TN BlueCross Encrypts All Data After 57 Disks Stolen

timothy posted more than 2 years ago | from the best-practices-are-best-practice dept.

Businesses 140

Lucas123 writes "After dozens of hard disk drives were stolen from a leased facility in Chattanooga, potentially exposing the personal data of more than 1 million customers, BlueCross decided to go the safe route: they spent $6 million to encrypt all stored data across their enterprise. The health insurer spent the past year encrypting nearly a petabyte of data on 1,000 Windows, AIX, SQL, VMware and Xen server hard drives; 6,000 workstations and removable media drives; as well as 136,000 tape backup volumes."

140 comments

I am impressed (2)

WindBourne (631190) | more than 2 years ago | (#36919824)

Most insurance companies these days, are far more concerned with getting bonuses to the executives.

Re:I am impressed (0)

Anonymous Coward | more than 2 years ago | (#36919870)

Too bad it's all protected with the same password. :P

Re:I am impressed (2)

pla (258480) | more than 2 years ago | (#36919996)

Too bad it's all protected with the same password.

But no one would ever guess "damnyouratbastardstohellihopearabidbadgerchewsyourballsoff" as the password for such a well loved and respected institution as a medical insurance company... So no worries!

/ that, or "bluecrossispants".

Re:I am impressed (0)

Anonymous Coward | more than 2 years ago | (#36920282)

well at least not until you gave that superduper password away. I'll have to add that to my dictionary thank you very much...

Re:I am impressed (1)

compro01 (777531) | more than 2 years ago | (#36920916)

what exactly is a "bid badger"?

Re:I am impressed (1)

mallyn (136041) | more than 2 years ago | (#36921444)

A bid badger is the person who does the shill bids at an auction; the buddy of the seller for the purpose of driving up the price of that vintage oscilloscope that I want so badly

what? (1)

damn_registrars (1103043) | more than 2 years ago | (#36920234)

Most insurance companies these days, are far more concerned with getting bonuses to the executives.

You don't honestly think that the executives will end up with smaller bonuses as a result, do you? We all know that isn't how this game works.

The company will cover these costs by raising premiums and/or reducing payments. It is very likely that the executives will see larger bonuses after this, as a self-congratulatory measure for "proactively correcting the situation".

Re:what? (1)

RenHoek (101570) | more than 2 years ago | (#36920648)

That's part of the fun right?

I mean, as a customer, first you get screwed over by having your medical records out in public. Then the company gets fined and leverages that fine on its customers, thusly getting screwed a second time. Finally, costs are incurred for getting up to standards, and guess who is paying for those costs?

Medical data can't be encrypted (-1, Troll)

For a Free Internet (1594621) | more than 2 years ago | (#36919828)

It can't because it's mostly numbers, and encryption only works on complex characters like letters. Numbers don't contain enough information for the crypto algorithms to work on.

Re:Medical data can't be encrypted (0)

Anonymous Coward | more than 2 years ago | (#36919846)

You never heard of ASCII, did you?

Re:Medical data can't be encrypted (0)

Anonymous Coward | more than 2 years ago | (#36919878)

You've never worked on a large database, have you?

Re:Medical data can't be encrypted (0)

Chrisq (894406) | more than 2 years ago | (#36919908)

This is complete bullshit. Even if for some reason the company held each number in an individual file rather than documents, spreadsheets, databases, etc. you could encrypt the drive. You could also encrypt the individual files if you wanted to.

Re:Medical data can't be encrypted (0)

Anonymous Coward | more than 2 years ago | (#36919970)

Parent is a troll. You haven't seen him around yet?

The resurgence of themed trolls lately has been kind of hard to miss. First Dr.Bob, then this guy and the AC who's been posting about fungal infections causing cancer... used to be just goatse and GNAA postings about Obama. JockTroll's been making more appearances lately, too. And of course APK and MichaelKristopeit still haven't gotten a life.

I do wish BadAnalogyGuy would post more often...

Re:Medical data can't be encrypted (1)

elsurexiste (1758620) | more than 2 years ago | (#36920724)

+1. The only problem is that I usually recognize people because of their sigs, not their user names...

Re:Medical data can't be encrypted (0)

Anonymous Coward | more than 2 years ago | (#36920030)

That's bullhonkey. Numbers can be encrypted. Don't use the same IV params all over the place.

One way people encrypt small chunks of data in a complex way is to use methods like CMS or ECIES. That can be a lot slower though.

Re:Medical data can't be encrypted (1)

TheRaven64 (641858) | more than 2 years ago | (#36920564)

My mind is boggling at the level of ignorance and stupidity in that post. Even a moment of thinking would let you realise that this can't possibly be correct.

Encrypting data alone might be useless (1)

Zakabog (603757) | more than 2 years ago | (#36919860)

This entire effort might be useless if they're not using good encryption. Is there one master passphrase to bypass all of the encryption? Also, they make no mention of how they plan to prevent physical theft of data again just that 'Well this time I put a password on my data, take that thieves!'

Re:Encrypting data alone might be useless (1)

ccguy (1116865) | more than 2 years ago | (#36919914)

It's ROT13. Good luck with those 136,000 tapes we've got.

TNBC chief of security.

Re:Encrypting data alone might be useless (1)

qxcv (2422318) | more than 2 years ago | (#36919998)

"Good luck, I'm behind SEVEN ROT13s!"

Re:Encrypting data alone might be useless (4, Funny)

Samantha Wright (1324923) | more than 2 years ago | (#36920126)

"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."

Re:Encrypting data alone might be useless (0)

Anonymous Coward | more than 2 years ago | (#36920620)

Thank you thank you thank you. At least, there is one creative person commenting rather than all the "executives will get bigger bonuses!" comments.

Re:Encrypting data alone might be useless (0)

Anonymous Coward | more than 2 years ago | (#36921262)

debug.exe
a
db 8C,C8,8E,D8,8E,C0,B4,08,CD,21,3C,1B,74,34,3C,41
db 72,20,3C,7A,77,1C,3C,5A,76,04,3C,61,72,14,88,C2
db 24,1F,80,E2,E0,04,0D,00,C2,3C,1A,76,07,80,EA,1A
db EB,02,88,C2,B4,02,CD,21,3C,0D,75,CA,B2,0A,CD,21
db EB,C4,B8,00,4C,CD,21

r cx
47
w
q
rot13.com

Re:Encrypting data alone might be useless (0)

Anonymous Coward | more than 2 years ago | (#36920012)

The question is, where is the key stored and how secure is it against theft? I have wondered this with things like seamless software level HDD encryption that uses no passphrase: where is the key stored (it must itself be unencrypted) and what's to stop a determined attacker from just reading out the contents of the disk, finding the key, and then using that to decrypt the rest without the assistance of the software layer that is supposed to protect it?

Re:Encrypting data alone might be useless (1)

Anonymous Coward | more than 2 years ago | (#36920670)

You're missing the point... the reporting requirements are different if the data is encrypted and at the end of the day that is all that really matters.

very lame (1)

Anonymous Coward | more than 2 years ago | (#36919866)

"We searched the country and were unable to find another company that has achieved this level of data encryption," Michael Lawley, vice president of technology shared services for BCBS, said in a statement.

He certainly did not search very hard. Less than 1PB encrypted, we do more than that every single day. And I doubt we are unique.

Re:very lame (0)

Chrisq (894406) | more than 2 years ago | (#36919916)

"We searched the country and were unable to find another company that has achieved this level of data encryption,"

Could be because they also invested in steganography.

Correct Response (2)

inglorion_on_the_net (1965514) | more than 2 years ago | (#36919882)

It is a pity that the data was stolen before adequate protection was put into place, but it seems to me TN BCBS took the right steps afterwards:

1. They sent out alerts to those affected, both current and former members

2. They now encrypt all their stored data

Of course, this will not prevent all possible leaks, but at least it shows they are taking protection of their customers' data seriously, and have put in serious work to protect that data. I wish more organizations did that. Way to go, BCBS of Tennessee!

Re:Correct Response (0)

Anonymous Coward | more than 2 years ago | (#36920502)

The whole premise is wrong. It's like saying:
Damn, that child fell into the well and drowned!
Let's put a lid on top!
(Because that will save the child!)

Why didn't they think about that before the child fell in??

This has probably been knowledge since the beginning of humanity: If you know a threat, do something to prevent it!
Because afterwards, it's a biiit too late.

PS: Yes, lack of knowledge is an excuse. No, ignorance is not an excuse.

Re:Correct Response (0)

Anonymous Coward | more than 2 years ago | (#36920582)

Because it takes the negative press and the cost of the disclosure to convince the execs holding the purse strings that that $6 million dollars is necessary spend.

You should be impressed (1)

somersault (912633) | more than 2 years ago | (#36919884)

"I know I already shit on the floor, but I'm wearing a diaper now so it's all good!"

Re:You should be impressed (2)

rbrausse (1319883) | more than 2 years ago | (#36919980)

"I know I already shit on the floor, but I'm wearing a diaper now so it's all good!"

where is badanalogyguy?

so you're saying that one mistake (data loss; floor shitting) will render every countermeasure (encryption; diapering) invalid? nah, I don't think so. The insurance company handled the data loss quite competently - they disclosed it early (afaik) and implemented a regime that will make future data losses much harder.

Re:You should be impressed (1)

somersault (912633) | more than 2 years ago | (#36920230)

It wasn't a perfect analogy, but I don't think they should be congratulated for closing the gate after the horse already bolted. They're just doing what they should have been doing all along. Really, they shouldn't let anything even get stolen.

Re:You should be impressed (1)

datapharmer (1099455) | more than 2 years ago | (#36920310)

no, it makes data losses just as easy as they were before. It prevents data theft as the records are now (theoretically) protected. Without proper off-site backups they are still screwed if someone steals their drives again.

Re:You should be impressed (1)

Sulphur (1548251) | more than 2 years ago | (#36920988)

"I know I already shit on the floor, but I'm wearing a diaper now so it's all good!"

where is badanalogyguy?

so you're saying that one mistake (data loss; floor shitting) will render every countermeasure (encryption; diapering) invalid? nah, I don't think so. The insurance company handled the data loss quite competently - they disclosed it early (afaik) and implemented a regime that will make future data losses much harder.

Does the insurance company have insurance for their data?

If the jelly does not cover the peanut butter on the PB&J pizza, then the PB gets hard and difficult to eat.

Re:You should be impressed (1)

CraftyJack (1031736) | more than 2 years ago | (#36920538)

The counterpoint would be Sony:

"Oh, there I go again! And again! Well, I didn't see that comi-And again! Wow, this is quite a string of bad luck!"

It was time (0)

Anonymous Coward | more than 2 years ago | (#36919894)

Better if they had done that earlier.

The Point is... (0)

Anonymous Coward | more than 2 years ago | (#36919896)

No one can remember the password. ;P
HA!

Re:The Point is... (0)

Anonymous Coward | more than 2 years ago | (#36919962)

the password is "password1".

Also, everything's ROT-13'd twice, for improved security.

$6 Million to check a checkbox? (-1)

Anonymous Coward | more than 2 years ago | (#36919900)

Srsly? $6 Million to enable BitLocker?

Re:$6 Million to check a checkbox? (1)

MikeB0Lton (962403) | more than 2 years ago | (#36919926)

Trolls... Good luck implementing BitLocker on entire VMFS datastores. Not everything is based on Windows Vista/7.

Re:$6 Million to check a checkbox? (1)

GameboyRMH (1153867) | more than 2 years ago | (#36919932)

Damn I would have personally gone around and done it on all their computers for $50k. I'd even pay my own airfare.

And then they can pay me again to switch to TrueCrypt when BitLocker falls off the Microsoft upgrade treadmill :-P

Re:$6 Million to check a checkbox? (1)

jimicus (737525) | more than 2 years ago | (#36921212)

And then they can pay me again to switch to TrueCrypt when BitLocker falls off the Microsoft upgrade treadmill :-P

Firstly, as someone else has already said, not everything is based on Windows.

Secondly, I cannot think of a product I should be less inclined to use than TrueCrypt to deal with such a problem. Reason I say this is simple - in every large business you always have the occasional helpdesk call to reset a forgotten password - usually when someone's just come back off holiday. How exactly are you going to deal with the problem when the answer to a helpdesk call for a lost TrueCrypt password is "please send the laptop in for reimaging"?

Re:$6 Million to check a checkbox? (0)

Anonymous Coward | more than 2 years ago | (#36919978)

They are probably using hardware tokens as part of user login, and hardware security modules to protect the keys that protect the data. It's not cheap. BitLocker will provide some protection for Windows desktops. But not databases, and non-Windows systems.

$6 million? (1)

daktari (1983452) | more than 2 years ago | (#36919906)

I'm by no means a security expert but isn't $6 million a bit excessive for the effort?

TFA says "The company said it spent more than 5,000 man-hours on the encryption effort, which encompassed about 885TB of at-rest data." That equates to around $1200/hr. Perhaps I should become a security expert.

Re:$6 million? (0)

Anonymous Coward | more than 2 years ago | (#36919956)

They probably paid for commercial solutions. You need to factor in licenses and even hardware.

Re:$6 million? (3, Interesting)

belthize (990217) | more than 2 years ago | (#36920046)

I wouldn't take the $6M and 5000 man hours as directly coupled. The actual press release says:

BlueCross invested more than $6 million and 5,000 man-hours in the data encryption effort, which included:

- 885 Terabytes of mass data storage
- 1,000 Windows, AIX, SQL, VMWare and Xen server hard drives
- 6,000 workstation hard drives and removable media drives
- 25,000 voice call recordings per day
- 136,000 volumes of backup tape

The 5000 man hours may only reflect actual labor and not reflect all the hours of planning/scheduling etc. Whatever hourly rate for labor, double it for overhead; the cost of a person is about twice their salary, at $100/hour that's $1M in labor. Another 500K in planning. I have no clue what software they used but I'm pretty certain it wasn't a single package. Each system may well have required a different package + licenses + contractor time from the vendor. For example they may have had to outsource the voice call recordings to whoever provides their phone system. I kind of doubt they slap all the recordings onto a single box and mass encrypt.

They're a very distributed organization so there's going to be a *lot* of duplication of effort, they may have had to do the phone bit at hundreds of sites.

I don't know if it could have been done for $3M or if $6M actually represents a relatively reasonable price compared to a lot of the $XXX Million dollar utter failure projects. It strikes me as fairly reasonable considering the scope of the problem and usefulness of the result (assuming it's not a $6M whitewash).

Re:$6 million? (0)

Anonymous Coward | more than 2 years ago | (#36921162)

Hehe, all this can be defeated by getting a night-shift floor cleaning job and a $10 keylogger. Also, all blue crosses use outside (as in India and other Asian countries) vendors to process claims. This means their highly-underpaid employees get to see all your private information, like SSN (even though it's not on your benefits card any more), where you live, who your children are and what procedures you had in the last 10 or so years. They have more than enough info to apply for a credit card or sell this info to someone who can make use of it.
With all that said, I think your state and federal systems are even less secure and they def don't give a shit - some clerk will stare at the screen and say "but it says so right here"

Re:$6 million? (1)

tecker (793737) | more than 2 years ago | (#36920072)

Assuming 100% markup profit margin over baseline (common practice really) we're looking at a baseline cost of $3 mil.

Now we need to factor in an encryption scheme that works across Windows, AIX, etc with enterprise support backing it up, say $1.2 million to license for all servers and locations (seems low but hey) and we have $1.8 million to spend.
Now we gotta pay people some prices to do that work so let's say $.5 million (500,000) so about $100 per man hour (bout right) and we have $1.3 to spend.
Now pay the electrical company for all that processing time (depending if they had THEM process it or they did it on their servers) at about $.5 million and we have $.8 million (800k) to explain.
Throw in some training for a few Ks to ensure the techs know how to handle the system, let's say 100,000k for that (ouch! hey that is specializations ya know) 700K to go.
Maybe a little software rework (even if it wasn't really necessary) for another 100k and we have 600K to explain.
Oops, forgot the "maintenance contract" which is often 10% of the sale price so 600k and lookie there, 6 million blown pretty quick.

Thanks for shopping.

Re:$6 million? (0)

Anonymous Coward | more than 2 years ago | (#36920380)

I see you've done contracting before...

Re:$6 million? (0)

Anonymous Coward | more than 2 years ago | (#36920298)

Don't forget the software and training of all the people on how to use it.

Re:$6 million? (1)

elsurexiste (1758620) | more than 2 years ago | (#36920846)

Other people did a breakdown before me of the costs. Lucky thing: it's expensive to start but cheap to keep it, just remind people every 6 months that they should use the software. Oh, and check very often that you can restore your backups: there's nothing funny in working your whole weekend because an encrypted backup has locked itself in.

This is for the threat.. (-1, Flamebait)

Chrisq (894406) | more than 2 years ago | (#36919918)

This is for the threat.. if the healthcare bill passes we'll destroy the keys

"Safe route" (1)

_0xd0ad (1974778) | more than 2 years ago | (#36919942)

So, they're locking the barn door after the horse has bolted...

dozens of hard disk drives were stolen from a leased facility in Chattanooga, potentially exposing the personal data of more than 1 million customers

The data is gone... and now they're encrypting.

Re:"Safe route" (3, Informative)

MysteriousPreacher (702266) | more than 2 years ago | (#36920032)

I don't think the barn door saying means what you think it does. It suggests pointless action taken after the event. The original data was stolen but encryption to hinder future theft of data seems sensible.

Re:"Safe route" (0)

Anonymous Coward | more than 2 years ago | (#36920878)

He has a point though. This kind of encryption and effort should be used BEFORE catastrophic data loss to prevent it not AFTER to show that they are doing something about it. Their effort has meaning but it would be 100 times better if they did it from the start.

Re:"Safe route" (0)

Anonymous Coward | more than 2 years ago | (#36920904)

It works if you assume the barn contains more than one horse (as barns with a horse generally do).

Re:"Safe route" (1)

cavreader (1903280) | more than 2 years ago | (#36920240)

Even with the best commercially available encryption if someone steals the hardware storing the encrypted data they have all the time in the world to try and access it. The disks were in the possession of a 3rd party at the time of the theft so a security audit of their premises and security procedures might be in order to help raise awareness and prevent future incidents.

Re:"Safe route" (1)

isorox (205688) | more than 2 years ago | (#36920286)

So, they're locking the barn door after the horse has bolted...

dozens of hard disk drives were stolen from a leased facility in Chattanooga, potentially exposing the personal data of more than 1 million customers

The data is gone... and now they're encrypting.

They've locked the barn door after 1 horse bolted. There's hundreds more left in the barn.

Re:"Safe route" (0)

Anonymous Coward | more than 2 years ago | (#36920348)

as above comment - 1 horse may have bolted but they are trying to keep the rest of them in the barn

Re:"Safe route" (1)

sys_mast (452486) | more than 2 years ago | (#36920746)

Your analogy, while not perfect has a valid point. However, remember that they now have a new horse in that barn. (all the customers that have since the data loss) What would you say about the farmer that lost his horse, got a new one, and still leaves the door open?

Perhaps the lesson here should be to all the IT people (does anyone in IT still read slashdot?) take this type of preventive action BEFORE you have data stolen. (yes, i know it's really up to the C-something-O to fund and order such an operation)

Password? Survey says!.. (0)

Anonymous Coward | more than 2 years ago | (#36919964)

bl00x

Cheap, but what about ongoing costs? (1, Interesting)

plsuh (129598) | more than 2 years ago | (#36920002)

$6 million is pocket change to a company that has $5.2 billion in annual revenue. However, the true cost is really higher, as encrypting everything means that things like disk corruption are no longer repairable, lost passwords can't be reset without losing data, and the like. It'd be interesting to see just what the ongoing costs are.

That said, I would like to compliment Tennessee BC/BS for doing the right thing, in spite of it costing money.

--Paul

Re:Cheap, but what about ongoing costs? (2)

blueg3 (192743) | more than 2 years ago | (#36920104)

How is disk corruption less repairable when you encrypt?

The lost-passwords problem is already well-solved for decent systems.

Re:Cheap, but what about ongoing costs? (1)

horza (87255) | more than 2 years ago | (#36921286)

I think he meant less recoverable rather than repairable. Which is true, you can't simply dump the disc and extract the fragments by hand if necessary if encrypted.

Phillip.

Re:Cheap, but what about ongoing costs? (1)

Lieutenant_Dan (583843) | more than 2 years ago | (#36921426)

My personal experience with a couple of mainstream commercial enterprise solutions is that their data recovery tools leave a LOT to be desired and seem to only work for us about a third of the time. Features and management tools get the attention; auditing and recovery are after-thoughts in most products.
In a few instances where we had to engage a data recovery service, they charge quite a bit more when they find out that they're dealing with an encrypted disk (i.e. when we're going after a specific folder or a bunch of files)

Anyways, it got to the point where one of my clients is now looking at expanding their archiving solution rather than spending the cash (and time!) to attempt to recover data on encrypted media.

Re:Cheap, but what about ongoing costs? (1)

maxume (22995) | more than 2 years ago | (#36920144)

If you use the password to encrypt the key, you can store a copy of the key somewhere else.

So if the password is lost, to reset, you grab the key from the escrow and encrypt it with the new password.
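The key hierarchy described in the two comments above (a random data key that is never stored in the clear, wrapped under a password-derived key with an escrowed copy for help-desk resets) and the "don't reuse the same IV" warning from earlier in the thread, as one added example that is not from the Slashdot thread, BlueCross, BitLocker or any other product. The wrapping primitive is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only so the script runs on the Python standard library; a real deployment would use AES-GCM or AES key wrap. All function names, the recovery key and the sample records are constructed for this illustration.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode: a stdlib stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one wrapping key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32).
    A fresh random nonce is drawn unless the caller forces one (see the leak demo)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def derive_kek(password: str, salt: bytes) -> bytes:
    # The password never touches the data; it only derives the key that unwraps the DEK.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_volume(password: str, recovery_key: bytes):
    """Random 256-bit data-encryption key (DEK), stored only in wrapped form:
    once under the user's password, once under the escrowed recovery key."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    header = {
        "salt": salt,
        "wrapped_dek": seal(derive_kek(password, salt), dek),
        "escrow_dek": seal(recovery_key, dek),   # copy the help desk / HSM can open
    }
    return header, dek


def unlock(header: dict, password: str) -> bytes:
    return unseal(derive_kek(password, header["salt"]), header["wrapped_dek"])


def reset_password(header: dict, recovery_key: bytes, new_password: str) -> dict:
    """Forgotten password: recover the DEK from escrow and re-wrap it under the new
    password. The bulk data is untouched because the DEK itself never changes."""
    dek = unseal(recovery_key, header["escrow_dek"])
    salt = secrets.token_bytes(16)
    return {**header, "salt": salt,
            "wrapped_dek": seal(derive_kek(new_password, salt), dek)}


def nonce_reuse_leaks(key: bytes, record1: bytes, record2: bytes) -> bool:
    """Two records sealed under the same key AND the same nonce: XOR of the ciphertexts
    equals XOR of the plaintexts, so one known record reveals the other."""
    fixed_nonce = b"\x00" * 16
    c1 = seal(key, record1, fixed_nonce)[16:16 + len(record1)]
    c2 = seal(key, record2, fixed_nonce)[16:16 + len(record2)]
    return _xor(c1, c2) == _xor(record1, record2)


def demo() -> dict:
    recovery_key = secrets.token_bytes(32)            # constructed; would live in an HSM
    header, dek = create_volume("correct horse battery", recovery_key)
    try:
        unlock(header, "password1")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    new_header = reset_password(header, recovery_key, "new passphrase")
    return {
        "unlock_ok": unlock(header, "correct horse battery") == dek,
        "wrong_rejected": wrong_rejected,
        "reset_ok": unlock(new_header, "new passphrase") == dek,
        "old_password_dead": header["wrapped_dek"] != new_header["wrapped_dek"],
        # constructed numeric records: equal length, one digit apart
        "nonce_reuse_leaks": nonce_reuse_leaks(dek, b"123-45-6789", b"123-45-6790"),
    }


if __name__ == "__main__":
    print(demo())
```

The header holds only wrapped keys and a salt, so an attacker who images the disk gets nothing usable without the password or the escrowed recovery key; that is the answer to "where is the key stored" for a passphrase-based design, and it is why the escrow key must be kept off the same disk. The last line of the demo is the IV point from the thread: the nonce must be fresh per record regardless of whether the plaintext is "just numbers".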

Re:Cheap, but what about ongoing costs? (1)

Himring (646324) | more than 2 years ago | (#36921190)

$6 million is pocket change to a company that has $5.2 billion in annual revenue.

Right, but any money spent on IT is a waste to the stuffed shirts, until something blows up, which, inevitably, gets them off the fence. Telling the COs in a meeting, "our worst possible downtime with the current allotted budget might be as bad as 3 days," makes them all look at each other with satisfaction and approval, seemingly, ok with being down 3 days in theory. Then, after 3 hours of downtime, they are talking about outsourcing all of IT for 10 times the amount of budget they barely allowed that caused the downtime....

Short of it:
Pre-disaster: IT should be cheap if not free.
Post-disaster: IT will get all the money it needs, but a new crew.

Adage (1)

SirDice (1548907) | more than 2 years ago | (#36920010)

In the Netherlands we have an adage that seems fitting, "De put pas dempen als het kalf al verdronken is.". Which roughly translates to "Closing the well after the calf already drowned.".

Re:Adage (-1)

Anonymous Coward | more than 2 years ago | (#36920038)

In Norway we say "Arresting the lunatic after the kids were already shot:"

Re:Adage (0)

Anonymous Coward | more than 2 years ago | (#36920658)

Wow, you guys really are stoned 24/7.

Re:Adage (0)

Anonymous Coward | more than 2 years ago | (#36921176)

Yeah man, screw those other cows, just let them fall into the well too.

Hold on... (1)

Syberz (1170343) | more than 2 years ago | (#36920024)

They have the personal details (health records, bank info, addresses, etc.) of millions of people and they just now decided to encrypt the data? WTF?

leased facility = cloud so this is what you get fr (1)

Joe_Dragon (2206452) | more than 2 years ago | (#36920090)

leased facility = cloud so this is what you get from going to the cloud: the data can be in a place that can range from a nice data center to a small room in an office building. Also the people running the cloud can just have real low prices and then sell data to the highest bidder.

Re:leased facility = cloud so this is what you get (1)

Anonymous Coward | more than 2 years ago | (#36920180)

Leased facility != cloud. In a leased facility, you can find out the operational conditions and the level of physical security. You can make them part of the lease contract if you care enough. You can't do that in a cloud.

lol (0)

Anonymous Coward | more than 2 years ago | (#36920140)

and i know backdoors into every windows and AIX which i did my first hack in 97 and held a hole for 7 years....haha...thanks for telling ...just me ....

Lets congratulate them for doing the right thing (1)

damn_registrars (1103043) | more than 2 years ago | (#36920204)

... even if it is far too late. And of course, the customers will pay for the cost of the failure, plus the cost of the fix. The company made a bad choice, and the consequences of that bad choice will be borne by .. the customers. The executives will still get their usual multimillion dollar "performance" bonuses as if nothing was ever wrong.

useless (1)

Charliemopps (1157495) | more than 2 years ago | (#36920280)

If you've got the drive... you have unlimited attempts to crack it. Someone with a couple of video cards and a few days on their hands and their encryption is pointless.

Re:useless (0)

Anonymous Coward | more than 2 years ago | (#36920862)

let's assume that they are using something reasonably close to BP. Meaning AES256 not in ECB and a randomly generated key, how would you go about breaking this with "a couple of video cards and a few days"?

HIPAA (0)

Anonymous Coward | more than 2 years ago | (#36920368)

The HITECH amendment to HIPAA provides safe harbor from breach notification rules for organizations that encrypt their data. Now, if someone steals all of Blue Cross's hard drives, they don't have to notify the media, the people whose data was stolen, or the state attorney general's office.

57 disks! (0)

Anonymous Coward | more than 2 years ago | (#36920370)

That's almost as many States in this country that Obama visited on the campaign trail!

encryption (0)

Anonymous Coward | more than 2 years ago | (#36920414)

unfortunately, they encrypted all the data with the same password as the BlueCross domain administrative password..... password123

Irrelevant in the long-run, but... (1)

John Napkintosh (140126) | more than 2 years ago | (#36920506)

These drives were likely part of various RAID volumes. Doesn't that mean they're pretty well useless outside their hosts? Is someone really going to go to the level of forensic data recovery to elevate from property theft to identity theft? That stuff isn't cheap, so the ROI is probably going to be really low.

doesn't matter (0)

Anonymous Coward | more than 2 years ago | (#36920732)

we all know the password is "42".

Standard Procedure? (1)

DarthVain (724186) | more than 2 years ago | (#36920738)

Is it just me, or shouldn't this be standard fscking procedure for companies dealing with sensitive information such as medical and financial records?

Re:Standard Procedure? (1)

qwijibo (101731) | more than 2 years ago | (#36921022)

Should be, but generally isn't. Security costs money, and most companies have been in a cost cutting mode for years. Security is one of the first things to go since it's invisible until you're compromised.

Re:Standard Procedure? (1)

DarthVain (724186) | more than 2 years ago | (#36921308)

Generally I think most companies don't need it. Some only need the basics. You got my personal information, or credit cards? Just securely encrypt those sources. Sure some might slip out here and there, but you won't lose your whole database of 300,000 customers or whatever.

I just mean if you're a bank, financial institution of some description, or someone that handles my medical information, get on the encryption boat and set sail. Seriously. I mean it is one thing if someone gets my VISA number... it's usually protected anyway.

However, you're right, it is a cost thing. And until companies are held responsible in court financially they will not take it seriously. Once some CEOs start getting the boot for allowing a catastrophic lawsuit to take place, change will happen.

Knee Jerk Reaction? (0)

Anonymous Coward | more than 2 years ago | (#36920874)

I first thought this was just a knee jerk reaction, but I guess they're doing the right thing. I can only imagine how the board meeting went....

CEO: What do we do? We've been had!!
IT Guy: There's a solution to all your problems, you must encrypt the disks.
CEO: But my bonus checks! It'll cost millions to do that!
IT Guy: No. You must ENCRYPT EVERYTHING.
CEO: But....
IT Guy: EVERYTHING.
Board of Directors: Fund it. We can't afford anymore lawsuits.

What solution? (1)

Lieutenant_Dan (583843) | more than 2 years ago | (#36921292)

Looked around the stories including their "infographic", not clear what they are using and how they've implemented it.

Do servers have pre-boot enabled? How did they change their operational processes? Are these HW-encrypted drives? What is the failure rate on the process?

Details like this are important. As it stands, they spent the cash and a lot of time, but no indication that they've implemented it properly. I wouldn't feel much safer.
5,000 hours is nothing to be honest for even a mid-size company. That's 2-3 techs working a whole year on it. Big deal. They could be just sitting in front of the monitor watching the progress bar.
