It seems that folks can’t keep track of their stuff anymore, and easy access to data makes it even easier to lose the confidential stuff. Ottawa’s Montfort Hospital is the latest place to have confidential patient data go missing. Data breaches are becoming common, with Human Resources and Skills Development Canada losing data on nearly 600,000 student loans earlier this week.
The gut reaction of everyone is that someone, somewhere will find it, put two and two together, steal your identity, clean out your savings account, buy a big-screen TV and then sit on their ass, sending spam email under your name for the rest of time as we know it. With confidential data, the effects are even more chilling. Conceivably, the Montfort data loss could allow someone to publish the names and treatments of everyone on that drive. Would you be embarrassed if it became common knowledge that you were treated for recurring UTIs and IBS?
The reason confidential data is lost is dirt-simple: USB drives or keys that hold a lot of data are as common as lint in just about every office we’ve ever been in. Putting confidential data on a USB drive is about as easy as leaning back in your office chair. Walking out the door with the data is no harder than taking your car keys out of your coat pocket. This doesn’t mean that people are deliberately stealing data to resell to Kazakhstani identity thieves, it just means they’re being careless, forgetful or dumb, like most humans. Which is probably what happened to the Montfort Hospital data. The drive was lost in a snow bank somewhere when it fell out of a pocket.
The fix is almost too simple, which is why it hasn’t been done and why there are still serious data loss incidents. Since I’m a Microsoft guy, forgive me, but we’ll focus on that pathway, as it is the one we know best. There are alternatives for other platforms that do the same thing more or less.
It’s called BitLocker to Go and in Windows 7, it can be applied to any USB storage device that can be plugged into a computer. What it does is apply military-grade encryption to the data, so if you lose that drive, as long as you don’t have the password written on the back of it in Sharpie marker, the data is unreadable. Yes, all encryption can eventually be broken; nothing is forever, but BitLocker makes it mathematically unlikely that it can be broken in a reasonable amount of time.
Now, put a big, bold-face asterisk next to that statement. Most of it depends on the strength of your password. Having ‘password’ as your password is about as dumb as it gets. A complex password, using lower case, upper case, numbers and special characters, as well as spaces, can make things even tougher. Tougher as in 4032 years tougher. By the year 6045, we don’t care if you find out what my identity was, or if I was ever treated for athlete’s foot.
So how do you come up with a ‘strong’ password to protect your stuff? This site, from Symantec, is a secure password generator. For giggles, I generated one and this is it: sU!Ru@ac. It’s tough enough and almost impossible to guess, as it isn’t my favourite colour, my Mother’s maiden name, or some mishmash of birthdays, anniversaries and collar measurement. Is it easy to remember? Hell no.
Thereby hangs the problem: Humans are lazy. I can’t tell you the number of times I’ve found passwords under keyboards, or written on a pad of paper in an office. Most of us in IT have stories that will turn your hair white of critical passwords readily found in the clear.
There needs to be some process in place, with consequences for those who slide on the process. Users will copy files they ‘need’ to a USB key or drive and just as likely lose them. The only way to stop them is to break their hands, which tends to have Workplace Compensation Board implications in most offices. You tend to not get the best candidates for open positions, if part of the interview is the question “Do you mind having both your hands crippled by our Security Department as a condition of employment?”
BitLocker and BitLocker to Go can be enforced easily with Group Policy Objects. You can make it impossible for users to plug in their own USB drives or keys. One organization provides a specific brand and model of USB keys to their staff, with BitLocker to Go already on it, and makes it impossible for any other kind, brand or model of USB device to be usable, except the company-provided one. This fixes the human problem, at least a bit, by forcing those who insist on copying material off the network onto a USB key, to only use an ‘approved’ key already configured with encryption.
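A read-only check that the two Group Policy settings described above have actually reached a workstation. This is an added example, not code from the original post; it assumes the policies are stored at their usual client-side registry locations and that it is run from an elevated PowerShell prompt.

```powershell
# Added example: audit the local machine for removable-media policy.
# Reads the registry values that Group Policy writes; changes nothing.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-RemovableMediaPolicy {
    $fve  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $inst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

    $checks = @(
        # Unencrypted USB drives mount read-only until BitLocker is turned on.
        @{ Path = $fve;  Name = 'RDVDenyWriteAccess'
           Setting = 'Deny write access to removable drives not protected by BitLocker' },
        # Only hardware IDs on the allow list may install (the company-issued key).
        @{ Path = $inst; Name = 'AllowDeviceIDs'
           Setting = 'Allow installation of devices that match any of these device IDs' },
        # Everything not explicitly allowed is refused.
        @{ Path = $inst; Name = 'DenyUnspecified'
           Setting = 'Prevent installation of devices not described by other policy settings' }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $shown  = 'Not Configured'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $shown
            Compliant = ($actual -eq 1)
        }
    }
}

function Get-ApprovedDeviceIds {
    # The allow list itself is stored as numbered string values in a subkey.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Value }
}

Test-RemovableMediaPolicy | Format-Table -AutoSize -Wrap
Get-ApprovedDeviceIds
```

Any row showing `Compliant = False` means that machine will still accept, or write to, a USB key that is not the approved encrypted one.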
One other organization I’m aware of goes one step further: Before a computer gets to a user, the USB ports are filled with epoxy. You can’t physically plug in a USB drive. It voids the computer warranty, of course, but they’re willing to go that far. Desktop chassis are locked with a tamper-evident seal and woe betide the user who breaks that seal, even accidentally. They get an E-Ticket to the Seventh Circle of Draconian Security Hell that starts with the words “Charged with Corporate Espionage” and gets uglier from there.
To circle back: data loss can be prevented easily enough by addressing the technology and the humans. Make sure there are penalties for moving any confidential data to a USB drive for whatever reason. Make it as hard as possible to actually get the data off the network. Make anything that could be a destination as secure as you can with strong passwords and military-grade encryption, then make sure everyone understands why, as well as the consequences.
We’re certain hospitals would much rather have a press conference and say “We lost 25,000 patient records, but the file is protected with military-grade encryption. It sucks, but we’re confident the information is as secure as we can make it. And the person who lost it has had their legs broken by the IT department’s Managing Director.”
Fix the technology and fix the human factors.