Tuesday Sep 07, 2010

Data loss, encryption & security in health care - is your medical data safe?

Over the past few months I've been spending more time with customers in the health care industry. Globally we are seeing an increase in security breaches of patient data; just look at the following examples of data loss in the last month alone...


These are alarming numbers! As more and more medical and health care organizations are mandated to move to electronic systems for storing your confidential medical information, these incidents are only going to rise. The modern world is full of new technology designed to make sharing information easier: networks are getting faster, storage devices bigger, and threats to your data are increasing at the same rate. A recent study found that attempted attacks on health care organizations increased from an average of 6,500 per health care client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009. As the UK Liberal Democrat Robert Brown said: "These are frightening figures. Central government, local councils, NHS boards and the police hold a great deal of information on all of us. Our data is in their hands and we need to know they are taking this responsibility seriously... Liberal Democrats called for an urgent review into data loss in January. I want to know what the government have done since then and why the situation has not improved."

Not improved? I'd like to know why it seems to be getting worse... This increase in activity is taking place in parallel with new laws intended to protect your information. Recent changes to legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, require that health information be secured, and typically the key word is encryption. As an article on the recent HIPAA changes in SC Magazine puts it: "In the past, companies offered hard drives that used strong encryption. However, analysis showed that strong encryption was used but only to protect the password and not the data that was stored on the devices. The actual data stored on the hard drive was encrypted with an encryption algorithm developed by the company, which proved to be anything but strong. This illustrates the potential pitfalls of choosing any type of encryption package -- a lack of strong, secure encryption. Obviously, some encryption programs do a better job of protecting data than others, but how can a company choose the right one?"
"The government is not in control of the situation. They need to get a grip on this right now."
Robert Brown MSP, Spokesperson on Justice

Encryption is a key method of securing information, so much so that the HIPAA regulations say that if your patient information is encrypted, you avoid fines and the requirement to publicly notify the government of any breach of data. So how do you choose the right way to use encryption? Start by looking at the way data is lost; it falls into a few common areas. Firstly, the loss or theft of devices on which the information is stored: DVDs lost in the post, stolen laptops and mislaid USB data devices seem to dominate the news. Then every so often someone accidentally emails patient data to the wrong recipient or posts files online insecurely. Secondly, look at the format the lost information is stored in:

  • Database exports/backups
  • Unstructured documents such as spreadsheets, PDFs, or emails
So many incidents involve the loss of laptops and storage devices that contain database backups or documents and emails that have either inadequate encryption or none at all.

Are there no decent technologies to address these problems?

Quite the opposite: now more than ever there are many products designed to address these issues by implementing encryption and access controls. Let's look at some of the solutions from Oracle which could significantly improve the security of patient information and massively reduce the risk of health care organizations being fined and publicly embarrassed.



Before I go into any detail, look at the diagram above, which highlights that patient information typically lives in three places: the database, the application, or a document. To use encryption and security effectively, we need to put solutions in all three areas. I'm only going to cover specific Oracle encryption technologies in the rest of this article. It goes without saying that a complete medical data security solution should also include identity & access management, browser-to-application-server encryption (HTTPS, i.e. SSL/TLS) and the other well known methods of information security.


Encrypting data at rest

Hard disk encryption is often touted as the answer to protecting data at rest. However, in practice this addresses only a small part of the problem. When it comes to databases, performance is key, so encrypting the disks on which the medical databases reside can significantly impact system performance. Performance is everything in health care; timely access to patient data can be a matter of life and death. With the Oracle database, however, encryption can be applied within the database platform itself, and here we can really reduce the performance impact. Transparent Data Encryption (TDE) applied at the tablespace level (the files which store the information) has a minimal impact on performance and, more importantly, does not affect the ability to compress the data. The last thing you want is to start encrypting your database information only to find that your previously effective compression is now useless and the database storage requirement has doubled.
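As an added example (not code from the original post or from Oracle's documentation), here is what tablespace-level TDE looks like in Oracle 11g SQL: the tablespace names, datafile path, table definitions and wallet password are constructed placeholders, and COMPRESS FOR OLTP assumes the Advanced Compression option is licensed.

```sql
-- Added example (not from the original post): encrypting a patient-data
-- tablespace with Oracle TDE, 11g syntax. Names, paths and the wallet
-- password are constructed placeholders.

-- 1. Create the master encryption key in the wallet (this also opens it).
--    Assumes ENCRYPTION_WALLET_LOCATION is already set in sqlnet.ora.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WALLET-PASSWORD-PLACEHOLDER";

-- 2. Create an encrypted tablespace. Every block written to its datafiles
--    is encrypted on disk; the master key never leaves the wallet.
CREATE TABLESPACE patient_enc
  DATAFILE '/u01/oradata/ORCL/patient_enc01.dbf' SIZE 512M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Compression still works with tablespace encryption, because each block
--    is compressed first and encrypted afterwards (unlike column-level TDE).
--    COMPRESS FOR OLTP assumes the Advanced Compression option.
CREATE TABLE patient_records (
  patient_id  NUMBER        PRIMARY KEY,
  nhs_number  VARCHAR2(10)  NOT NULL,
  diagnosis   VARCHAR2(200),
  notes       CLOB
) TABLESPACE patient_enc COMPRESS FOR OLTP;

-- 4. Move an existing cleartext table into the encrypted tablespace.
--    A MOVE marks the table's indexes UNUSABLE, so rebuild them.
ALTER TABLE legacy_patient_records MOVE TABLESPACE patient_enc;
ALTER INDEX legacy_patient_records_pk REBUILD;

-- 5. Verify which tablespaces are encrypted and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Note that moving a table does not scrub the cleartext blocks left behind in the old datafile; they remain readable from the disk until the old tablespace is dropped and its storage reused or wiped.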


But encrypting the data in the database doesn't help when physicians are downloading spreadsheets of patient data from health applications and storing them on USB devices and laptops which are easily lost or stolen. Of course this is where Information Rights Management (IRM) comes into play. Using IRM to encrypt and control access to patient data at the file level means no matter where the file is stored, it is always protected.


Encrypting data in transit

In transit usually means when information is being transferred across a network. Encrypting database backups on DVDs and using IRM to protect files stored on USB keys fall under the data at rest requirements. The same set of technologies in the Oracle database that protect information whilst it resides on the disks can also be applied as the database transmits information to the application over the network. Configuring the encryption of information on the network in the Oracle database is easy and requires no change to the application! Protecting patient information couldn't be easier.
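The network encryption just mentioned is configured in the database server's sqlnet.ora; the fragment below is an added example, not the post's own or Oracle's published configuration, and assumes an 11g server where the client side carries the matching *_CLIENT parameters.

```ini
# Added example (not from the original post): server-side sqlnet.ora entries
# for Oracle native network encryption on an 11g database. Assumes the
# client side is configured with the matching SQLNET.*_CLIENT parameters.

# REQUIRED refuses any session that cannot be encrypted. ACCEPTED or
# REQUESTED would let a client that rejects encryption connect in cleartext,
# which silently defeats the purpose on a health care network.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

# Integrity protection alongside confidentiality, so tampered packets are
# rejected. SHA1 is the strongest checksum type available in this release.
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
```

To confirm a session is actually encrypted, query `SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID');` from that session: the banners should include an "AES256 Encryption service adapter" line and a crypto-checksumming line, not just the base "Encryption service" entry.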


Does IRM fit into securing data in transit? Of course, if the file is encrypted with IRM it doesn't matter how it is transferred over the network, it is always encrypted. As an attachment to an email, accidentally hosted on a public website or even stored in the database, IRM protected files are always secured no matter where they live or how they are transferred.


Encrypting data in use

Rarely do we see anyone discuss data in use. What do I mean by "in use"? When you access the health care application and look at a patient record, or when you have a spreadsheet or PDF open and are printing it or copying and pasting it into other documents. This is a massive area of data loss and one that very few technologies can address. Mostly we see solutions for protecting information as it moves from the health systems to the users, ensuring that encryption and access controls provide security while it resides on storage devices and moves across networks. Yet this leaves a gaping hole: how do you ensure people use patient data in a secure manner?


Two technologies really help in this regard. Data loss prevention (DLP) technologies are a great way to detect the movement of patient information as it crosses application, network and storage boundaries. I might want to copy my patient records to a USB key or email the information to my home computer. DLP does a great job of detecting this activity, yet its only response is to block it and prevent it from taking place. In health care this is a serious problem: stopping people getting access to and using patient information can prevent the physician from delivering care. The last thing you want to stop is a surgeon being able to access critical information when someone's life depends on it.

Again IRM steps in to provide a solution. IRM combined with DLP can both detect and secure the use of patient data. IRM delivers some functionality that significantly improves the ability to protect patient data.

  • IRM documents are never decrypted back to their original form. Unlike document security technologies such as PGP, IRM controls access to the document at all times and the files are never decrypted to disk.
  • The clipboard is under total control, so patient data remains inside the document and cannot be copied into social networks, other documents or applications.
  • Screenshots are prevented with IRM technology, so images of patient data cannot easily be copied or reproduced insecurely.
  • Printing is also controlled. Many incidents of patient data loss have come from physical, paper copies of the information; IRM can prevent documents from being printed and therefore removes this exposure.


Wednesday Jan 13, 2010

UK Data Losses to Incur Fines Up to £500,000

The BBC reports that the British Secretary of State for Justice has approved a new rule to empower the Information Commissioner's Office to impose fines up to £500,000 for data breaches.

Fines will be in proportion to the severity of the breach and the resources of the erring organization.

In a press release, Information Commissioner Christopher Graham, said: "Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

Keep alive public awareness of data loss, support datalossdb.org

Public reporting of security issues and incidents is key to addressing security concerns and continuing to advance the methods we all use to protect our most valuable data. Without public scrutiny there is no awareness, and without awareness there is no knowledge on which to build security.

Luckily the Open Security Foundation (OSF) does a great job of managing two very important web sites. The Open Source Vulnerability Database is managed by the public community and is a great tool for tracking problems in software you may have deployed, and the public awareness it creates keeps vendors on their toes about fixing issues.

The second website is the Data Loss Database, which records all publicly reported incidents where data is lost, whether by accident, as a result of a hack, through stolen equipment, etc. This invaluable database provides awareness so that organisations are better able to understand the ways in which information is at risk and therefore implement technologies, such as information rights management, to reduce the risk of data loss.

The OSF is currently asking for donations to help these valuable services to continue to run. So open your wallet and drop some money in the direction of the Open Security Foundation... and in doing so contribute to the efforts which keep all of our information secure.


Monday Mar 30, 2009

MP expenses data up for sale

The latest high-profile data exposure story comes from the mother of all parliaments as part of an ongoing furore about inappropriate expense claims by Members of Parliament.

According to the BBC, details of the expenses claims of all 650 or so MPs from all parties are available for a sum of around £300,000. There is an expectation that some of the more embarrassing claims will find their way into the papers over the coming weeks - although it is hard to imagine anything more embarrassing than the weekend's revelations about the Home Secretary's claims.

The breach has privacy implications. Parliament itself plans to publish the information some time this Summer as part of a drive towards more openness. However, it cannot do so until about a million receipts have been reviewed for data privacy purposes, and the incident might also represent a breach of the Official Secrets Act. Whoever is trying to sell the data evidently has no qualms about the privacy implications. Electronic copies of the receipts are being offered in redacted and unredacted form.

This story illustrates how seemingly trivial information can have extraordinary value and significant privacy implications. We have customers who seal payslips and other HR information, but it had never occurred to me that expense receipts represent a significant risk.

