
3 Ways Encryption Fails – Ep 343 

 February 18, 2022

By  Donna Grindle

Encryption can give you a false sense of security. Just because your device or your data is encrypted doesn’t mean it is secure. You have to understand how encryption works in order to understand how it doesn’t work.


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 


The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!


Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[03:24] So here’s another one from Georgia… sigh… involving the South Georgia Medical Center. The story goes that an employee was terminated on Nov 11. The next day medical center staff was notified, by their security software, that there had been an unauthorized download of data by an employee. Basically, on the way out of the door, the terminated employee downloaded a bunch of data to a USB drive and walked out of the office with it.

Ex-hospital worker arrested in SGMC data breach | Local News | valdostadailytimes.com

As a result, a 43-year-old female former SGMC employee has been charged with felony computer theft and felony computer invasion of privacy. No motive has been established yet, but if malicious intent is established, this person could also be charged at the federal level by the Department of Justice. HIPAA does include criminal penalties for malicious intent.

So, this is why you need a tool like SPHER. Imagine if they didn’t have a security alert that data was downloaded within hours of it happening. How long would it take and how much damage could be done?

3 Ways Encryption Fails

[11:20] The number of times we have to remind people that encryption is not the solution they think it is can be mind-boggling. For some reason, a swath of people believe all you need to worry about is encrypting everything and then you are secure. That is not true in so many ways.

Here are the 3 most common “misunderstandings about encryption” that we hear:

3 – Encrypting hard drives is not a guarantee to stop an intruder from accessing your data.

If you have a server in a data center with layers of physical security including things like a locked cage around all the servers, a locked cage around the section where your server sits, security cameras monitoring everything inside and outside the building, and so much more, an encrypted hard drive is not your biggest concern. If you are working on a checklist that says you need an encrypted drive on the server but you never actually consider any other information about securing said server, you are not managing risk, you are checking boxes.

An encrypted hard drive helps you in two important ways.

  1. If the drive is stolen or lost.
  2. When you are ready to decommission it.

Once you are logged in and using a device with an encrypted drive, though, the data on it is effectively not encrypted: the drive has been unlocked, and anything running on that system can read the files just as you can. Yes, there are new tools and other methods that may come into play in the future, but that is not the case right now. Once you are using the system, no amount of encryption on that device will protect you if an intruder is in there with you.
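To make the three states concrete, here is an added illustration that is not part of the show notes or any product discussed on the show. It models a self-encrypting drive the way LUKS-style systems do: a random media key encrypts the data, the media key is stored wrapped by a passphrase-derived key, and an unlocked copy lives in memory only while the volume is in use. The cipher is a toy keystream built from the standard library so the script runs anywhere; it is an assumption for illustration and not a production cipher, and every path and secret in it is constructed.

```python
"""Three states of an encrypted volume: locked (lost/stolen), in use, crypto-erased.
Added example; the toy cipher below stands in for AES-XTS and is NOT for real use."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256: illustrative only.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedVolume:
    """Ciphertext on the 'platters'; the media key exists in RAM only while unlocked."""

    def __init__(self, passphrase: str):
        self._salt = os.urandom(16)
        media_key = os.urandom(32)                      # what actually encrypts the data
        self._wrapped_key = seal(self._kek(passphrase), media_key)  # header slot
        self._blocks: dict[str, bytes] = {}             # path -> ciphertext only
        self._unlocked_key: bytes | None = None         # present only while in use

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 50_000)

    def unlock(self, passphrase: str) -> None:
        if self._wrapped_key is None:
            raise PermissionError("media key destroyed: data is unrecoverable")
        self._unlocked_key = open_sealed(self._kek(passphrase), self._wrapped_key)

    def lock(self) -> None:
        self._unlocked_key = None

    def write(self, path: str, data: bytes) -> None:
        if self._unlocked_key is None:
            raise PermissionError("volume locked")
        self._blocks[path] = seal(self._unlocked_key, data)

    def read(self, path: str) -> bytes:
        if self._unlocked_key is None:
            raise PermissionError("volume locked")
        return open_sealed(self._unlocked_key, self._blocks[path])

    def raw_bytes(self, path: str) -> bytes:
        """What a thief sees after pulling the drive: ciphertext, no key."""
        return self._blocks[path]

    def crypto_erase(self) -> None:
        """Decommissioning: destroying the wrapped media key makes every block unreadable."""
        self.lock()
        self._wrapped_key = None


def _denied(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def encryption_states() -> dict[str, bool]:
    """Walk one volume through the three states the episode describes."""
    passphrase = "correct horse battery staple"          # constructed
    secret = b"patient chart: constructed sample PHI"   # constructed
    vol = EncryptedVolume(passphrase)
    vol.unlock(passphrase)
    vol.write("/phi/chart.txt", secret)
    vol.lock()
    out = {}
    # 1. Drive lost or stolen while locked: only ciphertext is available.
    out["stolen_locked_unreadable"] = (_denied(lambda: vol.read("/phi/chart.txt"))
                                      and vol.raw_bytes("/phi/chart.txt") != secret)
    out["wrong_passphrase_rejected"] = _denied(lambda: vol.unlock("guess"))
    # 2. In use: the key is in memory, so anything running on the host gets plaintext.
    vol.unlock(passphrase)
    out["in_use_plaintext_available"] = vol.read("/phi/chart.txt") == secret
    # 3. Decommissioned: even the right passphrase cannot bring the data back.
    vol.crypto_erase()
    out["after_erase_unrecoverable"] = _denied(lambda: vol.unlock(passphrase))
    return out


if __name__ == "__main__":
    for state, holds in encryption_states().items():
        print(f"{state}: {holds}")
```

The only state in which full-disk encryption does nothing for you is the second one, which is exactly the state a server in a data center is in all day long.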

[21:02]

2 – Encrypted communications are not a guarantee to stop an intruder from accessing your data.

This usually comes up in one of two ways:

  1. The regular statement that “we are fine because we are cloud based.”
  2. Not being worried because “we use TLS or HTTPS” or some other protocol.

Unless you really do understand how all those protocols work and what they do, you should never throw them around as the reason your security is fine. There are so many variables, and so many paths you have not even considered, where those protocols will not protect you.

I have seen many cases where internal traffic on a network is not encrypted at all. Printers – please! Other network devices are connected with default user names and passwords and no encryption on the connection at all. Unless you are certain about every kind of connection being made, you cannot assume there is encryption in transit. It is definitely leaps and bounds better than it used to be, but by no means is encryption in transit a no-brainer.

[23:59]

1 – Encrypted email is not a guarantee to stop an intruder from accessing your emails.

The number one most terrifying way encryption will fail you is to assume your email is encrypted so you don’t have to worry about what is stored in it. Please, please, please – no, that is not the case!

Case in point:

Attorney General James Announces $600,000 Agreement with EyeMed After 2020 Data Breach

Here are some statements from the legal filing, NYAG Findings:

On or about June 24, 2020, unknown attacker(s) (the “attacker”) gained access to an EyeMed email account, used by some EyeMed Clients to provide sensitive consumer data in connection with vision benefits enrollment and coverage, when the attacker entered login credentials via a web browser and mail client.
The intrusion, which lasted approximately a week, granted the attacker access to, and the ability to view, emails and attachments dating back six years prior to the attack. ………… In total, information for approximately 2.1 million individuals was exposed, including approximately 98,632 New Yorkers.
From June 24 through July 1, 2020, the attacker accessed the email account from a number of IP addresses, some of which were outside of the United States.
On July 1, 2020, the attacker sent approximately 2,000 phishing emails from the enrollment email account to EyeMed Clients. The phishing messages purported to be a request for proposal to deceive recipients into providing credentials to the attacker. Later the same day, EyeMed’s IT department observed the transmission of these phishing emails from the email account, and received inquiries from clients about the suspicious emails. EyeMed blocked the attacker’s access to the email account, and EyeMed’s internal IT team began investigating the scope of the incident.
[32:33] The NYAG’s investigation identified several areas where EyeMed’s practices did not meet the requirements of General Business Law § 899-bb (not HIPAA, state law privacy requirements) to protect customer personal information.

  1. No MFA. They used it on their VPN connection, but not on an email account loaded with information like this that is accessible via a browser on the public internet.
  2. Password on an email account – 8 characters and no complexity, as if that would matter. As with MFA they were using more strict requirements elsewhere. To make it even worse, you weren’t locked out unless you tried 6, yes 6, times.

It keeps getting worse from there. No real logging in place, never purging or archiving the email account even though it is loaded with so much data… There is a lot more in there, but one item that was called out was their privacy policy which specifically stated:
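The findings above (sign-ins from many addresses over a week, a weak lockout threshold, no real logging, and then a burst of outbound mail) are all things basic log review would have surfaced. Here is an added example, not from the show or from the settlement, of detection logic a mail administrator could run over sign-in and outbound-mail logs. The log lines are constructed, the mailbox names and RFC 5737 documentation IP addresses are placeholders, and the thresholds are assumptions to be tuned per environment; nothing in it is EyeMed's data.

```python
"""Three checks over constructed mailbox logs: multi-country sign-ins, failure streaks
that a stricter lockout would have stopped, and outbound mail bursts. Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp account source_ip country result
SIGNIN_LOG = """\
2020-06-24T08:02:11Z enrollment@example.test 203.0.113.7 US failure
2020-06-24T08:02:19Z enrollment@example.test 203.0.113.7 US failure
2020-06-24T08:02:27Z enrollment@example.test 203.0.113.7 US failure
2020-06-24T08:02:35Z enrollment@example.test 203.0.113.7 US failure
2020-06-24T08:02:41Z enrollment@example.test 203.0.113.7 US failure
2020-06-24T08:02:49Z enrollment@example.test 203.0.113.7 US success
2020-06-25T14:10:02Z enrollment@example.test 198.51.100.23 NL success
2020-06-27T03:41:19Z enrollment@example.test 192.0.2.88 BR success
2020-06-27T09:00:00Z hr@example.test 203.0.113.50 US success
2020-06-28T09:00:00Z hr@example.test 203.0.113.50 US success
"""


def parse_signins(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, account, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "ip": ip, "country": country,
                       "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])


def multi_country_signins(events: list[dict], window=timedelta(days=7)) -> dict[str, list[str]]:
    """Accounts with successful sign-ins from more than one country inside `window`."""
    by_acct = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_acct[e["account"]].append(e)
    flagged = {}
    for acct, evs in by_acct.items():
        for i, first in enumerate(evs):
            countries = {e["country"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(countries) > 1:
                flagged[acct] = sorted(countries)
                break
    return flagged


def failure_streaks(events: list[dict], threshold: int = 5) -> dict[str, int]:
    """Accounts that reached `threshold` consecutive failures and then succeeded.
    A lockout set at or below `threshold` would have interrupted these."""
    streak: dict[str, int] = defaultdict(int)
    flagged = {}
    for e in events:
        if e["ok"]:
            if streak[e["account"]] >= threshold:
                flagged[e["account"]] = streak[e["account"]]
            streak[e["account"]] = 0
        else:
            streak[e["account"]] += 1
    return flagged


def constructed_mail_log() -> list[tuple[datetime, str]]:
    """Constructed: 300 messages from one mailbox in 30 minutes, five from another."""
    base = datetime(2020, 7, 1, 9, 0, 0)
    log = [(base + timedelta(seconds=6 * i), "enrollment@example.test") for i in range(300)]
    log += [(base + timedelta(minutes=10 * i), "hr@example.test") for i in range(5)]
    return log


def outbound_bursts(mail_log, limit: int = 100, window=timedelta(hours=1)) -> dict[str, int]:
    """Mailboxes that send more than `limit` messages inside any rolling `window`;
    returns the count at the moment the limit was first exceeded."""
    by_acct = defaultdict(list)
    for ts, acct in mail_log:
        by_acct[acct].append(ts)
    flagged = {}
    for acct, times in by_acct.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged[acct] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    ev = parse_signins(SIGNIN_LOG)
    print("multi-country:", multi_country_signins(ev))
    print("failure streaks:", failure_streaks(ev))
    print("outbound bursts:", outbound_bursts(constructed_mail_log()))
```

Each check is cheap and needs only the logs the settlement says were missing; the phishing burst in particular is the kind of event that should page someone within minutes rather than being noticed after clients start calling.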

The security of your personal information is important to us. We follow generally accepted industry standards to protect the personal information submitted to us, and to guard that information against loss, misuse or alteration. When you enter personal information on our Site, we encrypt transmissions involving such information using secure protocols.

There is zero mention of encryption of the email account. It matters not at all if there was encryption in place. NONE. ZIP. NADA. It would not have changed a single thing for anyone involved in this case.

It is important for every business to understand what their encryption plan is, how it is configured and how it is protecting you. Keep in mind that you need to understand how data is secured when being transmitted and when it is at rest.

It is important to note that none of the legal references in this settlement involved HIPAA. Only state laws were involved. All you folks who don’t take HIPAA seriously or relax because HIPAA doesn’t apply to you, now would be the time to rethink that strategy for your organization.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A Collaborative Project

Created & Sponsored By: