Shostack + Friends Blog Archive

 

University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes [link to http://www.miamiherald.com/news/breaking_dade/story/499492.html no longer works].

The other 2.1 million people, apparently, should be reassured, that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.

There’s some analysis of how hard it would be to read the tapes. I’m skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?

The Breach Blog feels differently. In “University of Miami reports stolen tapes affecting patients,” [link to http://breachblog.com/2008/04/25/miami.aspx no longer works] he digs into the likelihood of the data being accessed.

Now, the University claims that the tapes are in a “complex and proprietary format,” which [link to https://um.hodesiq.com/med/job_detail.asp?JobID=1161359&user_id= no longer works] seems [link to http://it.med.miami.edu/x435.xml no longer works] to be “Tivoli Storage Management” [link to http://www-306.ibm.com/software/tivoli/products/storage-mgr/ no longer works] from IBM. Now, Tivoli storage manager has encryption capabilities (page 3 of this PDF.) I’m curious why that wasn’t in use.

Also, looking around, I found this quote [link to http://www.emaglink.com/prodTSM.htm no longer works] at an IBM partner site:

Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.

Until I hear more, I’m skeptical of the University’s claims. I don’t believe, and I have not believed for a long time, that breach notices are about identity theft. They’re about the performance of a promise to protect information.

(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)

4 comments on "University of Miami: Good for the body, bad for the soul?"

  • Chris says:

    On the TSM point, since these tapes were being sent off-site for DR purposes, how do we know that ‘the database’ wasn’t in the backup set as well?
    We don’t quite know the extent of the numbers game here, since 2 million “records” doesn’t necessarily mean “2 million patients’ data”. It almost certainly means more than 47K, since 5000 unique patients per year for an entire University health system strikes me as on the low side. Indeed, according to the University’s Facts and Figures [http://www.med.miami.edu/communications/facts_and_figures.asp no longer works]:

    The Anne Bates Leach Eye Hospital annually serves 160,000 outpatients of ophthalmology and other specialties,

    This is just for eye stuff.
    Somebody should simply ask the University how many patients’ records were on the tapes. Just to be fair, they should also ask about how many of those patients are known by the University to have died. The number of patients who, as far as the University knows, are living is a reasonable number to try to notify.

  • Blivious says:

    Can’t speak to this incident, but I know of at least one real-world trial where enabling encryption on the nightly tape run extended the time required to write tape *well* beyond the maintenance window. Just sayin’

  • Chris says:

    @bliv:
    Same here.
    A few points, though –
    You don’t need to have a maintenance window to do backups. That might be an easy way to do things, but it isn’t a hard and fast requirement.
    TSM is not a shell script with IBM’s label stuck on it. It must have support for multiple tape silos, etc. operating simultaneously. If they are running out of time, they can very likely increase throughput by doing operations in parallel.
    Most importantly, this has to be a question of priorities. In my view, for data like this, shuttled on tape outside the organization’s perimeter, encryption is as close to mandatory as you can get. If they have an aversion to encryption, there are ways of making that off-site copy that wouldn’t require it. However, remote copying terabytes over leased lines is probably more expensive than adding tape capacity.
    There may be some organizations that handle confidential data on a small scale for which the need to encrypt would present a challenge. However, we require businesses of all sizes to do certain things, even if cutting some corners would be no big deal for some of them, and adhering to the rules is a true hardship in some cases. Health and safety regulations for restaurants come to mind.

  • Chris says:

    @bliv:
    Same here.
    A few points, though –
    You don’t need to have a maintenance window to do backups. That might be an easy way to do things, but it isn’t a hard and fast requirement.
    TSM is not a shell script with IBM’s label stuck on it. It must have support for multiple tape silos, etc. operating simultaneously. If they are running out of time, they can very likely increase throughput by doing operations in parallel.
    Most importantly, this has to be a question of priorities. In my view, for data like this, shuttled on tape outside the organization’s perimeter, encryption is as close to mandatory as you can get. If they have an aversion to encryption, there are ways of making that off-site copy that wouldn’t require it. However, remote copying terabytes over leased lines is probably more expensive than adding tape capacity.
    There may be some organizations that handle confidential data on a small scale for which the need to encrypt would present a challenge. However, we require businesses of all sizes to do certain things, even if cutting some corners would be no big deal for some of them, and adhering to the rules is a true hardship in some cases. Health and safety regulations for restaurants come to mind.

Comments are closed.