Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

MORE ON THE BLUE CROSS/BLUE SHIELD DATA BREACH

October 15, 2009

In a recent post, I discussed the massive Blue Cross/Blue Shield data breach, which elicited a thoughtful e-mail from Rob Rost. I was apparently less than clear in my post, because I agree with Rob that policies and technology must work together to secure data – neither alone will suffice. Thanks, Rob, for this thoughtful reply.

I have some comments about your blog post. I agree with everything that you wrote. However, I think that technology in isolation does not secure data. Technology, just like a poorly written policy, is susceptible to human frailty.

For example, Blue Cross Blue Shield may have deployed the following technologies to protect the laptop and the data stored on it:

1) The Blue Cross Blue Shield logo laser-engraved on the laptop cover. The goal of this technology is to deter the physical theft.

2) Phone-home software like Absolute (not the vodka company) Computrace. The goal of this technology is to protect the data by increasing the probability of recovering a stolen laptop.

3) Microsoft BitLocker encryption. Of course, the goal of this technology is to protect the data.

The above technologies can be circumvented by a thief if the employee does not follow a written policy (the employee may not follow the policy because he/she is not aware of it, it is not practical, or he/she chooses to ignore it). For example, the person can leave the laptop in his or her car while running errands. The person can also choose (if it is allowed by policy and technology) to use a simple password (or none at all), and consequently an easy-to-guess password. This increases the risk of a thief successfully guessing the employee’s password and gaining access to the unencrypted data (this is not an easy task, especially if the thief knows nothing about the employee. On the other hand, the success rate of the unauthorized user is higher if the “cached” credentials and last login are not required by policy to be deleted and removed, respectively).

I agree that there should be a log entry every time this confidential data is accessed or copied. However, as you know, each security technology, like the ones you are correctly proposing, has the potential (if not a guarantee) to make an existing procedure or task more inconvenient. For example, the security team at Blue Cross Blue Shield may have wanted to deploy BitLocker with a USB startup key. However, this extra technical requirement may have been deemed too inconvenient or cost prohibitive, so it couldn’t be included in any mobile device policy. In addition, it has been my experience that no employee (especially physicians) will accept any unnecessary inconveniences unless there is a policy that approves it; the assumption is that the policy has been signed by the CEO or another C-suite executive.

I suspect that BCBS is evaluating their policies to make sure they are not too lax in terms of security/privacy requirements. If so, I am sure they will update the policy to add new requirements (i.e., two-factor authentication to, and full-disk encryption of, laptops with ePHI), and this will translate to new technologies (e.g., IBM Thinkpad T400 with an integrated fingerprint reader and Sophos SafeGuard encryption software).

Bottom line: Protecting data requires a combination of policies, processes, people, and technology (with a dose of common sense). Unfortunately, as you indicated in your blog entry, human frailty is typically the weakest link in this matrix.

Keep up the great work.

Rob Rost, MA, CISSP, GCFA

I/T Security Consultant

P.S. You guessed correctly. I am one of those security folks who is now primarily focused on e-Discovery and forensics.
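The point of Rob's e-mail is that the policy and the technology have to be checked against each other. As an added example (not from the blog post or from Rob Rost's e-mail), the script below audits a single Windows laptop for the controls the e-mail names: BitLocker on the OS volume with a startup key or PIN protector, a recovery password on file, a cap on cached domain logons, and the last user name hidden at the logon screen. It assumes Windows 8 or later (for the Get-BitLockerVolume cmdlet), an elevated session, and a policy value of zero cached logons.

```powershell
# Added example: audit one laptop against the mobile device policy described above.
# Assumes Windows 8+ (Get-BitLockerVolume) and an elevated PowerShell session.
function Test-LaptopDataPolicy {
    [CmdletBinding()]
    param(
        [int]$MaxCachedLogons = 0,           # assumed policy value: no cached credentials
        [string]$OsDrive = $env:SystemDrive  # e.g. "C:"
    )
    $findings = @()

    # 1) Full-disk encryption: BitLocker must be actively protecting the OS volume
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is '$($vol.ProtectionStatus)' on $OsDrive; expected On."
    }

    # 2) Second factor at boot: a USB startup key (ExternalKey) or a TPM+PIN protector
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $bootFactor = @('ExternalKey', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    if (-not ($types | Where-Object { $bootFactor -contains $_ })) {
        $findings += "No startup key or PIN protector (protectors: $($types -join ', '))."
    }
    # A recovery password must exist (and be escrowed); only its presence is checked here
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "No recovery password protector; a lost startup key would mean lost data."
    }

    # 3) Cached domain credentials: limit how many logons Windows keeps offline
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent
    if ([int]$cached -gt $MaxCachedLogons) {
        $findings += "CachedLogonsCount is $cached; policy allows at most $MaxCachedLogons."
    }

    # 4) The last logged-on user name must not be shown at the logon screen
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $hideLast = (Get-ItemProperty -Path $policy -Name DontDisplayLastUserName `
                 -ErrorAction SilentlyContinue).DontDisplayLastUserName
    if ($hideLast -ne 1) {
        $findings += "DontDisplayLastUserName is not 1; the last user name is shown at logon."
    }

    # Return an object so an inventory job can collect results from many laptops
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-LaptopDataPolicy | Format-List
```

Each finding maps to one clause of the written policy, which is what lets an auditor show where the technology and the policy have drifted apart.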
