Disk Encryption Software: Texas HHS Uses It, Still Has Breach.

When is hard disk encryption software not encryption software?  When it “turns out to be not active.”  In AlertBoot, those words don’t really mean anything — due to its on-line management console, the excuse that “we found it wasn’t active” doesn’t hold water.

Over 1,700 Affected

According to phiprivacy.net, the Texas Department of Health and Human Services (HHS) has alerted nearly 1,700 people that a stolen laptop has led to the breach of names, dates of birth, and health information.  Social Security numbers were not included.

The laptop was stolen from a car belonging to a nurse.  Now, before the accusations of incompetence start flying around, it should be noted that there was a reason the nurse had a laptop: “The information was used to help conduct reviews of hospitals and nursing facilities that accept Medicaid.”

Needless to say, the information revolution is not affecting only businesses.  If there is technology out there that will make the government operate more efficiently, it makes sense that they’ll use it.  Of course, it also requires the use of proper data security tools like encryption software.  It turns out that the Texas HHS was not unaware of this: they had used laptop encryption.  And then…

During a review of the incident, agency officials discovered in late August that encryption software was not active on the laptop. The agency then began the process of recreating the information on the stolen computer so it could notify the individuals whose information may have been released without their consent. [phiprivacy.net]

Oops.  It must be annoying (to say the least) to find that you’re actually not as well protected as you thought you were.

Encryption Enterprise-Wide is About Management

They say that biology is really about chemistry.  In turn, chemistry is about physics, which in turn is about math.  When you delve deep into a certain area, you soon realize that there is something else there.  Such is the case with encryption.

When you’re dealing with hundreds of laptops (or more), the management of these devices rears its head as a significant factor when selecting an encryption solution.

Your search for encryption soon turns into a search for an encryption solution with key management:  Not only does it spare your sanity when deploying encryption, it allows you to quickly and easily pin-point where you’ve failed in protecting a particular endpoint.  For example, take a good, free encryption program like TrueCrypt.  Despite its strength and price (can’t beat free!), companies with, say, more than 50 computers or so would find it a little unwieldy.  To begin with, each computer must be encrypted individually: as far as I know, there’s no way to “push” the encryption installation from a central command post.

Second, the encryption keys have to be tracked and paired correctly.  This is important in case something happens to the disk (e.g., it crashes) and you need to gain access to your encrypted data in some other way than the normal “turn on the computer and type in a password” mode.  Without the correct key, you’ll never be able to recover the information.  With 50 computers or more, you really want to make sure things don’t get mixed up.  A solution that has key-management built-in eliminates many hassles and inefficiencies.

An added benefit to using a centrally-managed encryption solution is that you’re able to track which computers have problems when it comes to properly deploying the software.  In AlertBoot’s cloud-enabled encryption, key management, status report generation, and encryption status management are intricately tied together to the point that you can’t have the one without the other two.

If the report shows that a computer is not encrypted, it’s not encrypted.  None of that “we thought it was encrypted” business.
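
The kind of reconciliation described above (asset inventory against encryption status against recovery-key records) can be sketched in a few lines. This is an added example, not AlertBoot's code or report format; the hostnames, key IDs, states and field names are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data: hostnames, key IDs, states and field names are
# hypothetical and do not come from any real product's report format.
INVENTORY = ["LT-001", "LT-002", "LT-003", "LT-004", "LT-005"]
STATUS_REPORT = {
    "LT-001": {"state": "encrypted", "last_seen": "2024-08-30"},
    "LT-002": {"state": "installed_not_active", "last_seen": "2024-08-29"},
    "LT-003": {"state": "encrypted", "last_seen": "2024-05-02"},
    "LT-004": {"state": "encrypted", "last_seen": "2024-08-30"},
}  # LT-005 has never reported its status
KEY_ESCROW = {"LT-001": "K-1A", "LT-002": "K-2B", "LT-003": "K-3C", "LT-004": "K-3C"}


def audit(inventory, status, escrow, today, max_age_days=30):
    """Return {host: [findings]} for every laptop that cannot be shown to be protected."""
    key_use = Counter(escrow.values())  # how many hosts each recovery key is paired with
    findings = {}
    for host in inventory:
        problems = []
        report = status.get(host)
        if report is None:
            problems.append("no status report")
        else:
            if report["state"] != "encrypted":
                problems.append("encryption not active: " + report["state"])
            age = (today - date.fromisoformat(report["last_seen"])).days
            if age > max_age_days:
                problems.append(f"status is {age} days old")
        key_id = escrow.get(host)
        if key_id is None:
            problems.append("no recovery key escrowed")
        elif key_use[key_id] > 1:
            problems.append("recovery key " + key_id + " paired with more than one host")
        if problems:
            findings[host] = problems
    return findings


if __name__ == "__main__":
    results = audit(INVENTORY, STATUS_REPORT, KEY_ESCROW, date(2024, 8, 31))
    for host, problems in results.items():
        print(host, "->", "; ".join(problems))
```

A laptop that is installed but not active, one that has gone silent, and one whose recovery key is mixed up with another machine's all surface in the same pass, before a theft forces the question.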
