Over the course of the last few weeks, one major issue that encryption presents to investigators and organizations has come to the forefront, not only for security-minded professionals but also for the general American public. Why? Encryption, while one of the main tenets of data security, has been the culprit behind several recent incidents…
Of the two most recent events, the most pressing concern is the cyber-attack on a California medical facility through the use of Ransomware. For those who may not be familiar with the term Ransomware, Microsoft defines this as malware that does the following:
- Prevent you from accessing Windows
- Encrypt files so you can’t use them
- Stop certain apps from running (like your web browser)
While all of these are troublesome, the use of encryption in the case of the medical facility is the most troubling. The reason is that these attackers were somehow able not only to gain access to the network systems, but also to execute software that encrypted patient files. As is the way with ransomware, Hollywood Presbyterian Medical Center had to pay $17,000 in bitcoin before access to these files was restored to the facility.
Without these files, medical professionals were forced to utilize legacy methods such as paper files and fax machines to transmit patient data. In addition, the inability to access this data necessitated that they re-conduct patient histories before performing many procedures to ensure the safety of the patients.
In addition to the hospital attack, and in a much more publicly discussed forum, Apple has recently been ordered to provide the FBI with a backdoor into the encryption used on its flagship product, the iPhone. (And the British Government over a very similar law since November 2015 as reported here by TechNewsToday.com.) This has come about because the FBI recovered the iPhone belonging to Syed Farook, the San Bernardino shooter. While the FBI received authorization to retrieve data from the phone, the device is currently protected with encryption that requires a passcode to gain access. Normally, if this code were unknown, investigators would use brute-force methods to gain access to the device. With the iPhone, however, inherent functionality means the brute-force effort could take up to five and a half years.
This timeline could be reduced by taking multiple forensic images of the device, but the OS on the iPhone includes an “auto-erase” function that, if enabled, would result in the data on the device being wiped after 10 unsuccessful login attempts. So, if the forensic images were taken, each image would be unusable after only a few tries. It is because of this feature that the FBI is seeking the backdoor, to ensure the data contained on the device is not lost.
These scenarios provide two recent examples of why a backdoor into encryption mechanisms is advocated by various Federal, state and local law enforcement organizations. With a backdoor, there would be an easy way to uncover needed data that attackers have secured from legitimate organizations, and law enforcement would have the ability to collect encrypted digital data once a court order had been issued. However, this underscores privacy concerns and the fact that, by creating this backdoor, the encryption itself would be weakened.
Without going into a detailed description of encryption or digital privacy concerns (over 200 groups and Tim Cook’s response cover the concerns), the pushback from Apple and others is based on this being a “fundamental right,” as stated by Mr. Cook. This right is that users and consumers have the expectation that the data contained on these devices is secure and unattainable if the device is lost or stolen.
“Encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age,” said David Kaye (United Nations Special Rapporteur for Freedom).
With Apple and Android being the dominant operating systems on smartphones today, this demand by the US DoJ has reverberated through most online and human rights groups in the last few days. Adding to Mr. Cook’s concern is the fact that Apple products had the most vulnerabilities identified in 2015, so the company is obviously focused on public relations issues that detract from the consumer perspective that iPhones and Macs are the most secure platforms in the industry.
But shouldn’t medical information needed to protect patients’ lives take precedence over security concerns? Few people would argue against that point. Yet this brings into question, yet again, the importance of maintaining reliable, recoverable backups of these systems in case these devices become unavailable.
Security in healthcare is also a hot-button topic, but an incident such as this should galvanize medical facilities and vendors to implement better cyber security practices. Conducting risk assessments based on NIST standards, ensuring software patches are up to date, and training users from executives to front desk personnel would help address many of the issues. However, unless there are enforcement activities to ensure these items are addressed, the issues will persist. Also, companies that have established a Chief Information Security Officer (CISO) must empower this position to adequately address the vision and needs of information security for their organization.
Unfortunately, these issues are not going to go away anytime soon and may in fact increase as we move deeper into the 21st century. To combat this, companies, organizations, and government should realize that the return on investment of security must be calculated from more than a short-term budget perspective. Within healthcare, until the paradigm changes and the realization takes hold that security equals safety for patients, there may be more facilities needing to have bitcoin accounts.