It’s about the way the Government goes about passing and implementing regulations
To understand why regulations have similar guidelines, spend a few days reading the Federal Register. Not only will you be in demand at parties, you will understand why the rules for most of the data breach and privacy laws are identical when it comes to end-of-service security compliance.
The regulatory rules you have to follow are not ultimately written by politicians but by staff at the various agencies (Department of Health and Human Services, Department of Justice). Politicians write laws for show as much as they do to solve a problem and the language is notoriously vague in many cases. It is fair to say that the average congressman doesn’t distinguish between Security Erase and DoD block erase.
That’s because both Federal and state lawmakers delegate their legislative power to administrative agencies for the rule making process. The law says “this is what we want to happen”, while the rules say “but this is how it’s really going to happen.”
The Federal Register is the central reference for proposed legislative rules as laws pass through the stages from proposed language to implementation. You can follow this procedure in the Federal Register as rules are proposed, debated and finalized. You can even weigh in with your opinion. Eventually, the agency assesses the input from interested parties and publishes the final version of the rule.
For an esoteric topic such as end-of-service data disposal, the agency staff will rely on previous similar legislation and also pick up the work of other agencies. This is not only expedient, it also protects the bureaucrats who actually make and enforce the rules. So unless there is a strong push from a lawmaker or other interested and powerful party, the NIST guidelines are likely to prevail for the foreseeable future.
AMR notifies 79,000 employees about stolen hard drive
Discussions of end-of-service data retirement practices involve terms such as “sanitization” and sometimes “crushing”. They don’t seem to be nearly as cool as working against cyber attacks and encryption technology. Nevertheless, the damage caused by losing physical storage media that hasn’t been purged of data is just as great.
Witness recent challenges at American Airlines parent AMR, now engaged in the unenviable task of notifying 79,000 current and former employees of a significant data breach. The cause: loss of a hard drive containing private employment records from the years 1960 to 1995. According to the company, some of the records contained financial information, and may have also included health insurance information concerning coverage and treatment.
In addition to the cost of notifying employees, the company is providing a year of free credit monitoring.
Not to belabor the obvious, but the cost of purging the hard drive would have been far less than the expenses that have now been incurred.
Processor Already Paid $60 Million to Visa to Settle 2008 Data Intrusion
After agreeing to a $60 million settlement with Visa earlier in the year, Heartland Payment Systems has added another $41 million to the pot for MasterCard. These amounts are most likely accounted for in a $139 million line item the company set aside in a recent SEC filing. Heartland originally estimated the cost of the data breach would reach $12 million.
Based in Princeton, NJ, the nation’s fifth largest credit card processor was the target of a very large data breach that resulted in the compromise of approximately 130 million customer records.
Issuers of VISA and MasterCard bank cards will be able to make claims against the settlement funds for losses they incurred as a result of the 2008 data breach. The card issuers generally have to pay to reissue the cards at approximately $20 per card. In addition, they bear the cost of any fraudulent charges made as a result of the breach.
Why a company based in New Jersey goes by the name of “Heartland” is the topic of a separate inquiry.
Affinity May Be Looking at HITECH Act Penalties
|

A hard drive lurks within your networked digital copier or printer
ADDITIONAL LINKS:
- Cypher ultra-portable erasure kit meets NIST and DOD standards.
- HITECH Act now in effect for medical organizations
- NIST special publication 800-88 media sanitization guidelines
|
In November of 2009, Data Destruction Topics reported on the data-breach-waiting-to-happen related to digital copy machine hard drives (OMG: There’s a hard drive in my copy machine!). In that posting, we reported that networked printers are a potential source of data breaches, all but ignored by both owners and security professionals.
Now comes the news that Affinity Health Plan, a New York managed care service, has notified well over 400,000 current and former employees that sensitive medical records have been potentially compromised due to the loss of a digital copier hard drive. The copier had previously been leased by Affinity and was later returned to the leasing company without erasing the drive. The hard drive containing the records was found in a warehouse in New Jersey.
Failure to properly dispose of medical records is a violation of new federal HITECH regulations, as well as New York state privacy regulations. In addition to notification requirements, the violations may also result in fines and other sanctions.
The fact that the hard drive had been returned to the vendor in no way absolves Affinity of its failure to comply with private data security regulations. HITECH explicitly defines the necessity of protecting private data and provides best practices guidelines based on NIST standards; organizations that fail to comply voluntarily with the Privacy Rule may be subject to civil penalties. In addition, certain violations may be subject to criminal prosecution.
The process of erasing sensitive data from hard drives is inexpensive and fast with today’s data erasure technology. Equally important, these products provide the means of generating an audit trail that certifies compliance, precluding the expense of notification, damage to business relationships and criminal charges. |
|
Stolen Computers Have Health Insurer Feeling Blue and Cross
|

Stolen Computers Trigger a Big Financial Bite and Public Relations Nightmare
ADDITIONAL LINKS:
- Updates on New and Pending Legislation.
- New Enterprise Level Data Erasure methods
- NIST special publication 800-88 media sanitization guidelines
|
Can we just say this up front? The expenditure of a few thousand dollars in October could have saved BlueCross BlueShield of Tennessee $7 million (and counting) over the long term. That’s the amount of money the Chattanooga-based health insurer has spent so far on damage control from the latest high profile private data breach event to hit the medical services industry. It’s likely a fraction of what the final bill will total.
In October 2009, private data belonging to about 500,000 BCBS customers was stolen by unknown criminal parties, along with 57 PCs on which it was stored. The decommissioned computers were warehoused in a vacant office building awaiting return to the vendor under the terms of the lease agreement. The hard drives contained a wide range of member records, including benefit I.D. numbers, social security numbers and possibly diagnoses or diagnostic codes. According to reports in the Chattanooga Times Free Press, the company has received 8,728 member calls related to the theft so far, and about 20,500 members of BlueCross plans have taken advantage of the company’s offer of free credit monitoring services.
BCBS of Tennessee is now in the process of identifying what data may have been on the drives and notifying customers about the privacy breach. Here’s the kicker: the deployment of an inexpensive, hardware-based HDD purging solution would not only have cleared the data from the drives, it would have also provided an audit trail to verify exactly what was destroyed. All 57 drives could have been erased in less than a day.
Because this type of data destruction technology is cited by NIST in its Media Sanitization Guidelines, Special Publication 800-88, Blue Cross would have been in automatic compliance with HITECH regulations. BCBS would have been exempt from penalties and most likely from notification requirements. To comply with the Health Information Technology for Economic and Clinical Health Act adopted last year, BCBS must notify attorneys general in 32 states.
The most troubling aspect of this scenario is that the underlying practice – storing decommissioned hard drives and other electronic media without purging end of life data files – is a series of disasters waiting to happen across the country and around the world.
A more complete summary of the HITECH bill’s provisions is available here. |
|
Personal Data Privacy and Security Act of 2009: First of More Aggressive Federal Oversight
|

Personal Data Privacy and Security Act Specifies More Aggressive Sentences
ADDITIONAL LINKS:
- Updates on New and Pending Legislation.
- Comparison of hard drive erasure methods
- NIST special publication 800-88 media sanitization guidelines
|
Senator Leahy’s new bill ups the ante for acts of data piracy and also for failure to report data breaches. Fraud involving digitized or electronic personally identifiable information (including identity theft) can be considered grounds for racketeering charges, which carry far more significant criminal penalties and sentences. The Act directs the U.S. Sentencing Commission to update its guidelines for fraudulent use of private data and for concealment of security breaches. As written, the new law will also establish an Office of Identity Protection under the FTC umbrella, and impose new standards on GSA contracts.
A more complete summary of the bill’s provisions is available here. |
|
The IEEE has issued new data security standards for office printers and copy machines.
|

Is your networked printer a data breach waiting to happen?
|
by Sean O’Leary
While most of the world has been scrambling to fend off data breaches across the IT security spectrum, another problem has been lurking just below the surface. According to an article in DarkReading, an online data security newsletter published by InfoWeek, networked printers are a potential source of data breaches that have been all but ignored by both owners and security professionals. In response, the Institute of Electrical and Electronics Engineers (IEEE) has issued 2600 Profile, a new security standard that covers networked printers and copy machines. Otherwise known as the “IEEE P2600 family of standards for hardcopy devices and system security”, the initiative covers laser printers, copiers and other seemingly innocuous multifunction devices.
The new standards, developed by Xerox, Canon, Epson and other major players in the market segment, specify a number of guidelines for manufacturing and deploying secure printers, including password protection, hard drive encryption and electronic “shredding,” and security logs. They also include an overwrite function that destroys residual data on the disk, a feature Xerox has begun adding to its most recent models.
Residual data on what disk? Right. It’s easy to forget that copiers and digital printers incorporate computers into their inner workings and are equipped with hard drives the same as any PC or laptop. Not only are copiers and printers repositories of vast amounts of data, they are also components in the networked enterprise environment, and therefore vulnerable to hacking. Decommissioning or selling a printer therefore carries with it the same risk of data theft as a similar scenario for a PC.
According to the experts, no printer related data breaches have been reported. But as is so often the case with this sort of thing…it’s only a matter of time. Meanwhile, the new IEEE standards are in the process of certification and approval. |
|
Three key attributes separate software overwriting (clearing) HDD data sanitization methods from Secure Erase enabled hardware devices.
|

Firmware based Security Erase devices are able to access hidden partitions in order to erase hard drives
|
by Michael Cheslock
There are three major attributes that separate software overwriting (clearing) HDD data sanitization methods from Secure Erase enabled hardware devices. Getting each of these factors right is essential in developing an effective end of life protocol:
The first, and most important, is Security Compliance:
NIST Guidelines for Media Sanitization serve as the benchmark for hard drive sanitization methodologies in the United States. Although we still come across the term DoD 5220 fairly often, it is important to understand it is a document that is regularly abused by software companies.
Despite the chatter, DoD 5220 has not recommended overwriting, or any other hard drive sanitization methodology, since the 1994 revision. No version of DoD 5220 since that year makes any mention of hard drive erasure methodologies. The only national guideline is NIST SP 800-88. This document clearly rates Secure Erase in a higher category than overwriting utilities (a “purge” of all data, versus a “clear”). Furthermore, specific devices such as CPR Tools’ Hammer offer a G-List remapped sector data destruction utility called gRase. gRase accesses and erases data in “bad sectors” that most software tools (and many hardware tools) leave behind.
Within this category, the most powerful emerging concerns are certification and defensible audit trails. In the event of litigation, it is essential to ensure that a tamper-resistant log (with a checksum to demonstrate any changes to the drive after erasure) is presented to verify that hard drives are sanitized in accordance with current guidelines. For software solutions in general, there is no automated logging capability that tracks which procedures are executed on which drives, who is executing them, and when they are being executed.
The next major factor is Efficiency of Execution:
When you consider the basics, it should be obvious that firmware based solutions are inherently more effective precisely because they are executed from the firmware of the drive. Interface, OS, and BIOS barriers are all removed from the process.
Software overwriting tools are designed to write random bits of data to all user accessible sectors of a drive. The software is loaded onto a machine or server, from which it executes the overwrite procedure. Most of these overwriting tools execute multiple passes. Outdated versions of DoD 5220-22.M recommended triple overwrite, or three consecutive passes, to effectively render hard drive data unrecoverable. But it is now understood, and has been for some time, that multiple passes do not add any significant assurance of security. A single pass is adequate for clearing media, but no number of passes will achieve purge.
Many software applications give the user the ability to overwrite a particular partition, or section of a drive, and ignore others, effectively allowing the user to accidentally or on purpose overwrite less than the entire drive. For example, it is very easy to ask such applications to overwrite the “C drive” but not the “D drive”, when, in fact, both partitions exist physically on the same hard disk drive, and both contain sensitive information. User error is common when using software solutions, and it is a risk. On the other hand, high end hardware devices are directly connected, and erase everything on any disk to which they are connected.
Furthermore, firmware executed procedures are impossible to interrupt externally. These, among other factors, are the reasons purging is ultimately recommended above clearing in NIST SP 800-88.
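To make the three coverage gaps described above concrete (a partition-scoped overwrite, the hidden area beyond the reported user capacity, and the original sectors left behind by G-list remaps), here is an added Python simulation. It is not part of the original post and does not model any particular product: the drive geometry, the HPA size and the remap table are constructed toy values, and the firmware purge is modelled the way the post describes it, as clearing every physical sector the firmware knows about.

```python
"""Simulated disk: why host-side overwrites (clear) cover less than a firmware purge.

Added example, not from the original post or any vendor's tool. All geometry below is
constructed; real drives manage remapping and hidden areas inside their firmware.
"""
from dataclasses import dataclass, field

SECTOR = 16          # bytes per simulated sector (real drives use 512 or 4096)
MARKER = b"S"        # stands in for sensitive data
BLANK = b"\x00"


@dataclass
class SimDrive:
    native_sectors: int            # true capacity known to the firmware
    hpa_sectors: int               # hidden area beyond the reported user LBAs
    partitions: dict               # name -> (first_lba, last_lba inclusive)
    remapped: dict = field(default_factory=dict)  # user LBA -> spare index (G-list)
    media: bytearray = field(init=False)
    spare: bytearray = field(init=False)

    def __post_init__(self):
        # Every physical sector, spares included, starts out holding sensitive data.
        self.media = bytearray(MARKER * (SECTOR * self.native_sectors))
        self.spare = bytearray(MARKER * (SECTOR * len(self.remapped)))

    @property
    def user_sectors(self):
        # The LBA range the OS (and therefore any software tool) can address.
        return self.native_sectors - self.hpa_sectors

    def write_sector(self, lba, data):
        # A host write to a remapped LBA lands on the replacement sector; the original
        # (bad) physical sector keeps its old contents, which is what gRase-style
        # firmware utilities exist to reach.
        if lba in self.remapped:
            idx = self.remapped[lba]
            self.spare[idx * SECTOR:(idx + 1) * SECTOR] = data
        else:
            self.media[lba * SECTOR:(lba + 1) * SECTOR] = data


def software_overwrite(drive, partition=None):
    """Host-side clear: zero every user-addressable LBA, or only one partition."""
    if partition is None:
        lbas = range(drive.user_sectors)
    else:
        first, last = drive.partitions[partition]
        lbas = range(first, last + 1)
    for lba in lbas:
        drive.write_sector(lba, BLANK * SECTOR)


def firmware_secure_erase(drive):
    """Drive-side purge as the post describes it: all physical sectors, HPA and spares."""
    drive.media[:] = BLANK * len(drive.media)
    drive.spare[:] = BLANK * len(drive.spare)


def residual_summary(drive):
    """Count physical sectors still holding the marker, grouped by where they live."""
    counts = {"user": 0, "glist_original": 0, "hpa": 0, "spare": 0}
    for lba in range(drive.native_sectors):
        if drive.media[lba * SECTOR:(lba + 1) * SECTOR] != BLANK * SECTOR:
            if lba >= drive.user_sectors:
                counts["hpa"] += 1
            elif lba in drive.remapped:
                counts["glist_original"] += 1
            else:
                counts["user"] += 1
    for idx in range(len(drive.spare) // SECTOR):
        if drive.spare[idx * SECTOR:(idx + 1) * SECTOR] != BLANK * SECTOR:
            counts["spare"] += 1
    return counts


def demo():
    """Run the three scenarios from the post on identical constructed drives."""
    def fresh():
        return SimDrive(native_sectors=24, hpa_sectors=4,
                        partitions={"C": (0, 9), "D": (10, 19)},
                        remapped={5: 0})   # user LBA 5 was remapped to spare sector 0

    results = {}
    d = fresh(); software_overwrite(d, partition="C")
    results["partition_C_only"] = residual_summary(d)
    d = fresh(); software_overwrite(d)
    results["all_visible_lbas"] = residual_summary(d)
    d = fresh(); firmware_secure_erase(d)
    results["firmware_purge"] = residual_summary(d)
    return results


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:18s} {counts}")
```

The "C only" run leaves all of D, the hidden area and the remapped sector's original location untouched; the whole-device software pass still misses the last two, because the host never sees those physical sectors at all; only the firmware-level purge returns zero residual sectors in every region.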
The final major factor is Speed:
Because Secure Erase is executed from the firmware, it is not limited by processor or bus speeds, or by the drive interface. It can execute a full secure erase on a drive in 1/18th the time it takes to perform a less effective 7 pass overwrite using software. Similarly, a triple overwrite procedure using software will take up to 8 times as long to perform as a more effective Secure Erase process, sometimes longer. In fact, when compared to even a single pass overwrite, it is still often more than twice as fast.
Furthermore, software solutions disable the workstation during the entire procedure, severely hindering productivity.
Related to the speed issue is the surprising amount of electrical energy required to clear a hard drive using a software product. From a green perspective, the hardware devices are clear winners.
But that’s the subject of a different post. |
|
70 Million Military Veterans’ records exposed due to lax end of life practices
|

NARA privacy breach could have been avoided by purging data on defective HDD
ADDITIONAL LINKS:
- Updates on Regulatory topics affecting data security laws.
- HIPAA privacy rule summary
- NIST special publication 800-88 media sanitization guidelines
|
In November 2008, the National Archives and Records Administration (NARA) sent out an unsanitized hard drive for repair by the vendor. The drive, which was a component in a six drive RAID array used in the administration’s eVetRecs system, contained an Oracle database with the health and discharge records of millions of veterans dating back to 1972. When outside contractor GMRI determined the drive to be defective, it was sent to another outside vendor for recycling – with the private information it contained intact.
Now, according to a story in Wired Online, a NARA IT manager is claiming that the agency’s ongoing practice of failing to sanitize hard drives before sending them off site exposes veterans to identity theft. Interviewed for Wired.com’s online privacy, crime and security page, Hank Bellomy, a NARA IT manager, charges that the failure to purge data from recycled drives is symptomatic of a larger problem among Government record keeping agencies. His comments to Wired are an indication of the frustration experienced by many other IT managers caught in a web of seemingly conflicting policies:
“I said you can’t turn them back in,” said Bellomy. “The data is Privacy Act — it’s against the law. We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”
NARA is simultaneously claiming that the lost drives are no big deal and changing their policy in response to the criticism. The agency now requires that drives be destroyed in house. The agency’s position is that there is no problem here because they have signed privacy agreements with their contractors. Of course, the hole in the “vendor accountability” argument is made painfully clear by the fact that the missing drive still can’t be located.
This is where it gets complicated, because NARA’s maintenance contract requires that it return defective drives for inspection or else pay a $2,000 replacement fee. As we have discussed any number of times in this space, government agencies in general are experiencing confusion as to what the current standard might be for dealing with protection of end of life cycle private data. In this case, the HDD in question represents a Catch 22 for NARA. In order to determine whether the drive is defective, it must be taken off premises, which is already a compromise of best practices. If they don’t send it out, they spend more taxpayer money on a new drive.
The solution to the quandary is referenced obliquely in the same article: remove the data prior to recycling. The National Institute of Standards and Technology (NIST) now recommends firmware based purging methods that remove data on HDDs beyond the possibility of forensic recovery – without destroying the drive itself. (OMB rules also recommend that government agencies follow these same NIST standards.) The highest level of purging cited in the NIST guidelines is performed by a device called the SCSI Hammer, developed by forensic recovery experts CPR Tools. The device would have solved the NARA dilemma by removing the data from the drive while allowing it to be inspected and subsequently recycled. The SCSI Hammer also generates a legally defensible audit trail that details the drives’ unique serial numbers, the erasure and erasure verification processes used, and even a checksum to demonstrate changes to drive data after erasure. Whether the agency or the outside contractor is responsible for this potentially massive data breach is merely a technicality for the 70 million veterans whose private info is on the lost HDD. If it had been purged of data, there would not be a problem.
Read more about the SCSI Hammer here. |
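Both this post and Michael Cheslock’s note on defensible audit trails above list what a sanitization record has to carry: the drive’s serial number, the method and verification used, who ran it and when, and a checksum of the drive’s post-erasure state. The following Python sketch is an added example, not the Hammer’s log format or any vendor’s: it seals the record with an HMAC under a per-station key (an assumption; a production station would keep that key in a HSM or TPM, or sign with a private key so a third party can verify the record), and rehashes the drive image to show whether anything was written to the drive after the erase completed. Serial numbers, operator names and timestamps below are constructed placeholders.

```python
"""Tamper-evident sanitization record (added example; not any product's log format).

The station key, serial numbers, operator and timestamps are constructed placeholders.
"""
import hashlib
import hmac
import json

# Assumption: a secret held only by the erasure station. A shared HMAC key proves the
# record was produced by a key holder; a signature would let an outside auditor verify it.
STATION_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same record always yields the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def image_digest(image: bytes) -> str:
    """SHA-256 over the drive contents read back after erasure."""
    return hashlib.sha256(image).hexdigest()


def readback_verify(image: bytes, fill: int = 0) -> bool:
    """Independent check that every byte read back equals the expected fill pattern."""
    return all(b == fill for b in image)


def make_record(serial: str, method: str, operator: str,
                started: str, finished: str, image: bytes) -> dict:
    """Build and seal one per-drive record; raises if read-back verification failed."""
    if not readback_verify(image):
        raise ValueError("read-back found non-blank sectors; record not issued")
    body = {
        "drive_serial": serial,
        "method": method,            # e.g. "Secure Erase (purge)" or "1-pass overwrite (clear)"
        "operator": operator,
        "started": started,
        "finished": finished,
        "verification": "full read-back, all bytes 0x00",
        "post_erase_sha256": image_digest(image),
    }
    rec = dict(body)
    rec["hmac_sha256"] = hmac.new(STATION_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return rec


def verify_record(rec: dict) -> bool:
    """True only if no field of the record has been altered since it was sealed."""
    body = {k: v for k, v in rec.items() if k != "hmac_sha256"}
    expected = hmac.new(STATION_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec.get("hmac_sha256", ""))


def drive_changed_since(rec: dict, image: bytes) -> bool:
    """Rehash the drive now and compare with the digest captured at erasure time."""
    return image_digest(image) != rec["post_erase_sha256"]


if __name__ == "__main__":
    blank = bytes(4096)                                  # constructed 4 KiB erased image
    rec = make_record("SN-DEMO-0001", "Secure Erase (purge)", "operator-demo",
                      "2010-01-01T10:00:00Z", "2010-01-01T10:03:00Z", blank)
    print(json.dumps(rec, indent=2))
    print("record intact:", verify_record(rec))
    print("drive changed:", drive_changed_since(rec, b"\x01" + blank[1:]))
```

Two separate checks are deliberately kept apart: `verify_record` answers whether the log entry itself has been edited, while `drive_changed_since` answers whether the drive was written after the log entry was made; a defensible trail needs both.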
|
New HITECH regulations include renewed focus on HIPAA compliance
|

Stimulus Bill Includes Increases In Fines for HIPAA Privacy Breaches
ADDITIONAL LINKS:
- Updates on Regulatory topics affecting data security laws.
- HIPAA privacy rule summary
- NIST special publication 800-88 media sanitization guidelines
|
It appears that some elements of the American Recovery and Reinvestment Act are having a positive effect on the economy. However, less prominent components of the massive legislative package may have a greater long-term impact on companies that manage and store private data. One such regulation is the HITECH Act, otherwise known as the Health Information Technology for Economic and Clinical Health Act. This $19.7 Billion act is expected not only to expand the definition and enforcement of HIPAA compliance, but also to broaden the spectrum of companies that must comply.
In general, the new Act imposes notification requirements on covered entities, business associates, vendors of personal health records (PHR) and related entities in the event of certain security breaches relating to protected health information (PHI). On a financial level, civil penalties for HIPAA violations have increased significantly, up to $1.5 million a year. In addition, unwarranted disclosure of personal health information (PHI) could result in criminal prosecution and potential jail time. A security breach that results in PHI being compromised must now be disclosed, and each affected individual must be notified. If more than 500 users are impacted, the event must be reported to the Dept of HHS.
Read more about HITECH fines and penalties here. |
|
Outstanding Selection of Specialty Shredding Systems
|