AlertBoot Endpoint Security

Data Encryption Software: Prey Tracking Software Software Turns You Into Predator

sang_lee — Fri, 10 Feb 2012 02:24:00 GMT

I've come across a suntimes.com review of a device tracking "spyware" called "Prey." Based on open-sourced software (and not without its controversy), it's a root-level software that will keep track of devices via the internet, assuming a connection is available. While I can see the benefits of such software, it's incompatible with disk encryption programs like AlertBoot for one simple reason: the thief cannot access your computer.

Good Encryption Prevents Access to Computer

The simple logic behind the incompatibility between encryption and tracking software lies in the fact that encryption software prevents a laptop thief from accessing the device. When the thief boots up the computer, he or she will be prompted for a password.

At this point, the computer is not turned "on" in the normal sense. Sure, power is being supplied to the computer, but under disk encryption software like AlertBoot, something called pre-boot authorization (PBA) -- which will take the user's password and check to make sure it's the right one -- is the only thing running. The computer's operating system lies dormant at this stage, and will only start up when the correct encryption password is provided.

Since the OS hasn't started yet, it means most if not all functions of the computer are dormant as well. This includes internet services, the same that Prey uses to figure out a device's location.

If you decide that you might want to use device tracking software, you have a choice to make: do you want to recover your device or do you want to protect your data? Assuming sensitive data is not stored on the computer, ever, you might want to give tracking software a second look. If you do store sensitive data on a computer, then encryption should take precedence.

After all, there is no guarantee that a computer will be recovered when device tracking software is used. Plus, only encryption provides protection from certain laws and regulations (assuming safe harbor is offered). And, even if you're able to recover your device, there's not guarantee that the thief has already accessed your data already.

This does not mean that Prey is "bad" software (although, I can't claim it's good software either: I've never used it). It just means that you've got to figure out what your priorities are, and act accordingly.

Cost Of A Lost Laptop: Accretive Health Loses Debt Collection License

sang_lee — Wed, 08 Feb 2012 22:38:00 GMT

Accretive Health, which was behind the patient data breach announcement by two hospitals in September 2011 has had their debt collection license temporarily suspended. The company admitted that it had failed to use data encryption on a laptop stolen in July 2011. Using encryption software like AlertBoot was company policy at the time of the breach.

I've covered Accretive Health here, here, and here.

Sued by AG

The Minnesota Attorney General has sued Accretive Health for "violating health privacy laws and state consumer protections," according to startribune.com. State AGs now have the power to pursue HIPAA violations, as we've seen before: for example, the Connecticut AG went after Health Net, as did the Arizona AG, when Health Net was involved in a breach affecting 1.9 million patients (ranked #3 in HIPAA breach history so far).

The MN AG took exception that a debt collector was in possession of PHI, protected health information:

Why should anyone other than a doctor have such basic and personal and intrusive information about a patient?'' [Minnesota Attorney General Lori] Swanson said at a news conference in her State Capitol office.

Her lawsuit, filed Thursday [January 19, 2012] in U.S. District Court, seeks an order requiring Accretive to inform Minnesota patients what information it has, how it has been used and where it has been sent.

"No corporation, especially a debt collector, should secretly slice and dice patients' medical statistics in such a way without ... full disclosure to patients,'' Swanson said. [startribune.com]

Furthermore, the AG charged that Accretive had concealed "from patients the extent of its involvement in their health care." It is alleged that Accretive "at times masked its true identity during collection calls and has not complied with all disclosure and registration requirements."

One thing that puzzles me: so far, neither of the hospitals that were involved in the data breach have been sued by the AG. If the ownership of patient data by debt collectors is outrageous, isn't it just as outrageous that medical organizations gave this information to the debt collector?

License Revoked by Commerce Department

The Minnesota AG's allegations have prompted the Commerce Department to conduct its own investigation. In the meantime, it has also revoked Accretive's collections license for 20 days, possibly longer, filed a cease-and-desist order, ordered the disclosure of debt collectors who've contacted Minnesotans, and ordered the company to turn all written documents used to collect debt in MN.

I had gone into the story thinking that all of the above -- the suit, the revocation of licenses -- stemmed from the fact that Accretive had failed to use laptop encryption, which seemed a bit excessive As it turns out, the issue goes well beyond HIPAA. At least, allegedly. I've known for a long time that the use of computer encryption can prevent a can of worms from opening, but this one takes the cake.

HIPAA/HITECH Data Breach Reports: Incidents Involving 500 Or Less To Be Reported By End Of February

sang_lee — Wed, 08 Feb 2012 11:57:00 GMT

The site jdsupra.com has a short but urgent observation that February is the month when all HIPAA covered-entities must report any incidents which involved 500 or less PHI data breaches. Again, a stark reminder that if you are a covered entity, it pays in the long run to use drive encryption software like AlertBoot.

More than 500 Affected

The "HITECH Interim Final Rule for Breach Notification for Unsecured Protected Health Information" stipulates that HIPAA covered entities must report a data breach to the Department of Health and Human Services without undue delay if it involves 500 or more people.

This requirement is exempted if the PHI data breach was nullified via the use of encryption software. While neither HIPAA nor HITECH codifies it directly, an entry in the Federal Register clarifies the situation (my emphasis):

...if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered ‘‘unsecured protected health information’’ as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals. On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals. [Federal Register Vol.74, No.162]

But what about incidents where encryption is not used and less than 500 people are affected?

Less than 500 Affected

If a data breach involves less than 500 patients, then it and any other similar instances can be consolidated into one report to be sent to the HHS at the "end of the year." The end of the year is a misnomer because it's really 60 calendar days after the new year has begun. In other words, by the end of February of each year, a covered entity must file a "data breach that affected 500 or less" report.

The report is done electronically from the hhs.gov site. Follow this link.

Data Encryption: Fricosu Case Offers New Problem. Defendant Doesn't Remember Password

sang_lee — Wed, 08 Feb 2012 02:51:00 GMT

I figured this would happen. I haven't mentioned it in my coverage of US v. Fricosu, but once the judgment was handed down that Ramona Fricosu must provide decrypted evidence, I wondered whether she would make the claim that she forgot the password. Such things happen quite often when it comes to data encryption software.

You see, the situation has been on-going since 2010. I don't know about readers of this blog, but in my experience, not typing a password in over one year tends to lead to "password amnesia." This is not the case if you only use one password, like I used to do in my younger days. In fact, I can still tell you what it was, over ten years later (but I won't).

But once you graduate to more secure practices and start using multiple passwords, your memory starts to get a little sketchy. At least, mine does.

In Contempt? Or Being Honest?

I've already blogged that I thought that the judge's decision in the Fricosu case was pretty straightforward. I still do; however, there are aspects to it that troubled me then, and still trouble me now, especially because of the above development.

The thing that always troubled me is: what if a person doesn't remember the password anymore? I've been thinking about this on and off since I found out about the UK's RIPA, the Regulation of Investigatory Powers Act. Under RIPA,

"...a suspect [is given] a time limit to supply encryption keys or make target data intelligible. Failure to comply is an offence under section 53 of the same Part of the Act and carries a sentence of up to two years imprisonment, and up to five years imprisonment in an investigation concerning national security."

To quote myself:

...what if you honestly don't remember the password? If you're in the habit of encrypting a design for the world's best toaster-oven because you're afraid of industrial espionage, and happen to forget the password to unlock it...should you go to jail for it?

That's assuming the government ends up believing your encrypted toaster-oven designs are actually, I don't know, terrorism-related information.

The decision surrounding this latest development will be (my apologies to Ms. Fricosu whose life must be a living hell right now) the really interesting question to answer. The decision to force Fricosu to provide decrypted data was pretty straightforward, I thought.

But this latest twist? The government doesn't have taped conversations revealing that Fricosu remembers the password, as far as I know. They can't prove that she doesn't remember it. Or that she does remember it, for that matter. I'm sure that forcing her to reveal the password, in an attempt to use it as a framework for generating other passwords, is a violation of the Fifth Amendment (the last ruling makes it abundantly clear that it would, and that's why she's not being forced to provide a password but decrypted information).

This is probably the worst post on which to push our managed disk encryption services from AlertBoot. And yet, I can't help but think that if someone out there is placed in the same situation and is being accused erroneously of a crime -- and the contents of the laptop will actually work to clear his name -- he'd probably think it's a godsend that he can have his AlertBoot encryption password reset after a quick confirmation of his identity.

Related Articles and Sites:
http://www.wired.com/threatlevel/2012/02/forgotten-password/

Drive Encryption: Department of Child Services in Hendricks County Laptops Stolen

sang_lee — Wed, 08 Feb 2012 01:41:00 GMT

According to wishtv.com, the Department of Child Services in Hendricks County (Indiana) reported the theft of multiple laptop computers with sensitive information over the weekend. However, they can be congratulated for stopping a full-blown data breach from occurring: laptop encryption software like AlertBoot was used to secure the data in the computers.

Department is a Block Away from Cops

Two TV projection screens and 10 laptops were stolen during the break-in. Even more audacious on the part of the thieves is the fact that Department of Child Services in Hendricks County is a block away from the Avon Police Department.

Due to the nature of the department's activities, it's not a stretch to assume that sensitive information must have been handled on the stolen laptops. However, encryption software was used to secure that information. This nearly guarantees that the laptops won't be accessed by the thief or thieves.

Encryption is Scrambling

WISH-TV Engineering Manager Tom Weber explained the concept of encryption like this: "Encryption is scrambling."

Well...yes. But it's a little more than that. If I may play off the word "scrambling," the use of encryption can be compared to the following:

Take an egg. Crack it and scramble it. Serve on a dish. Now, try to reconstitute the scrambled eggs into the original egg. This is what encryption is like.

The egg is your data. Scrambling is the encryption process. But, unlike the actual egg, you can actually reverse the scrambling process when it comes to data encryption. All you need is the encryption key, which is generally linked up to a password (to make it easier to remember). If a person were to try to force their way into the encrypted data, they'd find is as hard as trying to unscramble a plate of eggs Benedict.

No wonder, then, that those who require the safeguarding of sensitive data use encryption.

Full Disk Encryption: Stolen Univ. Of Miami USB Drive Affects 1200

sang_lee — Tue, 07 Feb 2012 06:34:00 GMT

The theft of a USB flash drive from a University of Miami doctor's vehicle has led to the breach of patient information affecting 1,219. Drive encryption like AlertBoot wasn't used to protect the patient data, apparently. As a result, the University of Miami is approaching patients with news of the event, per HIPAA/ HITECH requirements.

UM Posts FAQ

According to a frequently asked questions (FAQ) posted by UM, the car belonged to a Pathologist from the University of Miami Miller School of Medicine. The rear window was broken and a briefcase containing the USB drive was stolen.

Not that it should matter, but the profession helps to explain why the USB pendrive contained (my emphasis):

limited data elements of certain patients who had specimens reviewed by the department of Pathology between 2005 and 2011. This information included name, medical record number, age, sex, diagnosis and treatment information. No financial information or social security numbers were stored on the stolen drive.

Normally, six years worth of data on anything is a lot of data to be carrying willy nilly. For a pathologist, though, this could merely be chicken feed for a larger project tracking the spread of a particular disease through decades.

Which is all the more reason why this particular device ought to have been protected with encryption software: if the user knew that he or she'd be gallivanting around with years and years of data, all the more reason to have the data container encrypted.

HITECH Requires Notification

The University of Miami notes upfront in its breach notification letter that patients are being notified of the incident due to the US HITECH Act. HITECH contains an update to the decades-old HIPAA, the Breach Notification Rule.

This rule requires that breached medical entities (technically, HIPAA covered-entities) notify patients of any PHI data breach breaches, PHI standing for protected health information. Under the rules, nearly anything that can identify a patient is considered to be PHI, including names and addresses.

If more than 500 are affected, the breached entity (UM in this case) must take the breach public by notifying state media and/or making a posting on their website. The Department of Health and Human Services must also be alerted, who will eventually post the breach on their "Wall of Shame."

Patients must be notified regardless of how many are ultimately affected. They must be sent a letter, although contacting them via other methods is possible under certain conditions. One thing that I've noted, and which I think UM might have failed to comply with, is that patients must be notified within 60 calendar days of the breach's discovery.

Now, I know December and January have 31 days each, and the breach occurred on November 24. This means that, by any measure, UM has violated the Breach Notification Rule, unless (1) the media has gotten hold of this story one week after UM went public with it or (2) the breach discovered until much later than November 24.

My guess is that #2 is what UM was dealing with. Thanksgiving Day fell on that date, ironically enough. I can already picture it: pathologist comes back from the holidays, say, a week after, and finds the car window broken. Goes into panic mode. A day passes and the situation regarding the USB drive dawns on him or her, and gets in touch with the employer.

UM Already Encrypts Laptops

In the FAQ, the University of Miami noted that the establishment already uses encryption software to protect their portable medical computers. In other words, whole disk encryption.

One of the setbacks (the contra in "pros and cons") is that disk encryption protects the disk. People think it protects the data, but it doesn't. It protects the disk by encrypting the disk. And, because the disk is encrypted, any data saved to the disk is also protected.

Yes, it sounds like I'm splitting hairs, but there's a reason behind this pedantic madness. If I point out the above to you, you'll easily grasp and understand that data copied off of an encrypted disk is not protected anymore. Why? Because disk encryption protects the disk, not the data.

It's the reason why many encryption software vendors offer ways to protect what's going on with your computer's USB port. AlertBoot, for example, offers gratis the ability to encrypt USB devices automatically whenever they're plugged into an already-encrypted computer.

I'm certain UM could have used such a program (in hindsight).