
Health Insurance Company Encryption Initiative A Step Forward For The Industry

Lieberman Software : 25 August, 2011  (Technical Article)
Lieberman Software comments on the adoption of widespread encryption technology at a US health insurance giant, believing that this is a positive step for the healthcare industry in the protection of patient data.
Reports that BlueCross BlueShield of Tennessee has completed a project to encrypt all of its at-rest data have been applauded by Lieberman Software. BlueCross BlueShield of Tennessee is an Independent Licensee of the BlueCross BlueShield Association and provides health plan coverage and insurance products and services to nearly three million people in Tennessee, USA.

According to Philip Lieberman, President and CEO of Lieberman Software, the privileged identity management and security management specialist, BlueCross BlueShield of Tennessee moved to encrypt all of its on-server and archival data following the theft of 57 hard drives in 2009, and the year-long project has now been completed. However, he says that the organisation will have to go much further to ensure that all of its key data is protected, and that half-way measures are like a net with giant holes in it.

“Health records represent some of our most personal details, so it's good to hear that this health insurer has invested more than 5,000 man hours on the project, which has reportedly involved around 885 terabytes of data being encrypted,” he said.

“Unfortunately if they don’t use Privileged Identity Management software they do not have the controls necessary to safeguard their data. Management may feel good about what they have done but there remain large holes in their safety net. Healthcare and insurance companies are notoriously lax when it comes to the management of passwords.  Some of the Blue Cross companies are good at privileged identity management, but not all of them.”

The Lieberman Software president went on to say that health records are rarely out of the security headlines, and usually for all the wrong reasons, as witnessed by comments made by David Smith, the UK's deputy information commissioner at the InfoSecurity Europe show in the spring of last year.

In his keynote speech, Smith revealed that his regulatory office receives reports of around 30 data breaches every month and that the NHS had been responsible for a third of the data breaches reported to the Information Commissioner's Office (ICO) in the preceding two and a half years.

The sad fact, says Lieberman, is that judging from the latest IT news headlines, that situation has not changed, meaning that it is important that organisations which handle health records take the highest levels of care, and consider following BlueCross BlueShield of Tennessee down the data-at-rest encryption path.

The 57 hard drives, which were stolen from a leased facility, Lieberman explained, did not contain medical records, but recordings of phone conversations made by around a million of the healthcare firm's insured patients were on the drives.

“Data encryption of an entire IT system's database – right down to the digital recordings of customer phone calls – may seem like overkill, but where health information is involved, it's a logical method of defending against any of the data falling into the wrong hands, for whatever reason,” he said. “However, even with the data encryption, having no privileged identity management automation means that all of the encryption is practically useless. By exploiting weak or non-existent privileged identity access controls and technology, an insider, former employee or criminal can easily access the encrypted data by gaining access to program encryption keys. Encryption is a good first step, but failing to actively control privileged identities completely degrades its value to almost zero.”
   © 2012 ProSecurityZone.com