A laptop containing data on 2,800 patients at Northwestern Memorial Health Care was stolen this week. According to a report, the laptop was password-protected but not encrypted. Put simply, that means that 2,800 student records are now being read by someone who shouldn’t be reading them.
Let’s assume that the laptop is a Windows 7 machine. The hacker can download a program called ophcrack and burn it to a dvd. He can then adjust his BIOS, the software that runs when the computer first turns on, to boot off that DVD instead of the Windows 7 operating system that is on his hard drive. Once the DVD-based operating system is running, he can run the ophcrack application and use it to crack the password used for accessing the Windows 7 machine. Once he’s learned the username and password from ophcrack, he can shut the machine down and reboot into Windows 7 instead of the DVD. He’ll be able to log in because he now knows the password.
Once he’s logged in, he’ll be able to look through the computer’s hard drive’s contents. He’ll likely see many interesting things, including the spreadsheet or database of patient information. He’ll be overjoyed to find that, according to the report, it’s entirely unencrypted.
I’m not surprised at all. I’ve worked on software development projects where I’ve had access to data and wondered why the data wasn’t encrypted. Controls are far too lax far too often. I am certain your personal health care information and mine is sitting unencrypted on multiple laptops, desktops, tablets, and phones right now.
The ironic and sad truth is that it is easy to encrypt this data; it’s just not as easy as dealing with the data unencrypted. The easiest way to encrypt and decrypt the data on a Windows machine is to use Bitlocker. If the data resides on a database server instead of a personal Windows laptop or desktop, all the database administrator has to do is encrypt the personal identifiable information using the database platform’s built-in encryption functions and hash and salt the passwords, also using the database platform’s built-in tools. For example, if the data is stored on a MySQL database server, any column containing personal data could be encrypted using the aes_encrypt command, decrypted using the aes_decrypt command, and hashed using the sha1 command on the field’s value combined with a random character string called a salt. All of this is easy. None of this is painful. But none of this is as easy as just leaving the data sitting there in plain sight. So, due diligence isn’t always done.
Data hacks occur every day. Alarm and righteous indignation accompany every single report. The sad thing is that so much of it is preventable. Privacy is a myth today simply because the people who hold our data don’t treat it like they should. Northwestern’s claim that the computer was password-protected is just a very lame attempt at posterior obfuscation.
I don’t have data on this, but I’m worried that the majority of companies who handle our data are similarly inept. Their laziness makes all of us open books.