Wednesday, September 1, 2010

Data security breaches often triggered by carelessness

Often the biggest threat to your practice and patient data is not an outside hacker or a snooping employee -- it's somebody's forgetfulness.

As technology becomes smaller and more portable, it becomes easier to lose. Surveys from a data protection solutions company in 2009 found that in a six-month period, 12,500 mobile devices were left in taxis, and 4,500 USB memory sticks were left in pockets of pants sent to dry cleaners.

Most people -- including those in the security business -- are not protecting the data on their mobile devices. So if the device is lost, the data could be accessed.

"I'm always surprised at the cowboy attitude," said Harry Rhodes, director of practice leadership for the American Health Information Management Assn. "You've got these people who think, 'What are the odds of that happening to me?' And then when it's happening to you, it's too late to do anything."

Just having your phone drop out of your pocket could launch a time-consuming and expensive nightmare of reconstructing data and adhering to fixes mandated under the Health Insurance Portability and Accountability Act.

Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.

So how do you protect yourself from an accidental loss of a device containing sensitive data? Experts recommend two strategies. One is to find a way to handle or store your mobile technology so you can't lose it easily. The other is to make sure the device has security and encryption features that make it next to impossible to access by anyone who happens to find it.

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, said he has seen a recent increase of health information breaches because of the use of mobile devices. Privacy Rights, a San Diego-based consumer advocacy group focused on educating the public on how technology impacts privacy, is developing a database of all known data breaches in the United States to analyze how each breach occurred, Stephens said.

Credant Technologies, a Dallas-based data protection solutions company, noted in a 2008 survey that although more than a third of health care professionals store patient data on laptops, smartphones and USB memory sticks, most do not adequately secure the data.

Sean Glynn, vice president of product marketing at Credant, said the company surveyed smartphone users at a commuter train stop in 2009. When asked if the data on their phones were encrypted, few said yes. When the same survey was conducted among data security professionals at a trade show, the results were nearly identical.

Credant also performed the studies about mobile devices left in taxis and at dry cleaners. Those covered all devices, not just those owned by health care professionals.

People "might well protect their traditional desktop or laptop PC, but they are always buying these [portable] devices and bringing them in as their own personal devices," Glynn said.

Encrypting the data can eliminate the HIPAA obligation to notify patients of a lost device, under a provision that allows an exception if the data cannot be accessed. But in most cases, encryption is not being done.

The Healthcare Information and Management Systems Society, in a survey released in November 2009, found that despite the strengthening of HIPAA regulations, health care organizations have made relatively few changes to their security policies and procedures. For example, only 39% reported using mobile device encryption.

Rhodes likened people's attitudes towards data security to those of home security systems -- no one thinks it's necessary until something happens.

The Veterans Health Administration, for instance, now requires encryption of all mobile devices and has banned the use of thumb drives after the theft of one from an employee's home in 2006. Rhodes has seen other organizations block USB ports on desktop computers with a plug-in device or a super glue product, preventing data from being exported onto a thumb or flash drive.

He said there also are software packages that can be downloaded onto PDAs or smartphones that allow the users, in the event the device is lost or stolen, to call a phone number that automatically will erase everything from the device. There also are downloadable GPS systems that can help locate a lost device.

Smartphone and thumb-drive users also should use password protection on the devices, experts said. Use of a password to enter the system is just an additional line of defense that should be coupled with encryption -- the most effective means of protection available, they said.

Rhodes said mobile devices often are lost when people are traveling, so simply being more vigilant and aware in places like an airport can help prevent many cases of data loss. For instance, sometimes people set down a laptop bag while flagging a taxi. A thief can run by, grab the bag, then throw it into a waiting car that speeds off. "Always keep the bags on your shoulder," he said.

Laptops also can disappear from security belts at airports, he said, not necessarily from theft but because many computer cases look alike. Experts suggest attaching a business card to the outside of the case.

Another line of defense is to limit the amount of data on a mobile device.

For example, Stephens of Privacy Rights Clearinghouse said he has seen cases of employees who carry an entire company database around with them. One momentary lapse of good judgment, he said, could become an expensive teaching moment.

http://www.ama-assn.org/amednews/2010/02/22/bil20222.htm

Smudge Attacks

A recent paper from the University of Pennsylvania examined the issue of "smudge attacks" - a decidedly low tech security weakness with touchscreen cellphones - particularly Android phones.

Android phones feature a pattern lock screen, where instead of a PIN or password, a user traces a preset pattern to unlock their phone. However, the researchers were able to bypass the lock screen by simply taking photos of the phone (with the screen off) under a light, and then adjusting the photo in an image editing program to show finger smudges which revealed the pattern to unlock the lock screen.

The researchers found that even when a phone was wiped using clothing after entering the lock pattern, almost all of the smudge pattern remained.

This has implications for non-Android phone users as well. Consider the iPhone - if smudges are left in areas where there is frequent contact, there are likely to be smudges over the numbers used when entering an iPhone's PIN. And given that the iPhone PIN length is known (it's always four numbers), it wouldn't take very long to guess the correct number combination once you know the numbers involved.

Gaining access to phones, particularly corporate and government phones, is a security weakness. An unauthorized user could look up the owner's contacts - which could reveal information about a company's clients, for example. An unlocked phone could also be used in social engineering attacks. An attacker could use the phone to send a text message to a colleague of the owner claiming to have forgotten a passcode or something.

Solutions to the issue could be as simple as tracing an incorrect pattern each time after unlocking the phone to create other smudge patterns to confuse or obfuscate the unlock pattern. Frequently changing password patterns could also reduce the issue. And finally, choosing more secure lock patterns can also reduce the likelihood of smudge attacks. For example, an open-ended pattern, such as an L shape, would only have two possible combinations - upper left corner down to lower right corner or vice versa. But a pattern with intersecting lines and closed shapes (such as squares) can make it much more difficult to tell the start and end points of the pattern, as well as the direction of the pattern.

Over the summer, a friend and I took a lot of trips in his car. He owns a Motorola Droid, which we used as a GPS as well. Frequently, I had to unlock the phone's screen for him, and I was able to successfully guess his password using smudge marks simply by holding the phone up so the sun reflected off the screen - and revealed the smudge marks in the unlock pattern. So a smudge attack doesn't even require the photography equipment used by the researchers in the above paper.
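To put a number on how little a four-digit PIN protects once smudges reveal which keys are used, the following added example (not part of the original post or the paper) counts the PINs that remain. It goes slightly beyond the post by also covering repeated digits and a six-digit PIN, which is an assumption for comparison; the function names are illustrative.

```python
from itertools import product
from math import comb


def pins_using_exactly(k, length=4):
    """Number of `length`-digit PINs that use each of k known digits at least
    once and no other digit (inclusion-exclusion over the omitted digits)."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def brute_force_count(k, length=4):
    """Cross-check by enumeration: PINs over digits 0..k-1 that use all k."""
    digits = range(k)
    return sum(1 for p in product(digits, repeat=length) if set(p) == set(digits))


def remaining_fraction(k, length=4):
    """Share of the full 10**length PIN space left once the digits are known."""
    return pins_using_exactly(k, length) / 10 ** length


if __name__ == "__main__":
    for length in (4, 6):
        for k in range(1, length + 1):
            n = pins_using_exactly(k, length)
            # The closed form must agree with plain enumeration.
            assert n == brute_force_count(k, length)
            print(f"{length}-digit PIN, {k} smudged digits: {n} candidates "
                  f"({remaining_fraction(k, length):.4%} of all PINs)")
```

A PIN that repeats one digit leaves slightly more candidates than one with four distinct digits, but both are tiny next to the 10,000 possible PINs, which is why a longer passcode and a limit on failed attempts matter more than the choice of digits.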

In The Future, Not Even A Name Change Will Protect Your Past

In an article written about 2 weeks ago, Google CEO Eric Schmidt was quoted as saying, "I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time." The article is citing an interview the Wall Street Journal had with Schmidt, which eventually led to Schmidt declaring that "every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends' social media sites."

Is this truly the future of search on the internet? The article, written by Jason Kincaid for TechCrunch, says even changing our names would be pointless, citing the possibility that an entire industry would emerge just to help companies or our prospective employers of the future find out our original names. But then anyone could access that service.

Possibly rendering this extra industry inert is the fact that Google can now recognize an individual with only fourteen photos. And this is present day. My question is, how will our practices regarding personal (or embarrassing...) information that we put on the internet come back to haunt us? This information isn't private, and it won't be able to be made private in the future.

We won't even be able to hide from our past by changing our names, according to this article, given the permanence of social media information. So what happens when you slip up and there's a picture with you in your car with the license plates visible? When there's a picture of you at the gas station holding your debit card? Or when a friend posts "Happy birthday!" on your wall even when you don't have that information available to the public (it's just a good friend that happens to know your birthday)? It's a little scary to think about the fact that piece by piece we are constructing shrines for ourselves... these memorials of who we were that offer too much information, possibly, about who we are to people we don't want knowing about us.

Essentially, given the permanence of social media, we should be careful we aren't giving up personal information in those embarrassing pictures or letting those dated "happy birthday" posts remain up on our walls...

USB Drive responsible for '08 Military Network Breach

Since 2008, the United States military has banned the use of USB drives. It has caused great speculation as to why, but at the time the military prohibited these devices, the Pentagon said the decision to ban USB drives was related to concerns about a malware program called Agent.btz. However, on August 25, 2010, U.S. Deputy Defense Secretary William Lynn confirmed that a data breach in the U.S. defense network in 2008 was in fact the real reason the military prohibits the use of USB drives.

Lynn explained that a USB drive carrying malicious code was inserted into a laptop computer at a United States military base in the Middle East by a foreign intelligence agency in 2008. The malware was uploaded and began spreading to classified and unclassified material. According to Lynn, as the program continued to spread silently through the network, it set up a “digital beachhead”. This means that the data obtained by the program could be transferred to foreign intelligence agencies’ servers. While Lynn refused to answer questions surrounding any stolen data, he described the network infiltration as the “most significant breach of U.S. military computers ever”.

Besides responding to the event by banning the use of USB drives, the Pentagon also took action by creating a mission designed to prevent such instances from occurring in U.S. military networks again: “Operation Buckshot Yankee”. The operation attempts to "purge" infected systems of malware in order to create more security.

Due to the military’s large amount of extremely confidential information, I believe the necessary measures were taken in order to create a more secure network. If the problem stemmed from the use of a USB drive, then bolstering the network security must begin there. Consequently, the military happened to take those measures by banning USB devices. Lynn explained that the big issue wasn’t the security breach, but the chance that information was at risk of being leaked. Besides prohibiting USB drives, I believe it was necessary to launch a campaign similar to “Operation Buckshot Yankee” that continually checks for security threats within a computer network to protect important documents.

http://www.computerworld.com/s/article/9181939/Infected_USB_drive_blamed_for_08_military_cyber_breach?taxonomyId=82

Rubrics

As I mentioned in class yesterday, I will be using rubrics to grade both your written assignments and your case study presentations. In order to help you understand how I will arrive at your grades, I wanted to share these with you in advance:

Security Breach of Apple's iPad

All eyes were on Apple last April during the much anticipated release of their new tablet computer, the iPad. This device, which has capabilities for email, movies, music, internet, photos, online books, maps, and much more, enjoyed great initial success, with 300,000 sold in just the first day. Unfortunately, excitement for the iPad dimmed just a few months later when it was discovered on June 9, 2010 that a glitch in an AT&T website could have led to the disclosure of personal information belonging to about 114,000 iPad owners.


This glitch was found by a group called Goatse Security, who discovered that through a certain script on the AT&T website, they could enter the number that identifies someone’s iPad on the AT&T network and in turn receive the person’s email address. The members of this group could be classified as grey hat hackers because although they purposely tried to get information that they were not authorized to have, they seemed to be doing it for the right reasons. They notified AT&T so that the problem could be fixed and released their finding to the public, so that users would be aware that their information was compromised. Unfortunately, while Goatse Security felt that they were doing a service to the public, AT&T didn’t see it quite the same way, calling them “unauthorized computer ‘hackers’ that maliciously exploited” the website.


Part of the reason why this weakness in the AT&T website is such a big deal is because of the people it involved. Since the cost of the standard iPad is $499, it is not a product that the majority of middle class people own. It is not surprising that many of the iPad owners whose information was compromised are famous and well known. Some of the most recognizable names on the list are Chief of Staff Rahm Emanuel and ABC News’s Diane Sawyer. This glitch is also important because it involves two big name companies: AT&T and Apple. While the fault seems to lie with AT&T since the problem was with their website, Apple also has responsibility because they need to be sure to protect the information that they collect from users of their product.


AT&T has since repaired this glitch in their website, but the full extent of the damage of this breach is unknown. It is impossible to tell how many users’ data was compromised and if it was accessed by anyone other than Goatse Security. If possible, I think the best way to handle this other than fixing the website is to assign new identification numbers to the users. AT&T has stated that users “can continue to use [their] AT&T 3G service on [their] iPad with confidence.”


I think the main cause of this incident was an oversight by AT&T and maybe a sense of complacency about security on Apple’s part. I think that AT&T needs to better monitor their websites for potential security threats, but Apple also needs to follow through and make sure that anyone to whom they give customer information is properly protecting it. It will be interesting to see how the relationship between these two companies is affected by this security breach. Ideally they will join together to prevent such a breach of security from happening again and gain back the trust of their customers.



http://www.usatoday.com/money/industries/technology/2010-04-04-apple-ipad-sales_N.htm

http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed

http://bits.blogs.nytimes.com/2010/06/13/att-explains-ipad-security-breach/

Protecting your Daily In-Home Activity Information from a Wireless Snooping Attack

Because of a side channel attack known as the FATS (Fingerprint and Timing-Based Snooping) attack, a snooper could detect, with undeniable accuracy, the private actions occurring in a home, residential environment, or assisted living community. All a snooper would need are the timestamp and the wireless fingerprint from a wireless sensor. This information is available even on a sensor that is encrypted. The multi-tier nature of this attack can lead to predictions about the number of people in a home and, ultimately, the length of time cooking or showering. Luckily, there are ways to protect against this gross invasion of privacy.

In Tier 0 of the attack the snooper only has access to the timestamps, and as a result only general activities such as occupancy or sleeping can be detected. Tier I is the stage in which the adversary has access to the fingerprints and can get more specific in their detection. By using sensors from various rooms, the snoop can find out how many occupants the home has. Starting in Tier III the adversary can begin to detect how many times each resident visits the bathroom or the kitchen. It can even be focused to recognize differences in actions like cooking different types of food, showering or grooming. By testing the technology on houses of various layouts and numbers of occupants, the researchers can be confident in the accuracy of the tests. While the accuracy of the predictions for multiple occupant homes declines, it is still well above the statistics of random guessing. By believing that encryption was all that was necessary to protect the privacy of homes, systems have been left open to attacks of this sort. Luckily, there are ways to protect systems from a FATS attack.

There are various guidelines that can help to enhance privacy in wireless sensor systems such as these. First, signal attenuators can be placed in rooms to mask the activity in these rooms. Next, random delay in transmissions, especially in places like the bathroom where there are short visits, can mask these actions. In rooms where durations of stay are longer, however, periodic transmission of signals can keep activities more secret. The fourth way of protecting is fingerprint masking. This is a system that should be used in areas where the other guidelines are implausible or unacceptable because of the types of sensors. The final guideline is spurious or fake transmissions. These should be combined with real transmissions in sensors that can afford the high-energy cost from the transmissions. In reality, however, the best protection would be a combination of these guidelines.

There is no way to say what a person should do if they are victim of such an attack. While the loss of privacy from such a snooper would be uncomfortable and even costly for a company, there is no way to truly recover information that might have been lost in such a situation. I believe that the way to proceed after a FATS attack would be to employ the guidelines for protection from above and hope that such an attack does not happen in the future.


http://delivery.acm.org/10.1145/1410000/1409663/p202-srinivasan.pdf?key1=1409663&key2=1507033821&coll=GUIDE&dl=GUIDE&CFID=100069271&CFTOKEN=58748340
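The timing leak and two of the guidelines above can be seen in a small simulation. This is an added example, not code from the post or the cited paper: a simplified model of the Tier 0 view (timestamps only), with a constructed activity schedule and illustrative function names and thresholds. It shows that random delay alone does not hide long absences, while periodic transmission does.

```python
import random

DAY = 24 * 60  # minutes in a day

# Constructed sample (not real data): minutes when a motion sensor fires.
# Occupant is active 07:00-08:30 and 18:00-23:00, otherwise away or asleep.
ACTIVE = [(7 * 60, 8 * 60 + 30), (18 * 60, 23 * 60)]


def sensor_events(active=ACTIVE, step=3):
    """Minutes at which the sensor detects motion (one event every `step` min)."""
    return [t for start, end in active for t in range(start, end, step)]


def event_driven(events):
    """Unprotected sensor: one encrypted packet per event, sent immediately."""
    return sorted(events)


def random_delay(events, max_delay=20, seed=1):
    """Each packet is held back by a random 0..max_delay minutes."""
    rng = random.Random(seed)
    return sorted(t + rng.randint(0, max_delay) for t in events)


def periodic(events, period=15):
    """Buffer events and send one fixed-size report every `period` minutes,
    whether or not anything happened, so send times are independent of events."""
    return list(range(0, DAY, period))


def quiet_periods(tx_times, min_gap=120):
    """Timestamp-only inference: silences of at least `min_gap` minutes,
    which an observer would read as 'asleep or away'."""
    gaps = [(a, b) for a, b in zip(tx_times, tx_times[1:]) if b - a >= min_gap]
    # The silence from the last packet of the day to the first of the next.
    if tx_times and tx_times[0] + DAY - tx_times[-1] >= min_gap:
        gaps.append((tx_times[-1], tx_times[0] + DAY))
    return gaps


def hhmm(minute):
    """Format a minute offset as HH:MM, wrapping past midnight."""
    return f"{minute % DAY // 60:02d}:{minute % 60:02d}"


if __name__ == "__main__":
    events = sensor_events()
    for name, tx in [("event-driven", event_driven(events)),
                     ("random delay", random_delay(events)),
                     ("periodic", periodic(events))]:
        found = [f"{hhmm(a)}-{hhmm(b)}" for a, b in quiet_periods(tx)]
        print(f"{name:13s} {len(tx):4d} packets, quiet periods: {found or 'none'}")
```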