks, the process would have been much shorter and much easier: lose the encryption key. Without this vital key, it is impossible to retrieve the data. And losing it takes mere seconds, even if we're talking about a disk drive with over 100 TB of data. Plus, the presence of encryption means that the computers would have been protected while they were being used, for example, if there had been a burglary at a city department.

Full disk encryption is no panacea. It doesn't even come close to being one. But, it's certainly worth its price.

Encryption Now 5th Most Used Data Protection Technique

sang_lee — Mon, 17 Dec 2012 22:39:00 GMT

According to a new report, encryption is now the fifth most used protection technique, with nearly half of businesses in the world employing it. We at AlertBoot can attest that the use of disk encryption is very popular, but this could be the effect of having a solution that is completely web-based and on-demand, meaning our clients can encrypt as many (or as little) laptops as they require.

Only One-Third of Specialists Use It

The report by B2B International notes that there was a sharp increase in the use of encryption when compared to a similar survey last year. And yet, that sharp rise is less impressive than it seems:

Only one-third of specialists (36%) use full disk encryption (also known as encryption of information arrays) and less than half of those specialists (44%) actually protect critical information. Data encryption on external devices, e.g. USB drives, is used by 32%."[infosecurity-magazine.com]
With figures like these, it's no wonder that businesses, agencies, and organization are experiencing data breaches that are entirely preventable. Can one expect non-technical people to employ encryption software [http://www.alertboot.com/disk_encryption/full_disk_encryption.aspx ; full disk encryption software ] and other data security tools at a significant level (say, more than 75% of users) when those who definitely know better don't use it? Just to clarify things, it's not the encryption of data on exotic equipment we're talking about here: the survey found that only 32% of specialists used data encryption on external devices.

At the same time, data loss incidents increased from 30% to 35% in the same period.

Security and ROI

What could be discouraging the use of encryption? Perhaps the following observation from the report could shed some light.

According to the research, preventing IT security breaches is the top concern for IT professionals (31% of respondents). This is followed by data protection (27%) and, oddly enough, ensuring IT systems are used fully to maximize IT infrastructure ROI (23%).
ROI. Plunking down coin for security cannot provide an ROI (it stands for "return on investment," and let me tell you, security is not an investment; it's an expenditure). However, we get the message loud and clear: security is expensive.

There are ways to cut down on those costs, however. For example, let's say your organization requires the protection of 73 laptops. The device count is high enough that the organization would benefit from central management to coordinate the deployment and installation. Benefits would also include the creation of reports when running an audit as part of a compliance follow-up. On the other hand, such a centrally managed solution would probably require that licenses for enduser encryption be purchased in blocks, with 100 licenses being the minimum.

The organization is essentially paying at 25% premium seeing how they only need 73 licenses. This "premium" could be eliminated by hiring 27 more people, I guess, but that's definitely not the answer to this particular conundrum. The right way to handle this: only get 73 licenses that are necessary.

AlertBoot uses a Software as a Service (Saas) model, so if the above organization only needs 73 licenses, that's what they pay for. Additionally, hidden costs like extra hardware (management servers), extra software (to go with the servers), loss of IT department human resources (someone has to mind all those extra servers), and dealing with password resets and whatnot are eliminated as well.

Encryption can be expensive, but it shouldn't be more expensive than necessary.

Advanced Technology Encryption: NASA Will Encrypt All Laptops

sang_lee — Sat, 17 Nov 2012 02:36:00 GMT

NASA, the US National Aeronautics and Space Administration, is forbidding staff from removing laptop computers until all of them have been protected with laptop encryption. The order follows an announcement that NASA lost another computer on October 31.

NASA: Not Actually Securing Anything?

According to the BBC, NASA has ordered staff not to remove agency-issued laptops from facilities until they are protected with encryption software. The straw that broke the camel's back is an October 31 incident: a laptop computer was stolen from an employee's car in Washington, D.C. The computer contained sensitive, personally identifiable information (PII). The report did not specify what it could be, although PII can range anything from names and addresses to SSNs, credit card numbers, and various forms of financial information.

Password protection was used to secure the content, but as is common knowledge among geeks and technologists, password protection does not feature the same level of security as encryption. The fact that this is lost on rocket scientists would tickle me silly if it were not so sad.

NASA is alerting its employees that they should take care not to be phished. A full review of the lost data could take up to 60 days.

Fine Print

Reading the actual agency-wide message, it's quite clear that NASA is not actually forbidding staff from taking home their agency laptops. If you read the fine print (spaceref.com, my emphasis):

The Administrator and the Chief Information Officer (CIO) have directed that, effective immediately, no NASA-issued laptops containing sensitive information can be removed from a NASA facility unless whole disk encryption software is enabled or the sensitive files are individually encrypted. This applies to laptops containing PII, International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data, procurement and human resources information, and other sensitive but unclassified (SBU) data.

As long as the laptop doesn't contain information such as the above, it should be fine. The problem in this era of terabytes, though, is whether one can be absolutely sure that he or she is not carrying sensitive information.

Such pragmatic concerns are what led certain IT security advocates to deploy full disk encryption software on all laptops, regardless of who's using for which purpose, if there is even a remote chance of sensitive data ending up in them (because an organization handles sensitive data).

NASA appears to be playing a page from that book:

Center CIOs have been directed to complete the whole disk encryption of the maximum possible number of laptops by November 21, 2012. NASA plans to complete the laptop encryption effort by December 21, 2012, after which time no NASA-issued laptops without whole disk encryption software, whether or not they contain sensitive information, shall be removed from NASA facilities.

So, for the time being, the US's premier (and only) space agency will allow unencrypted laptops to be taken in and out of facilities but all of it ends 10 days before the end of the year. Why ten days? Who knows -- maybe they like the fact that the dates are all ones and twos: 12/21/2012. (It's a stupid suggestion because, among other things, there's an errant zero in the mix).

While one congratulates NASA for the above, one has to wonder what took them so long? I mean, they had that situation over a year ago, in March 2011 and another earlier this year.

I guess that saying about good and bad things coming in three must be true.