A small update to the South Shore Hospital data breach: the company which South Shore contracted to destroy 800,000 computer records had in turn outsourced the job to a third party. So far, it hasn't been clarified what type of data protection, if any, existed--although I'm still hoping to hear that something along the lines of drive encryption like AlertBoot was used.
I've already covered the South Shore breach here. In light of the revelation of the subcontracting, I wonder: who's at fault here?
The unnamed subcontractor didn't lose the information, strictly speaking. The claim is that they received only a partial shipment, so the loss can't be pinned on them. How can you blame the receiving party, unless they had sent someone to fetch the...whatever it is that was supposed to be delivered (backup tapes? CDs? Hard drives? Etch-a-Sketches? It still hasn't been revealed).
Then, you've got the original contractor in the middle who probably sent the records. Did they, too, receive only a partial shipment? Are they to blame? Why didn't they do the job of destroying the records themselves? The usual answer is, of course, because they could get someone else to do it for them for less. Technically, the breach could have been avoided if the contractor hadn't outsourced the work (but, this is in hindsight and applies to this case only).
Should a courier company be blamed, the one that was employed (I'm assuming one was used) by the contractor?
And finally, we have South Shore Hospital. Perhaps it should be blamed for the breach. After all, they were the ones that handed the records to the contractor, presumably without using encryption software to safeguard the information (otherwise, we really wouldn't be hearing about this issue).
The more parties that are involved, the harder data security becomes, and so does pinning the blame. Assigning responsibility, however, is easy (although not always fair): in this case, it's South Shore Hospital that's responsible, which is why its name is the one listed on the HHS site for breaches affecting 500 or more individuals.
Related Articles and Sites:
http://www.bostonherald.com/business/healthcare/view.bg?articleid=1270526
The story from Cooper University Hospital is that a thumb drive filled with sensitive data has gone missing. Data encryption was not used to protect the contents, meaning over 100 people may be at heightened risk of ID theft.
The device--which included SSNs, addresses, and phone numbers of university hospital residents and fellows--went missing on July 8th. The police are still investigating whether this is a case of theft.
It should be noted that patient information was not involved.
As the university hospital readily admitted, the device was not protected with encryption software. Seeing how nobody really knows what happened to the thumb drive, the threat of identity theft is quite real (although probably low).
If either disk encryption or file encryption had been used, the above doctors--and they are doctors; it's just that they still require supervision--could be at peace knowing that their information was protected. Instead, now they'll have to wonder whether one day they'll find themselves victims of a fraudulent credit application or some other contract.
Not exactly what you want surgeons worrying about as they're inserting a catheter down your throat.
Related Articles and Sites:
http://abclocal.go.com/wpvi/story?section=news/local&id=7578794
http://www.databreaches.net/?p=12735
http://www.courierpostonline.com/article/20100728/NEWS01/100728075/Cops-seek-clues-in-missing-personal-data-from-Cooper
Mark Twain once noted, and I paraphrase, "there are lies, damned lies, and statistics." There is also the observation that "to lie with statistics is easy. To lie without them is easier." What all this means is that when reporting a statistic, one also has to consider the information that makes up that stat.
Unfortunately, I only have a number, so I'm slightly loath to report this but here it goes....
According to the HIPAA Blog,
Roughly 5.8% of American adults have been victims of medical identity theft, with $20,160 being the average cost per victim.
The author of the blog picked up the figure at a lunch sponsored by Scott & Scott and Chartis.
The latest US population count lies somewhere around 307 million. 5.8% of that is 17.8 million people, and at $20,160 apiece that comes to a total cost of--wait for it--$359 billion.
That's a mind-boggling amount of money. As a reference point, Microsoft's combined revenues for 2005 to 2009, inclusive, is $254 billion.
Of course, for the medical ID theft figure we have no reference point whatsoever: are the stats for last year? Or perhaps a combined total for the last 10 years? If so, what does the 5.8% figure really mean?
I wish some kind of supporting data had also been provided...
Medical facilities have to comply with HIPAA/HITECH, and the use of encryption software is, for lack of a better word, actively encouraged: encryption is an "addressable" rather than a "required" specification under the HIPAA Security Rule, but data that is properly encrypted falls outside HITECH's breach notification requirements.
I would assume that the use of encryption would curtail, or at least impact, the theft of medical information. However, there is no way to know. Consider all the ways that medical information can be stolen besides surreptitiously lifting laptops and external drives:
- Internal attacks (less than ethical doctors, nurses, EMTs, etc.)
- Lost or stolen paper documents, folders, etc.
- A server hacking incident

With the exception of the last one, where file encryption or database encryption could prevent access to sensitive data, there is no way for encryption to prevent theft. Digital data encryption can't be used on paper documents, and how can encryption stand against someone who has the required passcodes for accessing encrypted data in the first place?
On the other hand, the rate of lost or stolen computers and external data devices (such as USB devices) is high enough that encryption can't be left on the backburner.
Related Articles and Sites:
http://hipaablog.blogspot.com/2010/07/interesting-stat-i-attended-lunch.html
http://financials.morningstar.com/income-statement/is.html?t=MSFT&culture=en-US
If you're a HIPAA-covered entity, you probably want to use data encryption software to protect any sensitive patient data. Otherwise, when a breach occurs, you'll have to notify a number of people: under current HIPAA regulations, it means the HHS and affected patients.
If a recent proclamation by the FTC is any indication, covered entities will have to watch out what they claim.
Rite Aid recently settled with the FTC and the HHS on charges that it failed to protect sensitive financial, medical, and health information. It's kind of expected, seeing how they were found dumping job applications and pharmacy labels full of personal information into your average open dumpster. The FTC and the HHS had launched an investigation after seeing on TV that Rite Aid had engaged in lax security.
So far, nothing surprising about all of this. What caught my eye, however, is the following in the FTC press release:
Rite Aid made claims such as, "Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy." The FTC alleged that the claim was deceptive and that Rite Aid's security practices were unfair. [My emphasis]
Yikes. That quote by Rite Aid is pretty much standard in all the breach notification letters I've read to date.
You might be wondering what the FTC has to do with all of this. The FTC's hook is its general authority over unfair or deceptive business practices under the FTC Act: a privacy promise that isn't backed by reasonable security is a deceptive claim, whatever HIPAA says. Separately, the HITECH Act handed the FTC its own breach notification rule for vendors of personal health records that aren't HIPAA covered entities, so the two agencies end up sharing this territory.
Would it have made a difference if Rite Aid had used some tool or technology to protect the data--not just laptop encryption like AlertBoot, but anything of that sort? It's debatable, and ultimately depends on what the HHS and the FTC want to do, I guess.
We know, for example, that safe harbor--from sending breach notification letters, if a laptop is lost, stolen, missing, etc.--is granted by the HHS when protected health information is guarded with encryption software.
On the other hand, look at the list of Rite Aid's "failures," per the FTC press release:
- Disposing of personal information,
- Adequately training employees,
- Assessing compliance with its disposal policies and procedures, and
- Employing a reasonable process for discovering and remedying risks to personal information.

I'm willing to bet that failure to adequately comply with the above also impacted the final settlement figures. You'll notice that the use of encryption tools would not impact the above at all.
One thing to be said about the use of encryption is that, if I recall correctly, you don't have to contact anyone about the loss of an encrypted device: not the people "affected" by the breach, not the HHS, no one. (The caveat is that the encryption has to meet the HHS guidance, which points to the NIST standards, and the decryption key can't have gone missing along with the device.) And, if you don't alert anyone outside the business, there is no reason for the FTC or the HHS to come investigate you.
Which means that, perhaps, the use of encryption could resolve a lot of headaches, more than the technology is intended to.
I'm not too enthused about this conclusion, since proper data security requires a framework that includes medical encryption and other information security tools as well as the four points above (and others) detailed by the FTC.
However, if I am a company that needs to comply with HIPAA, I'd be crazy not to accept any advantages extended to me. Data security is already pretty hard as it is.
Related Articles and Sites:
http://www.databreaches.net/?p=12712
As I've noted before, the SCADA worm (or, more accurately, the Stuxnet worm/Trojan) has nothing to do with drive encryption software like AlertBoot. But, perhaps a service that's included in AlertBoot could be of help.
I didn't realize it last week, but the worm affecting SCADA is actually bundled with an exploit for the Microsoft .lnk shortcut vulnerability (CVE-2010-2568), an attack that is spread around via USB drives. The attack kicks in automatically when the shortcut's icon is displayed: Windows loads a library named by the malicious shortcut just to render the icon, so merely viewing the folder in Explorer is enough, with no double-click required. Disabling autorun and autoplay in Windows can't prevent the infection, according to zdnet.co.uk.
In other words, you pop in an infected USB memory drive, open it up, and you're now infected. In order to prevent this from happening, you can get Sophos's Windows Shortcut Exploit Protection Tool for free. This was designed for people who don't use Sophos's antivirus software but need the protection.
Microsoft currently doesn't have a fix; as of this writing its security advisory offers only workarounds, such as disabling the display of icons for shortcuts.
A commenter on the zdnet story asked, in effect, why a SCADA system would have USB ports in the first place.
Hm. That's an interesting question.
As another commenter noted, probably because of the keyboard and the mouse: PS/2 ports are generally not found in modern computers, so the same kind of port that reads and writes USB thumb drives is also used for hooking up your input devices.
Of course, perhaps the real question is "why are people popping in their USB flash drives into a critical system?" And maybe the answer is, "because they can."
While encryption can't do much in the above situation, perhaps a security tool in AlertBoot's arsenal could be of help: Port control software.
Port control allows an administrator to specify which devices can communicate via the USB ports. For example, mice and keyboards generally don't pose a risk and are required to make use of critical systems like SCADA, so they're allowed. On the other hand, perhaps that's not the case with other USB-based devices (your iPod, for example, shouldn't really be connecting to a machine that regulates a power plant).
You can see how such an application would be invaluable for managing the security of critical systems. In fact, here's what our company's page on port control has to say:
AlertBoot Port Control prevents unauthorized use of serial, parallel and other ports and controls access to CD-R or DVD-R drives
- USB ports (USB keys, personal music players, external hard drives, PDAs)
- Serial ports (PDAs, old communication devices)
- Parallel ports (Printers, old communication devices)
- FireWire (external hard drives, personal music players, PDAs)
- IrDA® (Infrared receivers, handheld portables, cell phones, cameras)
- CD-R/DVD-R (burning data on CDs or DVDs)
Selective access control based on device classes, brand, and ID
Extended features of Port Control allow an organization to adapt the security control policies to accommodate new devices or ports. Organizations can also discriminate between "good" and "bad" devices based on the devices classes, brand, and ID. This allows organizations to continue to use selective USB tokens or keys that are approved for use while excluding the use of other devices on that USB port.
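To make the "good device / bad device" decision concrete, here is an added example of the allow-list logic such a port-control policy boils down to. This is illustrative Python written for this post, not AlertBoot's code or its product's actual rules: a device is identified by the interface classes it exposes plus its vendor ID, product ID and serial number; input devices and hubs are allowed by class, mass storage is denied by default, and one specific USB token is let through by its exact identity. All vendor/product IDs and serial numbers below are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# USB interface class codes (USB-IF base class list).
CLASS_HID = 0x03           # keyboards, mice
CLASS_MASS_STORAGE = 0x08  # thumb drives, external disks, music players
CLASS_HUB = 0x09


@dataclass(frozen=True)
class UsbDevice:
    vid: int                      # vendor ID, the "brand"
    pid: int                      # product ID, the model
    serial: str                   # unit serial number, "" if the device has none
    interfaces: Tuple[int, ...]   # class code of every interface the device exposes


@dataclass(frozen=True)
class PortPolicy:
    allowed_classes: FrozenSet[int]
    # (vid, pid, serial); a serial of "" approves every unit of that model
    approved_devices: FrozenSet[Tuple[int, int, str]]

    def decide(self, dev: UsbDevice) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything not explicitly allowed is denied."""
        # 1. Exact device identity wins. This is how an approved USB token
        #    gets through a port that otherwise refuses mass storage.
        for vid, pid, serial in self.approved_devices:
            if (vid, pid) == (dev.vid, dev.pid) and serial in ("", dev.serial):
                return True, f"approved device {vid:04x}:{pid:04x}"
        # 2. Otherwise every interface must belong to an allowed class. A
        #    composite device that is a keyboard *and* a storage volume is
        #    refused because of its storage interface.
        if not dev.interfaces:
            return False, "device exposes no interfaces"
        for cls in dev.interfaces:
            if cls not in self.allowed_classes:
                return False, f"interface class 0x{cls:02x} not allowed"
        return True, "all interface classes allowed"


def evaluate_inventory(policy: PortPolicy,
                       devices: List[UsbDevice]) -> List[Tuple[UsbDevice, bool, str]]:
    """Apply the policy to every device seen on the machine's ports."""
    return [(dev, *policy.decide(dev)) for dev in devices]


# Policy for a control-system workstation: input devices and hubs only,
# plus one specific authentication token identified down to its serial.
SCADA_POLICY = PortPolicy(
    allowed_classes=frozenset({CLASS_HID, CLASS_HUB}),
    approved_devices=frozenset({(0x1234, 0x0001, "TOKEN-0001")}),
)

# Constructed device records; the VID/PID/serial values are placeholders.
SAMPLE_DEVICES = [
    UsbDevice(0x1111, 0x0001, "", (CLASS_HID,)),                     # keyboard
    UsbDevice(0x1111, 0x0002, "", (CLASS_HID,)),                     # mouse
    UsbDevice(0x2222, 0x0010, "DRV-77", (CLASS_MASS_STORAGE,)),      # thumb drive
    UsbDevice(0x3333, 0x0020, "", (CLASS_HID, CLASS_MASS_STORAGE)),  # keyboard that also mounts a volume
    UsbDevice(0x1234, 0x0001, "TOKEN-0001", (CLASS_MASS_STORAGE,)),  # the approved token
    UsbDevice(0x1234, 0x0001, "TOKEN-0002", (CLASS_MASS_STORAGE,)),  # same model, unapproved unit
]

if __name__ == "__main__":
    for dev, ok, why in evaluate_inventory(SCADA_POLICY, SAMPLE_DEVICES):
        print(f"{dev.vid:04x}:{dev.pid:04x} {dev.serial or '-':<11} "
              f"{'ALLOW' if ok else 'DENY':<5} {why}")
```

Two things worth noticing. Checking every interface, not just the first, is what stops a composite device from sneaking a storage volume in behind a keyboard interface. And the whole scheme rests on what the device reports about itself: class codes, IDs and serials all come from the device's own descriptors, so a hostile device can claim to be a keyboard or clone an approved token's identity. Port control raises the bar for the casual thumb drive; it doesn't substitute for patching the shortcut bug.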
Related Articles and Sites:
http://www.zdnet.co.uk/news/security/2010/07/16/spy-rootkit-goes-after-key-indian-iranian-systems-40089564/
Hospital volunteers and patients at Hong Kong's Queen Mary Hospital are at risk because of a computer data breach. Two desktop computers and an external hard disk were stolen, and it looks like drive encryption software was not used.
One of the stolen computers contained the information of 700 cancer patients and dozens of volunteers: Chinese and English names, ID card numbers, phone numbers, and addresses. ID card numbers across the world are regularly traded in the electronic underground market, since they can be used for bypassing on-line verification services.
It's not apparent whether the thieves were after the data or not. Besides the computers and the hard disk, three computer monitors were also stolen. Seeing how this is a literal break-in--door locks were broken and there were other signs of forced entry--it could very well be that thieves just wanted to get their paws on anything of value.
On the other hand, once you have such goods in your hands, it doesn't take much to run cheap software that looks for sensitive data. After all, if a thief steals a car, he'll probably go through the glove compartment and trunk as well, just to see what's in there. I don't see why it would be any different for a computer.
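To show how little "cheap software that looks for sensitive data" actually takes, here is an added example written for this post (not a real thief's tool, and not code from the original). It walks a directory, pulls candidate US Social Security numbers and Hong Kong ID card numbers out of every file with two regular expressions, and then discards false positives with the structural rules for each format, including the HKID check digit. The sample files it builds, and every name and number in them, are constructed for the demonstration. On a disk protected with full-disk encryption, a scan like this sees only ciphertext and finds nothing.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Candidate patterns: a US Social Security number and a Hong Kong ID card
# number (one or two letters, six digits, check digit in parentheses).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(([0-9A])\)")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 001-899 except 666, group and serial non-zero."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0


def hkid_valid(prefix: str, digits: str, check: str) -> bool:
    """HKID check digit: weight the characters 9 down to 1, sum must be 0 mod 11.
    Letters count A=10 ... Z=35; a single-letter prefix is padded with a space (36);
    a check digit of 'A' stands for 10."""
    chars = prefix.rjust(2)
    values = [36 if c == " " else ord(c) - 55 for c in chars]
    values += [int(d) for d in digits]
    values.append(10 if check == "A" else int(check))
    total = sum(v * w for v, w in zip(values, range(9, 0, -1)))
    return total % 11 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every plausible identifier in a piece of text."""
    hits = [("SSN", m.group(0)) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    hits += [("HKID", m.group(0)) for m in HKID_RE.finditer(text)
             if hkid_valid(*m.groups())]
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a directory and report every file containing plausible identifiers."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build a few constructed files (every name and number is made up) and scan them."""
    samples = {
        "patients/roster.txt": "Chan Tai Man, HKID A123456(3), tel 2345 6789\n"
                               "Lee Siu Ming, HKID XA123456(8)\n",
        "hr/residents.csv": "name,ssn\nJ. Doe,123-45-6789\nR. Roe,000-12-3456\n",
        "notes/readme.txt": "987-65-4321 is not a valid SSN and A123456(4) fails its check digit\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The validation step matters in both directions: without it a scan drowns in phone numbers and part numbers, and with it a thief (or a defender doing the same scan before the disk walks out the door) gets a short list of files worth opening.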
This is not the first time a hospital in Hong Kong had to announce the breach of patient data. About a month ago, two other HK hospitals announced a data breach, and I've also covered numerous cases of lost or stolen USB memory sticks and computer thefts in the past.
Perhaps I shouldn't be, but I'm surprised when I hear that computers in Hong Kong are not protected with encryption software. If a data breach happens in the US, it's kind of understandable because the country is so large: one might not hear about a breach, or about what can be done to contain it, etc.
Hong Kong has around 7 million people and a land area about 5 times that of Boston. In other words, it's a pretty small city but densely populated (fourth highest population density in the world, according to Wikipedia). I bet you can't help but overhear--two tables to the right, while you're ordering steamed dumplings--what medical illness a stranger's cousin caught.
My guess is that most medical establishments know of the dangers of not having their machines adequately protected. Which in turn implies that a conscious decision was made not to use data encryption programs in this case.
A shame, if this is true. While hard disk encryption cannot prevent all types of data breaches, it is very useful for preventing those related to the physical theft of computers and other digital data storage devices.
Related Articles and Sites:
http://www.thestandard.com.hk/news_detail.asp?we_cat=4&art_id=101008&sid=29035889&con_type=1&d_str=20100727&fc=1
http://www.phiprivacy.net/?p=3147