Randy Maib is the senior IT consultant with INTEGRIS Health, an Oklahoma-based chain of 10 hospitals with 10,000 employees. Maib was the ringleader of the prank pulled on the doctors during their coffee break. It was an important lesson to learn, he says. “It really shed some light and got some buy-in to start doing some mobile security measures.”
Getting buy-in from end users is important in any environment, but it is especially critical in the healthcare setting where much personal data is handled. Maib knew that physicians tend to carry multiple pieces of equipment around—cell phones, PDAs, laptops—with sensitive information on them. Therefore, mobile security was at the top of his list of concerns when he helped set up the IT security department in 2001.
Demonstrating the problem was an important first step; finding the right solution was the next challenge. It had to be user-friendly because end users are notoriously reluctant to implement security measures that cause them any inconvenience. It also had to help him to understand the size of the problem.
“The first thing we wanted to find out was exactly how many mobile devices were roaming through our environment, specifically PDAs without any authentication,” he says. Until he knew what was in the field, it would be impossible to know what needed to be protected.
Maib discovered Addison, Texas-based CREDANT Technologies in a trade journal; his interest was piqued when the company’s ad claimed the product could discover mobile devices as well as provide authentication for PDAs.
There are three components to the CREDANT solution. The first, the management piece, is the Mobile Guardian Enterprise Server. This houses the security policies and connects with the company’s directories that allow it to keep track of users as they’re added or deleted from the system.
The second piece is Gatekeeper, a small client that resides on every desktop and laptop in Maib’s network. The third is the Mobile Guardian Shield, a piece of software that sits on each mobile device and does the encrypting using highly secure, industry standard encryption algorithms such as 3DES and Blowfish.
Here’s how it works. Gatekeeper does not actively look for mobile devices; it detects when a mobile device—a doctor’s PDA, for example—connects for synching. It then queries the device, looking for Mobile Guardian Shield. If it doesn’t find it, it can either prevent the PDA from synching, or it can install Mobile Guardian Shield on the device.
Getting Mobile Guardian Shield installed, Maib says, is a simple process for the end user, who first enters his or her network credentials, and then chooses a four-digit PIN, a password, and a question and answer as a backup. During regular use, if users forget the PIN, they can use the password; if they fail that three times, they get the question. If they can’t answer the question correctly, they’re locked out.
CREDANT also offers a “kill” feature which Maib doesn’t use. If a user fails each step of the authentication process, the kill feature can either render the PDA (or whatever other device is being used) unusable until the organization’s helpdesk intervenes, or it can execute a command that deletes everything that’s been encrypted on the machine.
Another optional part of the Mobile Guardian product is CREDANT2Go, which allows users to selectively encrypt files and folders that are stored on a USB thumb drive or iPod. Files encrypted using this program can be decrypted on any computer by any person who has the proper password; there is no need to install any special software.
PDAs and other mobile devices have much smaller drives and less memory than laptops and desktops, so using encryption on them has raised fears of slowdowns that will frustrate end users. Maib says this has not been a problem with the system selected.
The encryption process “is very rapid on both a PDA and a laptop,” he says. “Whenever you login to the machine, it hesitates about a half second.” One reason the process happens so quickly is that Mobile Guardian Shield encrypts only preselected files, and folders where sensitive information is held. This includes all databases on the devices; Maib can easily change the security policy to encrypt other files, including e-mail attachments, calendars, contact lists, or the My Documents folder.
While this setup works, Maib would like to reduce the number of mobile devices that have to be secured. To that end, he is testing Cingular 8125, a Windows-based all-in-one cellphone and PDA that will eventually replace everything else. He’s already got the CREDANT solution working on it, a critical part of the package, since these devices are receiving and storing more sensitive information than ever before; for example, data from a patient’s EKG can be sent to the on-call doctor’s device and saved as a PDF.
Maib is satisfied with the solution he chose to keep mobile devices secure. He says that encrypting data on mobile devices, which are exposed to the greatest risk of loss or theft, makes the most sense to him. And it’s been an affordable solution as well. CREDANT’s solution starts at about $85 per user and drops to the mid-twenties per user for large volumes.
E-mail and FTP
After Sharon Finney, information security administrator at DeKalb Medical Center in Decatur, Georgia, conducted an IT risk assessment 18 months ago, she had two areas of concern related to the Health Insurance Portability and Accountability Act (HIPAA). The first was that outbound e-mail might contain protected healthcare information, and that there was no way to take any action on such e-mails if identified. And second, she was concerned that there was no secure way to transfer the large amount of data that needed to be shared with business partners.
Finney decided to approach the two problems separately. The first step was to find a way to identify whether an e-mail contained any confidential information on a patient or about the hospital, a 627-bed facility with more than 23,000 admissions each year. She tested several applications and ultimately chose Proofpoint, a solution that scans each e-mail for protected health information. Proofpoint didn’t offer an encryption solution but its sales team told Finney that they worked often with encryption vendor PGP Corporation of Palo Alto, California.
She liked the idea of using PGP, she says, for a number of reasons. Many business partners were already using some form of PGP, she says, so there would be less of a need to suddenly demand that everyone switch to a new vendor and buy a new encryption product.
The e-mail encryption product she chose, PGP Universal, provided another benefit that Finney was looking for. “One of our criteria was we didn’t want the recipient [of an encrypted message] to have to purchase or download anything onto their desktop in order to receive secure mail from us,” she says. “PGP accomplished that.”
“We have 3,300 e-mail boxes and 4,100 employees,” Finney explains. That adds up to tens or hundreds of thousands of daily e-mails.
When an employee sends out a message, it is first scanned by Proofpoint for the presence of protected information. If the software finds such information, the e-mail is routed through the PGP server and encrypted; the server then holds the message and sends out an e-mail to the recipients saying that there is a secure message for them.
This e-mail includes a link that takes the recipient directly to the Universal server. He or she authenticates (or, if it’s a first visit, creates a passphrase for future visits), and then picks up the message across a 128-bit encrypted connection. For first-time users, Finney has posted a simple how-to document on the page that users are linked to that explains the process and includes contact information for DeKalb’s helpdesk.
PGP Universal software runs on a dedicated server. It took Finney only three hours to get it up and running—that, she says, is from the time she began to unpackage the product to when she sent her first encrypted message.
Another PGP product helped Finney solve her second problem—how to secure file transfers using FTP (file transfer protocol). That software product, PGP Command Line, was similarly loaded onto a server and was simple to install, DeKalb says. It took only a couple of hours for her to install and configure the software for all the organization’s internal users.
Command Line allows DeKalb employees to easily encrypt large files that need to be transferred to business partners via FTP. The encryption is done transparently to the user, though behind the scenes Command Line is using public and private keypairs to accomplish this task. (Something encrypted with a partner’s widely available public key can only be decrypted with its securely held private key.)
Again, Finney didn’t want to burden partners with buying a high-priced or complicated solution. Many were already using this product; and she helped smaller vendors get and install an inexpensive desktop version of the software that worked much the same as the full-blown version, though it added a few more manual steps.
“As a result, we’re able to work efficiently with our large partners as well as with our smaller vendors and partners that need to exchange data with us without putting undue financial burdens on them and requiring them to purchase a very expensive encryption solution,” Finney says.
While the motivation behind these encryption solutions was HIPAA, Finney says that securing e-mails has provided some unexpected benefits. “It allowed us to expand how we use e-mail in the hospital,” she says. “Now that we’re encrypting, we’re able to communicate more information to patients, physicians, and family members without worrying if it violates HIPAA, and our employees don’t have to worry about it.”
PGP Universal subscriptions start at $129; PGP Command Line costs around $1,100.
Full Disk Encryption
The Black Hat and DefCon conferences are known around the world as the premier gatherings for anyone interested in the cutting edge of IT security. So it’s no surprise that the mind behind the conferences, Black Hat Director Jeff Moss, is himself a security pro with an eye for what’s best on the market.
Setting up annual conferences in the U.S., Europe, and Asia is the work of Moss and his small staff, and despite Black Hat’s recent acquisition by corporate giant CMP Media, Moss remains in charge of his team’s computer security.
Ensuring that the data on every one of his laptops remains safe from prying eyes has always been a top priority for Moss, and he decided years ago on full-disk encryption with token-based authentication, so that any lost or stolen laptop would be utterly unusable, and its data would remain secure.
Moss says there weren’t many commercial choices available to him on the market. He wanted to use the tokens he already had (Rainbow’s iKey solution, which works via a USB port) so he needed a solution that would be compatible. He researched the options and decided on SecureDoc from WinMagic of Mississauga, Ontario, Canada.
SecureDoc software loaded onto each laptop integrates with the iKey in the preboot stage before the operating system loads, Moss says.
As soon as a laptop tries to boot from the hard drive, SecureDoc looks to the iKey token for a certificate that is held there. It then asks the user to provide the password for that token, Moss explains. So the user must have the token and know the password.
For many users, that two-factor authentication would be sufficient, but not for Moss, who also stores certificates for other encryption products he uses (such as PGP for his e-mail). “My concern is, if you just unlock the token, you’re also unlocking all those other things,” he says. So he is prompted for another password that unlocks those encryption certificates, meaning an extra step—but also an extra layer of security.
Once the passwords have been entered, the system boots up normally. When Moss used SecureDoc on an older machine with a slow drive, a delay to the boot was “slightly noticeable,” he says, but with newer machines, there is no delay at all.
Getting SecureDoc installed on the half-dozen of Black Hat’s computers was a fairly straightforward process, Moss says, though he advises careful planning before getting started. That’s because it’s necessary to decide if tokens or biometrics (or both) will be used, how they’ll be managed and assigned, who’s got the master password, and so on.
When tokens are used, there needs to be a master token that can be locked away in a safe place so that an administrator can decrypt a laptop if someone forgets the password.
As both user and administrator, Moss needed to create multiple accounts for himself—Jeff the user and Jeff the administrator. This, he says, was confusing at times; hence the need for proper advance planning before getting started (it will be simpler for organizations that have a separate IT security team).
One reason that Moss decided on full disk encryption was that he was concerned about data tampering. “If you leave your laptop in the office overnight or in a hotel room and you go out to dinner, if your full drive is not encrypted, someone could come along and install a keylogger or tamper with your machine,” he says. Then, even if your e-mail is encrypted, an attacker may nevertheless have full access to your operating system.
With full disk encryption in place, the computer is safe from tampering. And if a laptop is stolen, adds Moss, “it’s nice not to have to worry about your data popping up somewhere.”
For now, Moss’s only concern is that in the version of SecureDoc he uses, there is no recovery floppy disk. He recalls, in the pre-SecureDoc days, a trip to Asia when his machine crashed and wouldn’t boot. The product he was using allowed him to boot from a floppy and decrypt the operating system. The process took overnight, but at least the files became available. (WinMagic says that its latest release has such a feature.)
The enterprise version of SecureDoc is $99 per user, with discounts offered for large installations.
Encryption is no longer a difficult-to-manage headache. Transparent to end users and affordable, the many varieties of encryption products can help to ensure that sensitive data remain secure. By taking these precautions, companies can ensure that even if employees get robbed or get careless, client data and the company’s reputation will remain secure.