Archive for the ‘PGP’ Category

Symantec has acquired PGP Corporation and GuardianEdge Technologies

Thursday, April 29th, 2010

Big day today in the software security space. PGP Corporation and GuardianEdge Technologies (both competitors in the whole disk encryption market) have been acquired by Symantec Corporation. The acquisition provides much-needed applications to Symantec's industry-leading security software stack.

 

Symantec has seen competitors such as CheckPoint, Sophos, and McAfee acquire key encryption technology platforms like Pointsec, Utimaco, and Safeboot. They will now have a strong whole disk encryption story, as well as solutions for file and e-mail encryption. 

 

The GuardianEdge Technologies (GE) acquisition will provide Symantec with direct access to GE's large base of government customers. Certainly GE has a client base in the commercial sector as well. There is clearly some overlap between PGP and GE products. Both provide a lot of value to the end users in terms of security features.

 

Healthcare organizations that are looking to comply with the HITECH Act and protect PHI using encryption will be very pleased. Symantec has a significant market share in endpoint security products and those customers that need to deploy encryption will be happy to entrust the Symantec brand to their organization.

PGP Encryption Smackdown – Supports Mac Snow Leopard, Linux, Boot Camp, SSD drive support

Friday, January 22nd, 2010

PGP Corporation announced an update to its product line. PGP now supports Red Hat & Ubuntu Linux, Mac OSX Snow Leopard, and Boot Camp on Mac OSX computers. In addition, PGP has updated its whole disk encryption technology to include a Hybrid Cryptographic Optimizer (HCO) technology to deliver faster run times for PGP Whole Disk Encryption.


Customers can now use PGP Universal Server to centrally manage encryption for their multi-platform environment. A single web-based user interface can be used to manage encryption end points using Microsoft Windows, Apple Mac, Red Hat Linux, and Ubuntu Linux. PGP is the only encryption vendor that delivers encryption solutions across multiple platforms. Multi-platform support is especially important with the popularity of netbooks, and the forthcoming Apple tablet device, which is reported to be using the Mac OSX operating system.


PGP also added functionality for e-mail encryption in Microsoft Outlook. Using Microsoft Outlook, users can now click “sign and encrypt” buttons to automatically encrypt emails.


Experior Data is a PGP SILVER Partner and helps organizations implement data encryption solutions.


More information about these new releases is available on the PGP web site.

Disk encryption is not enough for HIPAA HITECH Act Compliance

Tuesday, January 19th, 2010

In the coming months healthcare IT administrators will see many products come to market that claim to solve the compliance issues of safeguarding unsecured protected health information (PHI). A bit of caution and understanding of the issues is required here:


- Whole disk encryption is clearly needed for mobile devices


- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.


- Additional levels of data protection are needed to protect the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.


- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.


- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?


So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location? Whole disk encryption will not help you in this situation.


It’s important for any encryption solution not only to encrypt the hard drive but also to encrypt files on the hard drive so that they remain encrypted while the computer is on.



Security for Meaningful Use: Part 2 – Electronic Access to Protected Health Information (PHI)

Thursday, December 31st, 2009

Standards Set for Providing Secure Access to Patient Records



According to the Initial Set of Standards for Electronic Health Records, patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.


“Consistent with the HIT Policy Committee’s recommendations, we propose the following additional clarification of this objective. Electronic copies may be provided through a number of secure electronic methods (for example, personal health record (PHR), patient portal, CD, USB drive).


Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies) within 96 hours of the information being available to the EP. Also, consistent with the HIT Policy Committee recommendations, we propose the following additional clarification of this objective. Electronic access may be provided by a number of secure electronic methods (for example, PHR, patient portal, CD, USB drive). Timely is defined as within 96 hours of the information being available to the EP either through the receipt of final lab results or a patient interaction that updates the EP’s knowledge of the patient’s health. We judge 96 hours to be a reasonable amount of time to ensure that certified EHR technology is up to date. We welcome comment on if a shorter or longer time is advantageous.”

How to Secure Health Records


You may be wondering how patient information can be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the products Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home, he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered, access to the patient information is provided.










Verizon CMO: Protection of data at rest not important? Really?

Wednesday, November 25th, 2009

Seems like it’s been a tough week for Verizon to try and prove their point about how encryption is unimportant to securing protected health information (PHI).


According to ModernHealthcare.com, Peter Tippett, Vice President of Technology and Innovation and Chief Medical Officer, recently said “Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”


In addition, Tippett says current security standards and methods are “too complex, are based on dogma instead of science, are both ineffective and inefficient, and are too static.”


But facts and reality prove otherwise. The following RECENT breaches were revealed while Verizon is literally putting its head in the sand and marginalizing encryption (and in all of them patient information could have been protected had encryption been installed):

  • 68 computer hard drives belonging to Blue Cross Blue Shield “walked out” of a datacenter, along with social security numbers and other information belonging to 2 million clients.
  • HealthNet loses an external hard drive with personal financial and medical information belonging to 1.5 million clients.
  • US Army loses hard drive with 60,000 social security numbers and other personal information.
  • A laptop containing clinical information on 2,000 patients was stolen from the Guam Memorial Hospital.

And all this within 2 weeks! The fact is that data in use, like data at rest and data in motion, needs to be encrypted if it contains protected health information.


Getting started with encryption

Tuesday, August 25th, 2009

Encryption can be intimidating. The technology is filled with technical security jargon like encryption keys, hash, key length, etc. In most organizations the least common denominators are often the devices used the most – laptops, tablet PCs, and desktop computers. These devices are used to work with patient data and store information that is the most vulnerable to theft, misuse, and unauthorized access. These devices are often serviced and replaced. How many times have you replaced a broken hard drive? How many computers have you replaced in the last 3 years?

Fortunately, the most vulnerable devices are the easiest to secure. If you have several computers you would like to secure, or if you have a tablet or laptop that you use when you travel, installing Whole Disk Encryption (WDE) software such as PGP Whole Disk Encryption is an easy way to get started.


WDE simply encrypts your entire hard drive. After installing the software you can encrypt your entire hard drive. The software operates in the background while you work and does not affect your computer’s performance. It may take several hours for your hard drive to become encrypted. After completion, you will need to enter a password every time your computer boots. If your computer is stolen, the thief will not be able to access your computer because the password will not be known to him/her. More importantly, your hard drive will not be able to be analyzed by forensic or other hard drive reading software. All your data will essentially become “scrambled” to anyone trying to view the contents of your hard drive.


It’s important that you understand technologies that WILL NOT protect your information:


- File deletion – deleting files on your hard drive does not erase them permanently. When you “delete” a file on your computer you are simply removing the pointer to the data in the hard drive’s directory. Until your data is overwritten by new data the old data remains on the hard drive and is able to be retrieved by even the most rudimentary tools on the Internet.


- Password protecting files – Using password protection features in Microsoft Word, Excel, and even Quickbooks does not protect your information. It simply forces you to enter a password before viewing the data. There are many tools that are available that can easily recover these passwords. In addition, passwords don’t encrypt data. They are a method of very basic access control. If you password protect your document it can easily be recovered by data recovery and simple forensics applications.


- Screen saver passwords – Although these should be used and activated when you’re away from your powered-on computer, they do not protect your data. A simple restart of the computer will bypass screen saver passwords.


- Computer passwords – Computer passwords should be set so that you are prompted to enter a password when you start up your computer. However, these can easily be recovered by many programs found on the Internet. They also don’t encrypt the contents of your hard drive.


- BIOS passwords – Most PCs have an option to set BIOS passwords. BIOS is a small program in every computer that runs very briefly when you turn your computer on. BIOS tells the computer the most basic information about your computer such as the amount of memory in your computer, size of hard drive, number of hard drives, etc. This information is used to load your operating system (Microsoft Windows, Apple Mac OS, etc). A setting in BIOS could be made to require a BIOS password before your computer even loads Windows. Although it may be a deterrent to the casual unauthorized user, such as a snooping co-worker, BIOS passwords are easily reset by anyone with rudimentary technical skills. Sometimes it may require that the computer be opened and certain buttons be pressed inside the computer. But it can easily be defeated. And BIOS passwords do not encrypt data.

- Apple FileVault, Windows EFS – These are useful options for encrypting data. In both cases (Apple and Windows) these are only file-level encryption technologies. Apple’s FileVault is superior because it encrypts your entire user profile. Windows EFS is complex to maintain and restore in case you switch computers. However, these technologies encrypt only certain files or directories. If you accidentally move information out of the encrypted directories, that information will not be encrypted. These also don’t prevent basic access to the operating system of the computer. For example, if your Mac is stolen and you have FileVault enabled, the thief can still access your computer.


Although installing whole disk encryption on a few computers is acceptable, deploying individual encryption applications on many computers is not efficient or recommended. Installing software like PGP Whole Disk Encryption on many computers without a central management system could present the administrative challenge of manually maintaining encryption keys, and leaves open the possibility of not being able to access encrypted computers after an employee leaves. Vendors like PGP offer a management console that can take away the administrative burden of maintaining many computers. Before deploying WDE, consult an expert who can set up your environment so you can properly manage your encrypted computers centrally.

