Encryption as a Preventive Countermeasure
Sean Maher, Information Security Coordinator

Posted on 08-Jan-2018

TRANSCRIPT

Page 1: Encryption as a Preventive Countermeasure (title slide)

Page 2: The Cost of a Data Breach

Average total cost of a data breach, per record:
2008: $202
2007: $197
2006: $182

Breaches occurring in the healthcare industry cost $282 per record on average.

Breaches involving a third party cost $52 more per record than internal breaches.

Page 3: The Causes of a Data Breach

(Only the slide title was captured in the transcript.)

Page 4: Phase 1: Laptops

Laptops are the leading cause of data breaches, accounting for 35% of incidents.

In 2008, UAB had 18,650 employees and 16,149 students.

An estimated 20% of employees have a laptop available to them.

Page 5: Phase 1: Timeline

September 2007 – The campus PGP server was built. Only one installer was available (32-bit Windows XP and Vista).

October 2008 – The Mac PGP client was released.

March 2009 – A presidential letter was released mandating the encryption of portable devices.

Winter 2009 – Boot Camp-compatible Mac, Ubuntu and Red Hat versions are scheduled for release.

Page 6: Phase 1 Status

Campus PGP: 2,711 systems (2,482 Windows PCs and 229 Macs)
HSIS PGP: 600
SOPH PGP: 350

Page 7: What’s Next?

Page 8: Data Bearing Devices

Smart phones: BlackBerry, Palm, Windows Mobile
PDAs
Portable storage devices: external hard drives, USB thumb drives, portable media players

Page 9: The Risk of Data Bearing Devices: Smart Phones and PDAs

Nearly half of all discarded cell phones contained personal information, and 20% contained identifiable information.

Few users enable security features such as passwords and device locks.

When a device is lost or stolen, many users have no way to remotely disable or wipe it.

Page 10: The Risk of Data Bearing Devices: Portable Storage Devices

Portable storage has become so common that many people own multiple devices.

The storage capacity of many portable devices now matches that of internal hard drives.

Using a portable device to illicitly copy confidential data has been termed “pod slurping”.

Page 11: Phase 2: Data Bearing Devices

From the UAB HIPAA standards (http://www.hipaa.uab.edu/standards.htm), section “Use of portable devices”:

Workforce members shall not use personally owned portable devices for work-related purposes unless such use is specifically approved by senior management. If use of a personal portable device is approved by senior management, then the device must comply with all applicable policies and standards and must be made available to UAB/UABHS for routine or special analyses. In addition, the device must be set up in English.

Portable devices storing email locally within the device (such as PDAs) shall have mechanisms that encrypt the email stored on the device, encrypt the email during transport, and erase the device after a number of failed login attempts.

Portable devices such as PDAs, cell phones and portable storage that support the clearing of memory/storage after a number of failed login attempts shall erase their contents after a minimum of 5 failed login attempts.
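The two requirements on this slide, encrypt what is stored on the device and erase it after at most five failed logins, are usually implemented together: the stored data is encrypted under a random data encryption key (DEK), the DEK is wrapped under a key derived from the user's passcode, and "erase" means destroying the wrapped DEK, after which the ciphertext on flash is unrecoverable even by someone who later guesses the passcode. The following is an added illustration of that design, not code from the presentation or from UAB. It assumes a hypothetical `DeviceVault` class, a constructed sample email, and a stand-in cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) chosen only because it needs nothing outside the Python standard library; a real device would use AES-GCM or XTS.

```python
"""Passcode-protected vault that crypto-erases itself after 5 failed unlocks.

Added example, not from the page. Assumptions: a random DEK wrapped under a
PBKDF2-derived key, an attempt counter kept with the vault, and an illustrative
HMAC-SHA256 counter-mode cipher standing in for AES-GCM/XTS.
"""
import hashlib
import hmac
import secrets
import struct

MAX_FAILED_ATTEMPTS = 5      # the minimum the quoted UAB standard requires
PBKDF2_ITERATIONS = 100_000  # illustrative; size to the device's CPU budget

# Constructed sample record; not real mail.
SAMPLE_EMAIL = b"From: hr@example.edu\r\nSubject: payroll file attached\r\n"


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-specific key so the keystream and the MAC never share one."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, tag = HMAC(mac_key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key shows up as a mismatch, never as garbage plaintext."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class DeviceVault:
    """Hypothetical on-device store: records are encrypted under a DEK that is
    itself wrapped under a key derived from the passcode."""

    def __init__(self, passcode: str):
        self.salt = secrets.token_bytes(16)
        self.failed_attempts = 0
        self.records = []                    # ciphertexts of stored messages
        self._dek = secrets.token_bytes(32)  # plaintext DEK lives in RAM only while unlocked
        self.wrapped_dek = encrypt(self._derive_kek(passcode), self._dek)

    def _derive_kek(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, PBKDF2_ITERATIONS, 32)

    def store(self, message: bytes) -> None:
        if self._dek is None:
            raise PermissionError("vault is locked")
        self.records.append(encrypt(self._dek, message))

    def read_all(self) -> list:
        if self._dek is None:
            raise PermissionError("vault is locked")
        return [decrypt(self._dek, r) for r in self.records]

    def lock(self) -> None:
        self._dek = None

    def unlock(self, passcode: str) -> bool:
        if self.wrapped_dek is None:
            raise PermissionError("device has been wiped")
        try:
            self._dek = decrypt(self._derive_kek(passcode), self.wrapped_dek)
        except ValueError:                 # wrong passcode -> wrong KEK -> tag mismatch
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.wipe()
            return False
        self.failed_attempts = 0
        return True

    def wipe(self) -> None:
        """Crypto-erase: discard the only copies of the DEK. The record ciphertexts
        may stay on flash; without the key they are indistinguishable from random."""
        self.wrapped_dek = None
        self._dek = None


def run_scenario(passcode: str, wrong_attempts: int) -> DeviceVault:
    """Store one record, lock, then make `wrong_attempts` bad guesses; return the vault."""
    vault = DeviceVault(passcode)
    vault.store(SAMPLE_EMAIL)
    vault.lock()
    for i in range(wrong_attempts):
        vault.unlock(f"wrong-{i}")
    return vault
```

With four wrong guesses the right passcode still unlocks the vault and the counter resets; the fifth wrong guess destroys the wrapped DEK, after which even the correct passcode is refused. The weak point of this software-only version is the counter itself: an attacker who images the storage can copy the blob and run unlimited offline PBKDF2 guesses, which is why production devices tie the counter and the key wrapping to a hardware element and why passcode length still matters.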