From the Canyon Edge -- :-Dustin

Monday, August 13, 2012

Data encryption -- Why? Some numbers...

At last weekend's Texas Linux Fest, at the end of my presentation, Data Security and Privacy in the Cloud, an attendee asked a great question.  I'll paraphrase...
So...  What's the actual threat model?  Why are you insisting that people encrypt their data in the cloud?  Where's the risk?  When might unencrypted data get compromised?  Who is accessing that data?
A couple of weeks ago, an article from ComputerWorld made the front page of Slashdot:

'Wall of Shame' exposes 21M medical record breaches New rules under the Health Information Technology for Economic and Clinical Health Act, By August 7, 2012 06:00 AM ET

Here's a few absolutely astounding numbers from that article, which were pulled from the US Department of Health and Human Services Health Information Privacy website by the author of that article.

Since the data is publicly available, I was able to download and import all of these into a spreadsheet and run some numbers and verify ComputerWorld's article.  I can confirm that the Mr. Mearian's numbers are quite accurate, and just as scary.  Since September 2009:

  • 21+ million people have had their health care records exposed
  • 480 breaches have been reported

The top 6 breaches all affected more than 1 million individuals:

  • 4.9 million records: TRICARE Management Activity, the US Department of Defense's health care program, exposed 4.9 million health care records when backup tapes went missing
  • 1.9 million records: Health Net lost 1.9 million records when backup hard drives went missing
  • 1.7 million records: New York City Health & Hospital's Corporation's North Bronx Health Care Network reported the theft of 1.7 million records
  • 1.22 million records: AvMed Health Plans reported the loss of a laptop with 1.22 million patient records
  • 1.02 million records: Blue Cross Blue Shield of Tennessee exposed 1.02 million records with the loss of an external hard drive
  • 1.05 million records: Nemours Foundation (runs children's hospitals) lost 1.05 million records with missing backup tapes

Such breaches are very costly, too.

  • $4.3 million: Cignet Health of Prince George's County civil lawsuit penalty
  • $1.5 million: Blue Cross Blue Shield of Tennessee penalties
    • have since encrypted all of their hard drives, 885TB of data
  • $1.7 million: Alaska Department of Health penalty
    • due to theft of a thumb drive, stolen from an employee's car

Running a few more reports on the public CSV data,

  • Across 480 reported breaches, these were the top reasons given for the incident:
    • 55%: Theft of devices or physical media
      • 26%: Hacking/Unauthorized access
      • 12%: Lost devices, disks, tapes, drives, media
      • 5%: Improper disposal of devices
      • 3%: Other

    The most disappointing part, to me, is that 72% of those breaches stemming from theft, lost devices, and improper disposal -- a total of 15.6 million individual's health records. This means that the vast majority of these compromises are easily preventable, through the use of comprehensive data encryption. And I'd argue that many of the remaining 28% of the breaches attributed to hacking, unauthorized access, and other disclosures could also be thwarted, slowed, or deterred by coupling encryption with advanced key management, access controls, and regular auditing.

    So here I am, writing the same thing I've been writing in this blog for 4 years now...
    1. Encrypt your data.
    2. Help your colleagues, friends, and families encrypt their data.
    3. Insist that your employers institute thorough security policies around encryption.
    4. Ask hard questions of your health care providers and financial services professionals, about the privacy of the data of yours they have. Hold them accountable.
    There's a wide range of tools available, from free/open source, to paid commercial offerings. On the free/open source side, I'm a proponent, author, and maintainer of both eCryptfs and overlayroot (which uses dmcrypt). These can help protect your home directory and your private data in cloud instances.

    And from the commercial side, my employer, Gazzang, sells an enterprise-class encryption product called zNcrypt, and I've architected Gazzang's cloud-compatible key management system, zTrustee. I have no doubt that the combination of these two technologies -- comprehensive data encryption and a robust key management solution -- could have prevented the compromise of millions of these records.