Reports that BlueCross BlueShield of Tennessee has completed a project to encrypt all of its at-rest data have been applauded. BlueCross BlueShield of Tennessee is an Independent Licensee of the BlueCross BlueShield Association and provides health plan coverage and insurance products and services to nearly three million people in Tennessee, USA.
BlueCross BlueShield of Tennessee moved to encrypt all of its on-server and archival data following the theft of 57 hard drives in 2009 and now the year-long project has been completed. However, the organisation will have to go much further to ensure that all of its key data is protected, and that half-way measures are like a net with giant holes in it.
Health records represent some of our most personal details, so it’s good to hear that this health insurer has invested more than 5,000 man hours on the project, which has reportedly involved around 885 terabytes of data being encrypted.
Unfortunately if they don’t use Privileged Identity Management software they do not have the controls necessary to safeguard their data. Management may feel good about what they have done but there remain large holes in their safety net.
Healthcare and insurance companies are notoriously lax when it comes to the management of passwords. Some of the Blue Cross companies are good at privileged identity management, but not all of them.
Health records are rarely out of the security headlines, and usually for all the wrong reasons, as witnessed by comments made by David Smith, the UK’s deputy information commissioner at the InfoSecurity Europe show in the spring of last year.
In his keynote speech, Smith revealed that his regulatory office receives around 30 data breaches every month and that the NHS had been responsible for a third of Information Commissioners Office (ICO) reported data breaches in the preceding two and a half years.
The sad fact is that judging from the latest IT news headlines, that situation has not changed, meaning that it is important that organisations which handle health records take the highest levels of care, and consider following BlueCross BlueShield of Tennessee down the data-at-rest encryption path.
The 57 hard drives, which were stolen from a leased facility did not contain medical records, but recordings of phone conversations made by around a million of the healthcare firm’s insured patients were on the drives.
Data encryption of an entire IT system’s database – right down to the digital recordings of customer phone calls – may seem like overkill, but where health information is involved, it’s a logical method of defending against any of the data falling into the wrong hands, for whatever reason.
However, even with the data encryption, having no privileged identity management automation means that all of the encryption is practically useless. By exploiting weak or non-existent privileged identity access controls and technology, an insider, former employee or criminal can easily access the encrypted data by gaining access to program encryption keys.
Encryption is a good first step, but failing to actively control privileged identities completely degrades its value to almost zero.