Is Disk Encryption Effective When A Trusted Employee Is Involved In The Crime?.

I’ve read today an article where Joseph Harris, a former manager of the San Jose Medical Group, was sentenced to 21 months in prison.  He also has to pay $145,154 in restitution and will be under supervision for three years after his release.  His crime?  Stealing computer equipment from the branch he was working at and selling it on Craigslist.  The FBI got involved because one of the stolen computers had a DVD disk with patient information in it.


The bad news is that 187,000 patients could have been affected by this.  The good news is that Harris made sure that nothing was in the DVD tray before selling his ill-gotten goods: FBI agents later found the disk in Harris’s car, although he initially denied knowledge of it.


In retrospect, it’s not hard to see why the FBI zeroed in on Harris, although I’m sure it must have taken a lot of investigative work to sort out suspects.  There were six burglaries into the San Jose Medical Group offices after Harris had resigned.  Prior to working with the Bay Area medical care company, he had worked at the Silicon Valley Children’s Fund but was fired for conducting personal business on company time—including the selling of computers on Craiglist.  A burglary followed his dismissal and two computers were stolen for the Children’s Fund offices.  Did the FBI detect a pattern?


There is no mention of what Harris’s day-to-day activities were, but let’s assume for the moment that he was a mid-level manager at the healthcare company, and for some reason had access to patient data (or at least, some of it).  His position is that of trust, obviously.  Otherwise, why give him a position that gains him access to sensitive and confidential information, right?  If he’s the one stealing equipment and data, device encryption and data encryption would be useless, since he already has usernames and passwords for accessing the data, right?  Encryption is only a safeguard when something is stolen by an outsider!


Well, not exactly.


With a service like AlertBoot, the status of the user profile—i.e., who gets to access what, and when—is easily managed.  In the case of Harris, since all the burglaries happened after he was no longer employed by each company, disabling his account would have been one of the administrative functions associated with his dismissal or resignation.  After all, his keys to offices, company IDs, and parking pass would have been confiscated with his leaving of company premises, not to mention disabling his phone extension, e-mail account, etc.  If AlertBoot had been installed in the company computers, disabling his access to computers would have been part of the above process.


And the process is straightforward and simple.  One literally finds a name and checks off a box to disable him.  Presto!  His username and password will no longer work—no need to find all the computers he was once given access to, and disabling his access to the machines one-by-one.  Subsequent burglaries would mean that sensitive data would still be secure, even if the computer ends up on Craigslist or Ebay.  And there’s no fear of the information being reconstituted since the contents are encrypted.


If the past five years have shown anything, it’s that data breaches can come from anywhere, internal and external sources.  Care must be taken to implement security measures that will be easy to implement and maintain.

Comments (0)

Let us know what you think