When Encryption Doesn't Help
GoUpstate.com, a regional news site for the Spartanburg, SC area, posted a story on May 27th, 2011 titled "Spartanburg Regional patients affected by computer breach" which reported that an employee of the Spartanburg Regional Healthcare System had a laptop computer system stolen out of the employee's car. The laptop computer had a file that contained "personal and medical billing information for an unknown number of patients."
This is an all-too-familiar laptop computer theft story, but there's one detail of the story that caught my interest. According to the news report:
"The information on the computer was in a password-protected file and included Social Security numbers as well as names, addresses, dates of birth and medical billing codes, according to the system."
The emphasis on "pas
1) We don't know anything about the thief
Given that the Spartanburg Regional Healthcare System has no actual evidence that the file was protected, and given that they don't know that the encryption was sufficient to thwart the attacker, it's no surprise that the folks at the Spartanburg Regional Healthcare System opted to take some positive action to protect the patients. In this case, they opted to pay for identity theft monitoring services for the affected patients. They did not try to make any claims that there was no risk to the patients because the encryption protected the patient data and therefore spending the money on identity theft protection is unnecessary.
To even have a hope of making such claims, it seems to me you'd need to prove that the work needed to break through the encryption would cost more than the potential value of the data being protected. Tough to do considering the subjective nature of valuing patient personal information. How much is a name/SSN worth? You'd also have to have actual evidence that the encryption was in place and working at the time of the theft. For example, you'd want something like an audit report from a recent configuration scan.
But suppose the employee had military grade encryption on the file and suppose the folks at Spartanburg Regional Healthcare System could prove it. Do you think that would have been enough to save them the cost of identity theft monitoring? Maybe, but I doubt it. In a situation like this, the organization has a powerful incentive/need to reaffirm the relationship with the patients, to show them that they really do take the confidentiality of patient records seriously. So the identity theft monitoring service is a natural choice.
I'm not arguing against encryption on the laptop computer. Even the weakest, most basic password protection could help prevent the lost data from being exploited as time goes by. But the encryption is not going to help mitigate the costs incurred in the immediate aftermath of the breach.
The best way to prevent situations like this continues to be a concerted effort to keep the sensitive data off the laptop in the first place. A valid mantra in this case is "Sensitive data on a laptop computer is an indicator of a broken business process." An employee should NEVER have a business need to keep sensitive information on a laptop computer. If he or she does, the business process needs to be fixed.
Given situations like this, it's surprising that we spend far less time talking about how to detect and register the presence of sensitive information on a laptop computer than we spend talking about encryption on laptop computers.
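The closing point, that detecting and registering sensitive data on laptops deserves at least as much attention as encrypting it, can be made concrete with a small scanner. The following is an added example, not code from the original post or from Spartanburg Regional Healthcare System. It walks a directory, looks for structurally plausible US Social Security numbers in text-like files (applying the SSA's rule that area 000, 666 and 900-999, group 00 and serial 0000 are never issued), and records only the file path, a SHA-256 of the file and the hit count, so the inventory itself holds no SSNs. The sample files it scans are constructed inline for the demonstration.

```python
"""Inventory files on a machine that appear to contain US SSNs.

Added example, not from the original post. SSN structural rules follow the
SSA's published constraints; the sample directory tree is constructed inline.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# 123-45-6789, 123 45 6789 or 123456789, not embedded in a longer digit run.
# The unseparated form raises false positives (account numbers etc.), which
# is why every hit is also checked against the SSA's structural rules.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Only these are decoded as text; binaries such as images are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml", ".html"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the distinct, structurally plausible SSN values found in text."""
    found = set()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.add("-".join(m.groups()))
    return sorted(found)


@dataclass
class Finding:
    path: str       # where the sensitive file was found
    sha256: str     # identifies the exact file version for a later audit
    ssn_count: int  # number of distinct plausible SSNs (values are not kept)


def scan_tree(root: Path, max_bytes: int = 50_000_000) -> list[Finding]:
    """Walk root and record every text-like file holding plausible SSNs."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > max_bytes:  # skip huge files; log separately
            continue
        data = path.read_bytes()
        ssns = find_ssns(data.decode("utf-8", errors="replace"))
        if ssns:
            findings.append(
                Finding(str(path), hashlib.sha256(data).hexdigest(), len(ssns))
            )
    return findings


def demo() -> list[Finding]:
    """Build a constructed sample tree (hypothetical data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "billing_export.csv").write_text(
            "name,ssn,dob,code\n"
            "J. Doe,123-45-6789,1970-01-01,99213\n"
            "A. Roe,487-65-4321,1982-03-04,99214\n"
            "Bad,000-12-3456,1990-01-01,99215\n"    # area 000: never issued
            "Dup,123-45-6789,1970-01-01,99213\n"    # duplicate, counted once
        )
        # Phone numbers and dates must not be reported.
        (root / "notes.txt").write_text(
            "Call 864-555-0100 about the invoice dated 2011-05-27.\n"
        )
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff not text")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.ssn_count:4d} SSN(s)  {f.sha256[:12]}  {f.path}")
```

Run it on a laptop's user profile instead of the demo tree to produce the register the post asks for; the hash and count give an auditor evidence of what was present without copying the SSNs into yet another file.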