At last weekend's Texas Linux Fest, at the end of my presentation, Data Security and Privacy in the Cloud, an attendee asked a great question. I'll paraphrase...
So... What's the actual threat model? Why are you insisting that people encrypt their data in the cloud? Where's the risk? When might unencrypted data get compromised? Who is accessing that data?A couple of weeks ago, an article from ComputerWorld made the front page of Slashdot:
'Wall of Shame' exposes 21M medical record breaches New rules under the Health Information Technology for Economic and Clinical Health Act, By Lucas Mearian, August 7, 2012 06:00 AM ETHere's a few absolutely astounding numbers from that article, which were pulled from the US Department of Health and Human Services Health Information Privacy website by the author of that article.
Since the data is publicly available, I was able to download and import all of these into a spreadsheet and run some numbers and verify ComputerWorld's article. I can confirm that the Mr. Mearian's numbers are quite accurate, and just as scary. Since September 2009:
- 21+ million people have had their health care records exposed
- 480 breaches have been reported
- 4.9 million records: TRICARE Management Activity, the US Department of Defense's health care program, exposed 4.9 million health care records when backup tapes went missing
- 1.9 million records: Health Net lost 1.9 million records when backup hard drives went missing
- 1.7 million records: New York City Health & Hospital's Corporation's North Bronx Health Care Network reported the theft of 1.7 million records
- 1.22 million records: AvMed Health Plans reported the loss of a laptop with 1.22 million patient records
- 1.02 million records: Blue Cross Blue Shield of Tennessee exposed 1.02 million records with the loss of an external hard drive
- 1.05 million records: Nemours Foundation (runs children's hospitals) lost 1.05 million records with missing backup tapes
- $4.3 million: Cignet Health of Prince George's County civil lawsuit penalty
- $1.5 million: Blue Cross Blue Shield of Tennessee penalties
- have since encrypted all of their hard drives, 885TB of data
- $1.7 million: Alaska Department of Health penalty
- due to theft of a thumb drive, stolen from an employee's car
Running a few more reports on the public CSV data,
- Across 480 reported breaches, these were the top reasons given for the incident:
- 55%: Theft of devices or physical media
- 26%: Hacking/Unauthorized access
- 12%: Lost devices, disks, tapes, drives, media
- 5%: Improper disposal of devices
- 3%: Other
- Encrypt your data.
- Help your colleagues, friends, and families encrypt their data.
- Insist that your employers institute thorough security policies around encryption.
- Ask hard questions of your health care providers and financial services professionals, about the privacy of the data of yours they have. Hold them accountable.