Archive for October, 2009

You need more than a blue shield to secure data

October 30th, 2009

Earlier this month we wrote about breaches of medical data in the United Kingdom, but in these past few weeks the US medical community has been stunned by two major security breaches related to Blue Cross Blue Shield.

The Blue Cross and Blue Shield brands are the United State’s oldest and largest family of health benefits companies and are among the most recognized brands in the health insurance industry.  They are the largest health benefits provider in America, serving 100 million people, or approximately one-in-three Americans.

However, a great brand and a long history did not do anything to protect Blue Cross and Blue Shield from these two security breaches.

Information on 850,000 Physicians was stolen

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Association employee.  The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors.  Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.

Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant encrypts all the information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The employee’s personal laptop was stolen after the employee left headquarters with it.

Smokler said corrective action has been taken, but declined to elaborate. This ties directly to our earlier article on security of healthcare data where we noted:

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches” which highlights why the government regulation is so important.  Unless the fines and implications are severe – this industry, which is accustomed to using insurance to alleviate risks is likely to continue to be a data security black hole.

It’s for this reason that Blue Cross Blue Shield should publicize the steps taken against this employee.  Other employees in the healthcare industry and beyond need to see that there are repercussions of violating data security procedures.  The powerful American Medical Association which represents most of the 850,000 impacted doctors has 6 asked the BlueCross BlueShield Association to meet regarding the data breach – so this story is far from over.

68 Blue Cross Blue Shield Hard Drives Stolen

In addition to reports of the missing laptop with from the national headquarters Blue Cross Blue Shield of Tennessee has announced the theft of 68 computer hard drives.  Over the weekend of Oct. 2nd, unauthorized persons entered a data closet in a remote location that BlueCross BlueShield of Tennessee leases for training purposes and removed 68 hard drives. The stolen hard drives contained voice recordings of eligibility and coordination-of-benefit calls.

While BCBS has not specifically stated whether the drives were encrypted, they commented that “the retrieval of member data from these drives would require highly-specialized expertise and software.”   The other term that was used was “encoded.”  This tells us that while some of the files might have been secured and the data might be hard to retrieve, the drives were not protected by hard drive encryption.

One has to wonder – how many times will records have to be stolen, before companies in the healthcare industry step up and encrypt.  Sure, we all know the economy is tough and money is tight – but today encryption is quite affordable.

Your data is your data, no matter where it is

October 26th, 2009

laptop-puzzle-pieceWith some of the most stringent reporting requirement regarding data breaches, the tiny state of New Hampshire (population 1.3 million) in the northeastern United States is turning into the place to go to learn about data breaches.   The latest news on how a “laptop left on plane put pension fund participants at risk” is an interesting tale about how security does not stop at your firewall – indeed security is a piece of most every business puzzle.

Party A does not encrypt and loses data owned by Party B

This story is a bit hard to follow but essentially on June 14 an employee of the Verso Paper Corp. left a company laptop behind on an airplane.  One their laptop were two documents that contained the names and Social Security Numbers of some former and current participants in the PACE Industry Union-Management Pension Fund (PIUMPF). According to a letter (pdf) sent to the New Hampshire Attorney General’s Office, it seems that PIUMPF had provided Verso with the data as part of a discussion relating to the possible merger of Verso’s pension plan into PIUMPF.

So say you are the IT manager at PIUMPF and perhaps if you have secured and encrypted all your data – you are sitting safe and pretty.  But your company’s data is shared with Verso and they don’t have nearly as good security – their laptops are not encrypted and as this case highlights – a third party can bring you down from a security perspective.

You can’t just encrypt, You have to educate

Alertsec has written and talked about this many times.  What your partners do matters: from Software-As-A-Service vendors who host your data to the company, to the company that carries your backup tapes to a vault to business partners that gain access to some or all of your data. When it comes to security, the actions of your partners matter.

Any other vendor that will come in contact with your confidential data has to be asked to follow the same stringent security protocols that you use.  However, the decision to share data may occur outside the confines of the IT world.  This is a key reason why it is not just enough to secure and encrypt your organization’s PCs – you have to ensure that your senior leaders understand the security issues of data sharing.

Encryption is the only secure way to protect your information

It might seem pushy to ask questions about a business partner’s security procedures – but the case with Verso Paper  highlights why you have to be proactive and specifically tell business partners what you mean by security. If the unthinkable actually happens and your business partner loses a computer with your laptop, a tool like Alertsec Xpress ensures that the information is protected at all times and cannot be compromised which ensures you complete peace of mind.

Encrypt Before the Law Smacks It On!

October 22nd, 2009

The Information Commissioners Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information.  The ICO has legal powers to ensure that organizations comply with the requirements of the Data Protection Act.  The ICO is an outgrowth of the The Data Protection Act 1998 which has helped to encourage businesses to step up and take action to ensure appropriate protection of data. The ICO, which is responsible for enforcing the Act, has shown great success in getting organizations to cooperate after DPA violations.

Information Commissioners Office Enforcements

Reading through the ICO enforcement page is like reading an advertisement for encryption software.

  • 14 September 2009 – Billing Pharmacy Ltd, theft of an unencrypted computer containing sensitive personal data for around 1,000 customers.
  • 4 September 2009 – Sandwell Metropolitan Borough Council, an unencrypted memory stick was lost by an employee.
  • 21 August 2009 – London Borough of Sutton, theft of two unencrypted laptops.
  • 20 August 2009 – Repair Management Services Ltd (formally MVRA), theft of an unencrypted laptop containing the personal information of approximately 36,800 individuals.
  • 12 August 2009 – UPS Limited, an unencrypted password-protected laptop was stolen containing the payroll data of approximately 9,150 UK based UPS employees.
  • 28 July 2009 – Imperial College Healthcare NHS Trust at St Mary’s Hospital, South Wharf Road, London, theft of six unencrypted laptop computers (two incidents)
  • 28 July 2009 – NHS Lothian, theft of an unencrypted memory stick
  • 28 July 2009 – London Clubs International Limited, theft of an unencrypted laptop containing the data of approximately 26,000 customers.
  • 14 July 2009 – Chelsea & Westminster Hospital NHS Foundation Trust – theft of an unencrypted USB memory stick containing personal data relating to 143 of the Trust’s patients.
  • 14 July 2009 – The Hampshire Partnership NHS Trust, theft of an unencrypted laptop computer, containing the personal data of 349 patients and 258 members of staff.
  • 14 July 2009 – The Royal Free Hampstead NHS Trust, loss of an unencrypted computer disk containing personal data relating to some of the Trust’s patients.
  • 14 July 2009 – Surrey and Sussex Healthcare NHS Trust, theft of two unencrypted laptop computers containing personal data relating to 23 and up to 80 of the Trust’s patients respectively.

Password protected laptops are not secure

Referring to the UPS case noted above, Mick Gorrill, Assistant Information Commissioner with the ICO, said ‘Password protected laptops are not secure. I urge all organisations to restrict the amount of personal information that is taken off secure sites. I am pleased that UPS has encrypted its laptops and smartphones, and I urge other organisations to follow suit.”

Encryption is the most Affordable Security Approach

In all these cases, the breaches are clear examples where had data security measure like laptop encryption software been used; the entire incidents could have been avoided.  There are so many benefits to encryption; it is so affordable; it is so obvious – yet as the ICO enforcements show – we are a long way from universal laptop encryption.

In each of the cases noted here, the organization implement encryption policies as part of the enforcement with the ICO – and I bet each of them wished they had  implemented the same policies on your own, ahead of the law!

Employees – The Weak Link in Encryption

October 18th, 2009

woman-bed-laptopWith the continued growth of mobile computing and of data security laws, every day companies are investing more an more time and dollars into security systems.  Unfortunately, a common failing of these laptop security measures is the fact that they are heavily reliant on the diligent action of laptop-using employees to remain effective.  Thus, even after this investment of time and money – a security breach occurs because of the weakest link – the person behind the keyboard.

Employees Can’t Be Relied on to Enforce Security

Most organizations promote polices for the safe use of mobile computing devices and for accessing sensitive files.  However, just thinking about yourself:

  • Have you ever shared a password with another employee
  • Have you ever heard about another employee sharing passwords and not reported that?
  • Have you ever turned off an anti-virus, anti-spyware or encryption program?
  • Have you ever copied confidential data from it’s home (mainframe, shared network drive) to your PC for convenience?

Regardless of policies, the reality is that busy salespeople, unknowing marketers and harried administrative staff will ignore or avoid policy and load sensitive information onto portable computers. With more than 600,000 laptops lost or stolen each year from U.S. airports alone, companies relying on organizational policy to protect sensitive data will continue to fuel data breach media headlines.

Value of Remote Administration for Encryption

laptop-outside-womanTraditionally, organizations have used corporate firewalls and other intrusion detection systems to protect corporate networks from potentially compromised endpoints.  However, in today’s laptop-dominated environment, endpoint security strategies place the responsibility for security on the device itself and not on the employees.  This next generation of security strategy is already common in the form of anti-spam filters, desktop level firewalls and anti-virus software programs.

For best protection using encryption , there should be no local administration available for the end-user.  This is one of the benefits of Alertsec Xpress, as it  is designed to support an enforced security implementation where the user will not be able to disable the security without proper authority. Recognizing that organizations cannot rely on end-users to consistently follow IT policy or diligently apply security software, Alertsec Xpress eliminates the requirement for end-user involvement to be effective.

Laptop Safety Tips

October 13th, 2009

While we normally focus on encryption, so many of our articles discuss laptops and many of our readers deal with laptops every day.  So today we thought we would share tips for safety when you leave home with your laptop.  Obviously, encryption is the number one step – but there are other tips:

Laptop and International Travel Tips for Laptops

  • airport-laptopIf your laptop is new, take receipts – you don’t want your local customs charging you when you return, thinking you bought it abroad!
  • Don’t forget to take a voltage adapter on your laptop, as well as preparing a power plug adapter
  • Make a back-up of all your data before you leave the country
  • It is highly unlikely, but possible that a customs officer decides to search your laptop as you bring it into this other country So you should be sure that your hard drive doesn’t have anything that it shouldn’t. This includes pornography as the definition of what is or isn’t porn varies by country.  Also, if you work for a security or defense type firm realize that information that appears normal to you, could be considered espionage by an overzealous customs officer.
  • Also unlikely, but you may be required to decrypt any encrypted files for customs.

School and Library Security Tips for Laptops

  • Permanently mark your laptop with your contact information – this may deter thieves, since it makes resale more difficult.  Also consider pasting the laptop with stickers.
  • Use a generic backpack and not a custom laptop bag – a backpack may not be as obvious to thieves that a laptop is inside.
  • Don’t leave your laptop unattended at your feet in a bag. If you should become distracted or fall asleep your laptop is easy game – consider setting an alarm on your PC if you are tired to avoid this risk.
  • When using public wireless connections, be wary of logging into sites as passwords could be made available to others!

In Flight Security Tips for Laptops

  • airplane-laptopPlan ahead as to which luggage case will house your laptop.  You don’t want to store your laptop in an overhead bin if it’s in a soft case.
  • Close and put away your laptop when meals are served so there’s no risk of a beverage tipping onto it – I have personally seen this happen twice.  One time, my then six year old daughter learned many new and “interesting” words when the laptop owner was shrieking at the stewardess.
  • When you leave your seat, close your laptop and put it away or leave it on the seat, not the tray where it could more easily slip off during turbulence.

While laptops are essentially made for traveling – there are so many things you can do to ensure their safety. From the security of encryption to plain common sense on how you care for your belongings.

Healthy People Maybe, Healthy Laptops No!

October 9th, 2009

doctor-laptop-securityThree health trusts in the UK have had 30 data breaches in the past two years, according to reports.  According to the BBC, Devon Primary Care Trust, Derriford Hospital, and Torbay Primary Care Trust have reported that they’ve had 30 breaches in total.

Yes, you read those numbers correctly – three organizations and thirty breaches.

The lost information included patient data which may have included NHS numbers, names, medical conditions, and other information, depending on the breach. The losses included laptop thefts and the theft or loss of memory sticks with sensitive data.  In no cases were any of the devices protected with hard drive encryption software which could have easily eliminated any instances of a data breach from occurring.

Rest easy, They’ve Learned Their Security Lesson

According to the BBC, “all the health trusts which lost data said they had learned from the cases.”  Of course, one has to ask why it took 30 breaches to then create an environment that looked for solutions!  But the claim is that now all data is stored on secure servers and all staff have been issued with encrypted memory sticks and associated training. Plus each trust now has an official whose job was make sure information is secure.

A Trust spokesman was unable to say exactly when the theft occurred and if patients were told at the time, but in a prepared statement pointed out that at least some of the laptops had password protection.   However, unlike encryption, password protection can be breached in many ways.

Hospital Laptop Safety

medical-computer-securityAs our recent article Data Loss is the Other Guy’s Problem pointed out, hospital are at high risk for data loss.  Yet, they remain slow to adapt and slow to realize that services like Alertsec with hard disk encryption that are so affordable as easy to manage.  I just did a Google search on “hospital data breaches” to quickly find reports like:

These losses tie to the fact that “Health care is a treasure trove of personally identifiable information,” says Don Jackson, a researcher at security consulting company Secure Works Inc. Most health-care organizations collect patient’s names, Social Security numbers and dates of birth. Plus they store payment information such as insurance and credit-card data.  This is the holy grail for a thief in terms of financial opportunity.

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches” which highlights why the government regulation is so important.  Unless the fines and implications are severe – this industry, which is accustomed to using insurance to alleviate risks is likely to continue to be a data security black hole.

Losses from high-tech security breaches nearly double in 2009

October 5th, 2009

canadian-data-breachA new Canadian study from the Rotman School of Management reveals a major increase in annual losses related to Information Technology (IT) security breaches. According to this study, which surveyed more than 600 IT security professionals across the country, the costs associated with security breaches include:

  • IT security breaches cost the average Canadian organization an estimated $834,000 in 2009 – a 97 per cent increase from the $423,000 reported by the study last year.
  • Similarly, the average number of reported IT security breaches also increased 276 per cent to 11.3 per organization in 2009 – compared with an average of three in 2008.

While every type of organization incurred an increase in breach costs during 2009, the increases were different across sectors:

  • Government organizations more than tripled their average annual cost of breaches to $1,000,000 in 2009, up from $321,000 in 2008.
  • Private companies more than doubled their cost of breaches to $807,000 up from $294,000 in 2008.
  • Publicly traded companies reported a moderate increase of only six per cent year-over-year.

These alarming numbers bring with them a silver lining, as the increase in the number of reported cases could be attributed in part to higher detection levels due to compliance regulations.  At the same time, it is a shame that IT departments are not adopting data encryption software like they should be.  Even with increased reporting, proper use of tools like Alertsec could have led to a decrease is losses due to security breaches.

The study highlighted the value of IT investments in security as the top-performing respondents (those without breaches) spent at least 10 per cent of their IT expenditures on security, with the average security budget was seven per cent of the total IT spending. The study reports that Canadian organizations are finding it difficult to improve their security posture within the current economic climate – but the cost of ownership for hosted encryption services is a drop in the bucket for the millions that are spent on security.

stolen-laptopWith a 56-per-cent jump in occurrences of laptop or mobile hardware devices being stolen in Canada alone, encrypting files on laptops should be so obvious a solution!  File encryption is not a new technology – it’s an established technology. However, too many organization weigh security and convenience and land on the convenience side – not realizing how simple hosted encryption can be!