notes from an admin for himself. you can read it if you want.

Entries Comments

Custom Search

Securing HIPAA data on a laptop

4 May, 2009 (18:22) | prediction, security

I’m tired of looking for resources that define how to properly secure Hipaa data on a laptop. HIPAA Title II is vague and seems to indicate that you need to secure patient data with good current industry standards. What are those standards? It reminds me of FERPA. I’m going to define “best effort according industry standards” today for you. Here is what you need to know about what level of protection you are adding to your notebook and if it is “good.”


Operating system password only: BAD

If you depend on the Windows password to protect patient data, you belong in jail or in a place where they levy fines against you daily. You are lazy, ignorant or an evil penny pinching jerk. Enough said. No computers for you!


Honestly not much better than an OS password as far as time needed to exploit, bios passwords are easily defeated by many tools. They are bundled in to many boot cds anyone can download from the internet. I’ll leave these tools without a name because any idiot can use these and I’m not giving the lazy ones a head start.

Hard Disk Password: Getting started

Vendor information tells you that your hard disk’s password is safe even if the data is taken to another computer. This is not so. There are software tools that can brute force or wipe the chip containing the password. You can buy replacement security chips for certain hard drives. Tools to exploit a hard disk password located on the hard drive are a little more rare that say a multimeter. So obscurity is beginning. This is a good starting point, but here are few ways around it to prove how easy it is:

Call YEC. Ask about purchasing a Shinobi unit for $1190. You can use this to kill the password on most drives. Anyone could buy this for their garage, sell a legit password reset service on craigslist and make the cost back in a week. Then just start trading drives on ebay and dig for gold. For $100-$300, YEC will do the crack for you if you call them. A person who knows they have aquired a laptop with sensitive data doesn’t have to own anything or have experience hacking/cracking, they can just mail it in.  One could also remove the platters of the drive and install them in a nonprotected drive for around $500-$1000 using a data recovery service.  A few hundred dollars is more than enough to build a “clean box” to move the platters without a clean room and have a very good chance of imaging the drive without damage. 

Hard Disk passwords can be enhanced by using something like a Shinobi to install a better MD5 protected password. This adds some complexity and shows any court that you are making a heck of an effort to protect data. For $1000 it is really cheap if you use it to protect 100 hard drives, and also use it to wipe your disks before disposal. 

As a proof of concept I just ran a few tools against a sata 160GB drive, brute force took 2.5 hours on a single word, 1 digit password. Easy peasy. 

Whole Disk Encryption: Decent-Good

Implementation is the key here. Whole disk encryption is breakable using information in RAM. Google cold boot attacks. Adding a token like from Pointsec doesn’t gain you anything against ths same type of attack on RAM. This holds true for Truecrypt, Bitlocker, apples encryption, pgp, most of them. To use whole disk encryption to protect HIPAA data you need to:

Disable sleep, hibernate, any low power settting other than ON or OFF.

Set the laptop to shut off if the lid is closed.

Don’t use TPM without a pin or usb key in combination with TPM

If whole disk encryption is combined with a hard disk password, you get a great combination for security. Your users will hate you for having 2 passwords which need to be different in order for the effort to be worthwhile. 

New Hard Disk – On disk encryptionopal standard: Good

Far from perfect, the new standards implemented by storage industry manufacturers and computer vendors are more complex, but fairly safe. The Opal standard is the Trusted Computing Initiative plan to solve laptop/desktop storage security issues.  My personal experience with the Dell/Wave/TPM module is negative so far. The software is buggy and bloated, I’ve had to reset the encryption a few times on a few machines and this has made the experience for the user horrible.  As of 4/15/2009, the Dell/Wave/Embassy suite for an XT tablet is an 198MB download! The fingerprint reader should at least work for a 200MB installer. Not something I will be implementing company wide any time soon. I don’t want ALL the employees to hate me. 

As time goes on this technology will get better, but the clock is ticking until someone releases a crack for it too. I’m not sure why but vendors always seem to be in a state of denial about the number of people activly working against their new “unbreakable” technology. Right now I rank the opal standard as great by means of “security through obscurity.” It is new enough not to have a giant target on it’s head. For now I’d say it is your best bet. As market share increases and more computers use this technology, it will be broken in to and you should have a back up plan in place.


Windowsnerd recommendation: Wholedisk + HDkey


Older computers/small business- Truecrypt + your HD vendors key. Not perfect by any means but it sure is a good effort and it is free  + $manpower. Will someone in a hurry to do a cold boot attack know they need to crack your HD password first? Yes. Will they do it while your laptop still has power? Maybe not. If anyone ever tries to prosecute you for losing HIPAA data on a laptop with both of these in place, I’m sure they will lose. I would not recommend spending thousands of dollars on a whole disk product until you have a company with a whole lot of machines. When installing Truecrypt, use Twofish+serpent+AES. Adds a big A for effort, slows you down 10% or so. If the performance is important, buy faster hard disks. If performance is really important buy SSDs. Security is with regulated data is more important than speed. You can make that part of your employment policy. 

New computers/large business – pointsec/newer disk key. I still like Pointsec over PGP only because of the active directory tools and key management. I recommend Pointsec and a password on every hard drive. If you get new computers, buy a drive advertised to have encryption capabilities and use that as well. Read up on the OPAL standard, manufacturers are just getting started with releasing some good drives compliant with OPAL. 

Oh and dont forget- backups become UBERimportant. When these encrypted drives/operating systems smoke, they go down in big flames. If you can’t get past that first password you can’t use any recovery tools. 


Lesson to be learned over and over:

HIPAA reminds me a lot of FERPA. Universities lose FERPA data all the time.  They know that bad press is the worst that will happen to them. With the number of records being lost every year creeping into the thousands of incidents, they know the bite from the press is becoming painless. Nobody notices, it happens all the time. When your information is lost, xUniversity sends you a letter telling you to file a police report, a freeze on your credit and  leaves the mess to you. I have many of these letters. I know the admins who weren’t given money to protect the FERPA data. They weren’t given the money because the worst that would happen is that xU sends some letters and fires the admin who asked for money to protect the data in the first place.  If there were fines against the institution in the millions of dollars, data would be protected.  Don’t universities have history, ethics or computer science classes? Ah but the accounting and economics classes are more important than ethics and history at todays degree mills. The worker bees at the big Us don’t want to listen to the academics anyhow.

To date I beleive we are still at 2 prosecutions in the US for misuse of HIPAA data. The fact remains that bad press is all that will likely come of losing HIPAA data. See above for ramifications. Did I mention HIPAA is a 1996 thing and the year right now is 2009? 2 prosecutions?

So the lesson I keep learning and repeating – the solution to protect data. The only solution that works is to have government regulations with real teeth. The day we assign jail time, personal fines and prosecute offenders will be the day our data becomes  safer. Right now everyone looks at the least they can do to satisfy the rules. Or how much the fine is vs the cost to implement safegaurds. If the fine is steeper, the demand for good security goes up, and industry produces better security more often. 

If you are a consumer- suck it up and pay to have your credit monitored. Your personal data WILL be stolen and it will not be your fault. If you decide to be insured or monitor your credit, you are taking some good advice from someone who watches admins lose data all the time.



Write a comment