Local Encryption ... Why Not?
-
@Jason said:
@BRRABill said:
But again ... what are the odds a server is just going to reboot in the middle of the day. It doesn't happen on any of my servers. Is this something you see a lot?
This would suck in a data center environment. Remote reboots .. Having to hop into the Out of band management to get it booted up. No Thanks.
This is why physical security is important. Have audit trails for server room access.
Also not even sure how you do this with a large scale SAN setup like ours. It's just not practical.
you do it on a per server basis and it sucks.
-
@BRRABill said:
@Jason said:
This would suck in a data center environment. Remote reboots .. Having to hop into the Out of band management to get it booted up. No Thanks.
This is why physical security is important. Have audit trails for server room access.
I've admitted that data center scenarios encryption is not such a big deal as the risk of theft is much less.
I'm talking more about the company that has a server locked in a server room, behind locked lobby doors, behind lock building doors. But you never know, right?
Low incidence of theft, true.
But I'm argiung if the pain of encryption is low enough, it;s worth it as an added security feature.
Here is the problem.... if the company has a DC then it probably doesn't need encryption. If the company doesn't have a DC, then it likely has issues like not being able to figure out who to call for support, not having good IT processes and will have issues with servers restarting at unexpected times. The place where encryption is a problem is also where it is most needed.
-
@BRRABill said:
@Jason said:
More complexity doesn't nessecerily mean more security.
My argument here is that is doesn't really add that much more complexity for the potential added security it brings.
And our argument and all studies that I've heard of agree and I know of no dissenting information... is that complexity adds no potential security, it in fact dramatically lowers security. Complexity is actually the enemy of security. Complex passwords are complex for humans, not computers. Computers can't tell that they are complex. But complexity means that they have to be shorter and/or recorded and follow patterns for humans to be able to use them. The more complexity you add, the more security you remove.
-
@BRRABill said:
@Dashrender said:
it boils down to risk - do you have a higher risk of theft or higher risk of data corruption, inability to boot?
Have you seen a lot of data corruption or inability to boot with hardware FDE or Bitlocker?
Yes, so much so that in environments that use them they are limited to only the most incredibly critical parts of the workloads and mostly they are avoided completely because they introduce so much risk. Not corruption, not sure that I've ever seen that first hand. But inability to boot is literally every time the machine reboots. Sure we would always get it resolved, but some manager always had to be paged out.
And trust me, even with seven figure people having to put in the password and having to do it on a fairly common basis it was always a risk because only a few people knew the password and they would forget the process regularly. These are big time IT and financial people, not doctors. Imagine how much worse it is for doctors!
-
@Dashrender said:
nope, but then again I have never used them.
Have you, in that case, seen data loss through servers being stolen?
-
@scottalanmiller said:
@Dashrender said:
nope, but then again I have never used them.
Have you, in that case, seen data loss through servers being stolen?
Nope, and I don't know of any first hand experiences either.
Most burglars will have plenty on their plate stealing all of the desktops/laptops that are just lying around. It's easy to sell off laptops and desktops.. servers not so much.
Plus if your servers are behind other locked doors, it's unlikely they will continue spending time breaking into more doors again with all of the desktops/laptops around.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
nope, but then again I have never used them.
Have you, in that case, seen data loss through servers being stolen?
Nope, and I don't know of any first hand experiences either.
Most burglars will have plenty on their plate stealing all of the desktops/laptops that are just lying around. It's easy to sell off laptops and desktops.. servers not so much.
Plus if your servers are behind other locked doors, it's unlikely they will continue spending time breaking into more doors again with all of the desktops/laptops around.
So don't store data on the laptops directly. If they get stolen no big deal. That's seems to get ride of most of the risk.
-
That's really the thing, when possible. I recently worked for a company that had hundreds of Macbooks (Pro and Air everywhere) and they had people breaking into their offices to steal them. It got really bad. But no one ever threatened the servers or the data, it was all about getting the hardware.
I've never heard of anyone going after full servers. Not in the financial world, not in the political world. Moving to cloud computing effectively eliminates that risk, too, especially public cloud where there is nothing physical to steal ever.
One of the things that is important to remember with medical data, is that no one wants it. There is no large market for stolen medical data. Don't get me wrong, if you can get it with low effort (remote automated hacking attempt) then yes, that data can be sold. But unlike politically or financially motivated thefts you don't have to worry about organized criminal organizations breaking down walls and moving your stuff out with trucks.
-
Remember "Scott's First Rule of Security": The key is to make data more expensive to steal than the data is valuable.
With medical data, especially something like a doctor's office rather than a research facility or big pharma, that is a low threshold and just decently securing a server will cover that.
-
The fact that HIPAA exists is kind of a counter argument to that. Fraud is one of the major reasons for the all of the concern. But I do think you're right, we have little concern that someone will break into clinic offices to steal servers to gain access to that data so they can perform fraud. They have easier ways to fraud the system today.
-
@Dashrender said:
The fact that HIPAA exists is kind of a counter argument to that. Fraud is one of the major reasons for the all of the concern. But I do think you're right, we have little concern that someone will break into clinic offices to steal servers to gain access to that data so they can perform fraud. They have easier ways to fraud the system today.
I don't agree. HIPAA covers casual exposure primarily and is designed around that. I've seen hospitals violate HIPAA because they want to grab data out of their databases to extort money from family members. Kinds of things that encryption won't protect against and big theft isn't the issue. It's getting "simple" access to "things not needed for your job."
-
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
-
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.
Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.
-
@scottalanmiller said:
Um, all the time. You are talking about small businesses like doctors offices. How many have generators or even good UPS? How many accidentally reset gear? This is very common. I've seen it a few times this week already. Maybe you are dealing with much bigger companies that we normally see. Anyone under a few hundred users this is a very common problem.
The ones that I deal with do not have these problems.
The servers do not reboot. (They are all on a UPSes with nice run times.) If they did (for example I had an issue recently with a printer driver rebooting the server in the middle of the day) I got a call immediately. Or I would get an alert the machine was done and call them.
The people I deal with call me, and me exclusively.
Granted, this is not on the scale that some of you deal with, so I can't speak to these other things you talk of.
-
@BRRABill said:
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.
Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.
Encrypting data doesn't prevent authorized people from accessing or using data in an unauthorized manor.
-
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
It's actually insanely easy to build. Views by role is a standard security measure in any modern product. Even Spiceworks does this.
-
@BRRABill said:
@Dashrender said:
It's amazing.. that whole limited access thing is something I've seen no health system actually implement.
The comment here is that every staff member who has anything to do with the medical side in one way shape or form (that includes me, the IT guy) needs to have full access to all patient information in order to do our jobs.
Frankly, I'm not sure how you build an easy to use system that limits what nurses and medical assistants can get access to, let along actual providers. Remember that near real time granted access would be a requirement in many cases.
In some health systems I've seen them try to limit who has access by requiring things like a patients SSN as proof they are somehow connected with the patient - but that just doesn't seem right to me.
I agree the healthcare system, from small office to large conglomerate is ignoring a lot of this.
Which is exactly why health systems like the one in my article make it simpler by just encrypting the hard drive. Lose a machine, not an issue.
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
-
@Jason said:
Encrypting data doesn't prevent authorized people from accessing or using data in an unauthorized manor.
I just looked up the breach report.
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
It's interesting to note that a majority of the early cases were all from theft. Now they are interspersed with "unauthorized access" which if I had to bet, was due to more healthcare systems encrypting their endpoints. As we discussed, they do not look at an encrypted lost endpoint as a breach.
Are there potential holes in endpoint encryption? Sure. There are holes in anything.
Since we were discussing it, here is an article that states the OCR does not consider the loss of an encrypted endpoint a breach.
http://www.icemiller.com/MediaLibraries/icemiller.com/IceMiller/PDFs/publications/Healthcare-Protect-Confidentiality-Guide.pdf?ext=.pdf -
@scottalanmiller said:
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
They don't need to address the issues.
People can keep working as they are used to, with the tools they need, and are protected by the encryption.
Why reinvent the entire wheel, best practice or not?
-
@BRRABill said:
@scottalanmiller said:
But it doesn't address the issues. I've never seen or heard of a HIPAA issue that this would have protected against except in cases of reckless storage of data on end points - often likely because someone was trying to put data into a precarious position.
They don't need to address the issues.
People can keep working as they are used to, with the tools they need, and are protected by the encryption.
Why reinvent the entire wheel, best practice or not?
Because that is the easiest way to steal data. It's the simplest to protect against also. The current way is about giving an image of security without actual security.
