Category Archives: data security

Shoot in Foot…Rinse…Repeat.

This blog is normally written in ‘first person plural’ (i.e. “we”) to reflect the multiple inputs that influence the entries.  Today, however, you are getting me, Sean Scorvo, M.D., in all my inglorious ‘first person-ness.’  Why the break in tradition you ask?  “Current events.”

When I was practicing in the E.R., I took care of several “bullet vs. foot” injuries (PS: bullets tend to win).  I heard all kinds of excuses, but the unifying theme was stupidity.  As CEO of MiddleGate, I’ve been privy to a new kind of “bullet vs. foot” injury, but the unifying theme hasn’t changed.

Three years ago I had the pleasure of meeting Ed Stull.  A year ago, we brought Ed in as our CTO.  I’ve learned many things from Ed, but cryptography and network security top the list.  I don’t profess to be an expert in the arena, but I’ve learned enough to recognize that what we are doing in the field is not only top notch, but cutting edge.  I’ve also come to recognize that events like Adobe’s recently announced mega-breach (150 million usernames and passwords), and the carelessness exposed in their cryptography/encryption system as a result are the equivalent of the 2AM ambulance call of a GSW (gun shot wound) to the foot (insert ER staff eye-roll here).

Here is where the analogy diverges.  The 2AM GSW to the foot affected only said Darwinian weed-out candidate, and was a self-limited event (the “victim” did not have a tendency to pull the trigger twice).  Breach events exposing an underlying lack of attention to sound cryptography/encryption, on the other hand, affect millions and are not self-limited events.  Once the breach occurs, the poorly encrypted usernames, passwords, financial data, demographic data, etc., etc., are used to infiltrate networks and other systems.  In other words, the damage perpetuates and extends.

This is not “new” news.  That a breach occurred is not surprising…it is to be expected.  That makes the fact that the data contained in the Adobe environment was not adequately secured all the more troubling.  Unfortunately, this is unlikely to be a wake-up call for Chief Security Officers everywhere…if it were, the 2012 LinkedIn breach, wherein an antiquated HASHING algorithm (SHA-1…a soon-to-be-retired system) was used without “salting”, or the 2011 Sony PlayStation breach, wherein credit card numbers were encrypted but personal data was not, would have elicited a data security sea change.  In other words, the Adobe breach may still have happened, but with everyone having already learned the lessons of their peers, the encryption would have been robust enough that nothing could have been gained by the hackers.  Alas, that was not the case.

In the end, I am happy Ed is on our team.  I am happy we are well ahead of this issue. I am happy we will not shoot ourselves (or more importantly, our customers) in the proverbial foot.  I am, however, unhappy in the realization that I naively thought I’d seen my last GSW to the foot back in 2007…I’m just seeing them in a different form now.

Take 15 U.S.C. §1681b…Please

Take 15 U.S.C. §1681b…Please (sorry, I couldn’t resist the Henny Youngman reference there).  It regulates the sale of consumer reports, which are essentially aggregated data.  The sale of aggregated data is big business, and Data Aggregators serve a number of valuable functions.  Their data allows us to apply for loans and mortgages, spend our business advertising $ effectively, ensure that our daycares aren’t employing pedophiles, etc.  All due respect to Orwellian protestations (as they are valid), Data Aggregators play an important role in our society.

So we read with interest the investigative article detailing the sale of aggregated data to an identity theft ring by a company owned by a well known Data Aggregator.  The article chastises said Data Aggregator for having sold data to an un-vetted “vendor”, and regulators for having missed the signs, but we took away a different message:  The regulatory environment controlling the sale of this data is convoluted.  It would be challenging for any business to ensure compliance and consumer safety while executing a viable business model.

15 U.S.C.§1681b details the “permissible purposes of consumer reports” (i.e. when it is allowable to sell aggregated consumer data).  While not a defense of the company involved in this particular situation, we do challenge you to read that U.S. Code, put yourself in the shoes of a Data Aggregator, and come up with a business model that allows you to vet all vendors, data requests, etc. in a cost effective manner with a 100% guarantee that a scam artist hasn’t infiltrated the ranks.

Fortunately, the mothers of the MiddleGate team taught us to never point out a problem without offering a solution.  The MiddleGate model, developed to work in the world of HIPAA, may be a model for the future of the Data Aggregation industry.  We believe this case points out that the future of Data Aggregators may not be in the sale of their data, but in the sale of the patterns their data matches to.  We used the model to navigate the complex world of HIPAA in a cost effective manner, and the same could be done to navigate 15 U.S.C.§1681b knowing that it is unlikely there will be any meaningful regulatory reform in the near future.  We used the model to share the knowledge our data conveyed without sharing underlying patient information.  In short, we used the model to maintain privacy in a world clamoring for information.


Security Analytics

We try to avoid simply re-posting articles here.  However, a recent paragraph we read in “How Existing Security Data Can Help ID Potential Attacks” (from Information Week Reports) succinctly described a trend we are seeing and a market we are servicing:

Don’t think about security analytics as simply another product you need to buy; think about it first as a new approach to intelligent incident response. That new approach is needed because, frankly, what most of us are doing now isn’t working. By the time most security pros process disconnected forensic information, the bad guys already have your data. According to Verizon’s 2013 Data Breach Investigations Report, in over half of reported incidents, it took malicious hackers only a few hours to go from initial compromise to data exfiltration. However, 85% of breaches took organizations weeks or more to discover. Similarly, according to the Ponemon Institute’s Post Breach Boom study, it took an average of 80 days to discover and resolve a malicious breach. Eighty days!

Jules Verne wrote a novel about traveling around the world by balloon in 80 days…became a couple of movies.  Seems quaint now when we consider that our data can travel around the world in 80 seconds (or less), and that 80 days of undiscovered malicious data use allows a phenomenal amount of time for damage to be done.  We found that healthcare Covered Entities are sitting on vast troves of data that they simply cannot utilize (i.e. share to good effect) because of the restrictions placed on them by HIPAA/HITECH.  We solved that piece of the puzzle and decided to act because, quite honestly, the current silo approach to data security isn’t working and in the end, it is everyone’s medical records, privacy, and security that are at risk…and that means everyone at MiddleGate and our extended families as well as our customers.