Digital Photo Security - cdn.ymaws.com · IAFN March 14, 2011 Keith Fricke CISSP, MBA • Keith...

Page 1: Digital Photo Security: What You Need to Know

International Association of Forensic Nursing, March 14, 2011

Keith Fricke, CISSP, MBA

Page 2: Agenda

• Bio

• Digital SANE Photos in a Regulatory & Legal Landscape

• Basic Measures in Securing Digital Photos

• Electronic Crime and Its Impact on Healthcare Photos

• Summary / Q&A

• Closing Statement

Page 3: Keith Fricke, CISSP, MBA

• Keith Fricke has 25 years’ experience in Information Technology, with a focus on Information Security for the last 11 years

• Information Security Officer at Catholic Health Partners

• Adjunct Professor, MIS Dept. Ursuline College

• Member of the Information Systems Security Association (ISSA)

• Board Member of Cleveland’s InfraGard Chapter

Page 4: Disclaimers

• I am not an attorney and am not providing legal advice

• I am representing my views as an Information Security Professional and not those of my employer

• I am not promoting any products in any demos in this presentation

Page 5: REGULATORY & LEGAL LANDSCAPE

Page 6: Regulatory Landscape

• HIPAA Security Rule
– 45 CFR 164.308(a)(1) – Security Management Process
– 45 CFR 164.308(a)(6) – Security Incident Procedures
– 45 CFR 164.310(d)(1) – Device and Media Controls
– 45 CFR 164.312(a) – Access Control
– 45 CFR 164.312(b) – Audit Controls
– 45 CFR 164.312(e)(1) – Transmission Security

Page 7: Regulatory Landscape

• HITECH Act
– 45 CFR 164.404, .406 and .408 – Breach Notification (to individuals, the media and the HHS Secretary)
– Encrypting data at rest is the “get out of jail free card”: PHI encrypted per HHS guidance is not “unsecured PHI”, so its loss does not trigger notification, provided the decryption key was not compromised as well

• HIPAA Privacy Rule & Anticipated Changes
– Minimum Necessary & Need to Know
– Accounting of Disclosures
– Ties back to the HIPAA Security Rule’s Audit Controls

• Meaningful Use

Page 8: Regulatory Landscape

• Meaningful Use
– 45 CFR 170.302(r) – Audit Log
– Stage 1 only requires the EHR vendor to have audit functionality
– Stage 1 EHR customers are not required to implement auditing
– But remember the HIPAA Security Rule: Stage 1 requires a risk assessment, and logging reduces some risks

Page 9: Regulatory Landscape

• Linking All This to SANE Photos
– Maintaining the Privacy Rule’s need-to-know in an EHR
– Can your EHR restrict access to SANE photos? If not, keep them separate and scan in a paper stating that SANE photos exist
– Audit Logging: if photos are kept separate and handled by few people, logging access is less critical
– HIPAA Security Rule: the Security Management Process governs protecting SANE photos
– Encrypting Photos
– Storage Media Disposal
– Incident Response
– Sending photos to third parties

Page 10: Legal Landscape

• Some Regulations Have Legal Ramifications
– HITECH Act has civil penalties
– New power for state attorneys general to bring civil actions for HIPAA violations

• Data Breach Legislation

• Federal Rules of Civil Procedure & e-Discovery

• Chain of Custody of Cameras & Photos

Page 11: BASIC MEASURES TO SECURE SANE PHOTOS

Page 12: Triad of Information Security

• Confidentiality
– Encryption
– Data Destruction

• Integrity
– Hashing

• Availability
– Backing Up / Restoring
– Testing

Page 13: ENCRYPTION

Page 14: Encryption

• Definition: scrambling information so that it is unintelligible to anyone who does not have the encryption key
– The key is usually derived from a passphrase typed by the user

• Data Encrypted in Motion
– Think of online banking
– Data is scrambled only during transmission; it is stored in the clear at both ends

Page 15: Encryption

• Data at Rest
– Scrambling data as it exists in a file or a database
– Permits secure transfer of data over an insecure channel (e.g. email or an unencrypted web site), because the file stays encrypted wherever it travels
– Is encryption the same as a password? NO. A password on a document or account controls who the software lets in; encryption makes the bytes themselves useless without the key
– House analogy
– AES (Advanced Encryption Standard) is the current government standard; AES-128 and AES-256 denote key lengths in bits, and both are considered strong
– 3DES is older but still used (don’t use plain DES; NIST has since deprecated 3DES as well)
– Software Encryption vs. Hardware Encryption

Page 16: (image slide)

Page 17: (image slide)

Page 18: Important

• Verify the ability to decrypt the file
– Make sure the encrypted file can be decrypted
– Verify the intended encryption passphrase is correct
– Do this before deleting the original files
– If the encryption passphrase is wrong, the data cannot be retrieved
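The check on this slide, worked through as an added example that is not from the presentation or from any product it demonstrated: a key is derived from the passphrase, the photo is encrypted, and the original is deleted only after the encrypted copy has been decrypted with a second typing of the passphrase and matched byte for byte against the original. It assumes Python 3 with the third-party `cryptography` package; Fernet (AES-128-CBC with an HMAC-SHA256 tag), PBKDF2 with the iteration count shown, and the file names and sample bytes are this example's own choices, not the presenter's.

```python
"""Encrypt a file with a passphrase-derived key and keep the original
until a decrypt-and-compare check proves the passphrase works.
Added example; assumes `pip install cryptography`."""
import base64
import hashlib
import os
import tempfile
from pathlib import Path

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000   # assumption: slow enough to blunt offline guessing


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a human passphrase into the 32-byte key Fernet expects
    (urlsafe base64). A typo here produces a completely different key."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=PBKDF2_ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(passphrase.encode("utf-8")))


def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    """Return salt || Fernet token (AES-128-CBC + HMAC-SHA256)."""
    salt = os.urandom(SALT_LEN)
    return salt + Fernet(derive_key(passphrase, salt)).encrypt(plaintext)


def decrypt_bytes(blob: bytes, passphrase: str) -> bytes:
    """Raises InvalidToken when the passphrase is wrong or the blob was altered."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    return Fernet(derive_key(passphrase, salt)).decrypt(token)


def encrypt_and_verify(original: Path, passphrase: str, confirm: str) -> bool:
    """Write <name>.enc, then delete the original ONLY if decrypting the
    new file with the re-typed passphrase reproduces it byte for byte.
    Returns True if the original was removed, False if it was kept."""
    plaintext = original.read_bytes()
    encrypted = original.with_name(original.name + ".enc")
    encrypted.write_bytes(encrypt_bytes(plaintext, passphrase))
    try:
        restored = decrypt_bytes(encrypted.read_bytes(), confirm)
    except InvalidToken:
        encrypted.unlink()          # the two typings differ: unusable ciphertext
        return False
    if hashlib.sha256(restored).digest() != hashlib.sha256(plaintext).digest():
        encrypted.unlink()
        return False
    original.unlink()               # safe now: the .enc file is known to open
    return True


def demo() -> dict:
    """Run both outcomes on constructed sample files in a temp directory."""
    d = Path(tempfile.mkdtemp())
    sample = b"\xff\xd8\xff\xe0" + b"constructed sample photo bytes " * 50
    good, typo = d / "exam_01.jpg", d / "exam_02.jpg"
    good.write_bytes(sample)
    typo.write_bytes(sample)
    return {
        "deleted_after_verify": encrypt_and_verify(good, "correct horse", "correct horse"),
        "enc_decrypts_ok": decrypt_bytes((d / "exam_01.jpg.enc").read_bytes(),
                                         "correct horse") == sample,
        "kept_after_typo": (not encrypt_and_verify(typo, "correct horse", "correct hores"))
                           and typo.exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The mismatch case is the one the slide warns about: a passphrase typed differently the second time cannot open the file, so the original is kept and the unusable ciphertext is discarded rather than the other way round.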

Page 19: An Important Sidebar – Creating Good Passphrases

• A passphrase used to encrypt data can be thought of as being like a password

• A one-character password drawn from letters only has 52 possibilities (A-Z, a-z)

• Adding the digits 0-9 increases the possibilities to 62

• Adding the non-alphanumeric printable characters increases the possibilities to 95

Page 20: Password Combinations

Number of possible passwords of each length:

Length | 95 characters             | 52 characters
-------|---------------------------|------------------------
1      | 95                        | 52
2      | 9,025                     | 2,704
3      | 857,375                   | 140,608
4      | 81,450,625                | 7,311,616
5      | 7,737,809,375             | 380,204,032
6      | 735,091,890,625           | 19,770,609,664
7      | 69,833,729,609,375        | 1,028,071,702,528
8      | 6,634,204,312,890,625     | 53,459,728,531,456

Page 21: Passwords

Assume a 1 GHz PC can try 2.8 million passwords per second. Time to try every combination (an attacker finds the right one after half of this on average):

Length | 95 characters    | 52 characters
-------|------------------|------------------
1      | 33 millionths s  | 18 millionths s
2      | 3 thousandths s  | 1 thousandth s
3      | 0.3 seconds      | 5 hundredths s
4      | 29 seconds       | 2.61 seconds
5      | 46 minutes       | 2.25 minutes
6      | 73 hours         | 117 minutes
7      | 288 days         | 4.24 days
8      | 75 years         | 220 days

Note that 2.8 million guesses per second was a single 2011 desktop CPU; GPU-based crackers try orders of magnitude more, so these times shrink accordingly, and the real rate also depends on how slow the encryption tool's key-derivation step is.
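The two tables above are instances of one calculation: alphabet size raised to the password length, divided by the guess rate. The added example below (not from the presentation) generalizes it to any alphabet, length and rate, and also answers the question the tables invite: how long a password must be to survive a given guess rate for a given time. The 2.8 million guesses per second figure is the slide's; everything else is this example's assumption.

```python
"""Keyspace and exhaustive-search time for a password, generalising the
tables above to any alphabet size, length and guess rate. Added example."""
import math

SLIDE_RATE = 2.8e6            # guesses/second assumed on the slide (a 2011 1 GHz PC)
ALPHABETS = {"letters": 52, "letters+digits": 62, "printable ASCII": 95}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to try every password; on average an attacker needs half of this."""
    return keyspace(alphabet_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration the way the slide does (3 significant figures)."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1), ("milliseconds", 1e-3)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds * 1e6:.3g} microseconds"


def min_length_for(alphabet_size: int, rate: float, target_seconds: float) -> int:
    """Shortest length whose full keyspace takes at least target_seconds at `rate`."""
    needed = math.ceil(target_seconds * rate)
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def table(rate: float = SLIDE_RATE, max_length: int = 8) -> list[tuple]:
    """Rows of (length, keyspace95, time95, keyspace52, time52), as on the slides."""
    return [(n, keyspace(95, n), human(worst_case_seconds(95, n, rate)),
             keyspace(52, n), human(worst_case_seconds(52, n, rate)))
            for n in range(1, max_length + 1)]


if __name__ == "__main__":
    for row in table():
        print(*row, sep="\t")
    ten_years = 10 * 365 * 86400
    for name, size in ALPHABETS.items():
        print(f"{name}: need {min_length_for(size, SLIDE_RATE, ten_years)} chars "
              f"for >=10 years at {SLIDE_RATE:.1e}/s, "
              f"{min_length_for(size, SLIDE_RATE * 1000, ten_years)} at 1000x that rate")
```

Re-running `table()` with a larger `rate` is the quickest way to see why the slide's 8-character figures should not be read as a safety margin today.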

Page 22: DATA DESTRUCTION

Page 23: Physical Destruction

• Destroy the media on which the data are stored
– CDs/DVDs can be shredded or broken up (microwaving a disc for a few seconds also ruins it, but it arcs and gives off fumes, so a disc shredder is the safer choice)
– Smash USB thumb drives and memory cards so that the flash chips themselves are broken
– Use a strong magnetic field (degaussing) on diskettes and tape backups; degaussing does nothing to flash media or optical discs
– Smash hard drives
– Can contract with disposal companies; get a certificate of destruction

Page 24: Electronic Destruction

• A “normal” delete does not really delete the file; it only removes the directory entry and marks the space as free

• Data is recoverable after deleting from the Recycle Bin

Page 25: (image slide)

Page 26: Forensic Data Deletion

• Overwrites the data, rendering it unrecoverable
– Works on media that rewrite in place (spinning hard drives); flash media such as memory cards, USB drives and SSDs remap writes, so an overwritten file may still exist in unmapped blocks. For those, rely on whole-device encryption with key destruction, or on physical destruction
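One way to do the overwrite, as an added example rather than anything shown in the presentation: every byte of the file is replaced with random data, the writes are forced to the device, the name is scrambled and only then is the file unlinked. The chunk size, pass count and sample file are assumptions; the caveat in the docstring is the part a practitioner must not skip.

```python
"""Overwrite a file's bytes in place, then unlink it, instead of a
"normal" delete that only drops the directory entry. Added example."""
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20                           # 1 MiB of random data per write


def overwrite_and_delete(path: Path, passes: int = 1) -> int:
    """Overwrite every byte with random data `passes` times, force the
    writes to the device, truncate, rename to a random name and unlink.
    Returns the number of bytes overwritten per pass.

    Caveat: this only helps on media that rewrite sectors in place (spinning
    disks). Flash media (memory cards, USB sticks, SSDs) remap writes, so old
    copies of the data can survive; there the answers are whole-device
    encryption with key destruction, or physical destruction of the chips.
    Journaling or snapshotting file systems may also keep older copies."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # push this pass out of the page cache
        f.truncate(0)                     # hide the original length as well
        f.flush()
        os.fsync(f.fileno())
    scrambled = path.with_name(os.urandom(8).hex())
    os.replace(path, scrambled)           # the old name leaves the directory too
    scrambled.unlink()
    return size


def demo() -> dict:
    """Constructed sample: a fake 3 MiB photo in a temp directory."""
    d = Path(tempfile.mkdtemp())
    photo = d / "exam_01.jpg"
    photo.write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * (3 * CHUNK))
    size_before = photo.stat().st_size
    wiped = overwrite_and_delete(photo, passes=2)
    return {"bytes_wiped": wiped, "matches_size": wiped == size_before,
            "gone": not photo.exists(), "dir_empty": not any(d.iterdir())}


if __name__ == "__main__":
    print(demo())
```

A single pass of random data is enough to defeat software recovery on a spinning disk; extra passes cost time without changing the flash-media caveat.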

Page 27: Copier Security

• Buy a copier with data encryption. This may be an extra charge, but it is well worth it.

• Retain and destroy all hard drives from digital copiers when they are retired.

• If the copier company wipes the data instead, insist that they give you a certificate of destruction.

• Never use an office or public copier for copying personal information. Get your own personal copier for home use; most small all-in-one printer/fax/copiers have no hard drive (check the specifications).

Source: blog.chiefsecurityofficers.com

http://www.youtube.com/watch?v=iC38D5am7go

Page 28: HASHING

Page 29: Hashing

– Think of it as the DNA of a file
– A mathematical process that takes the whole file as input
– Produces a fixed-length string of letters and numbers, the file’s “digital fingerprint”; the algorithms in use are designed so that no one can find two different files with the same fingerprint
– Change the file, even by one byte, and the hash changes
– An example

Page 30:

The hash for this file is the long string of letters and numbers below. It identifies this file: no other file is known to produce this hash value, and none can practically be made to.

df1f2b3be98fda6ae7b8a404e99e66a08055fa914efde810b65a5c8906a47c57

Page 31:

Changing the file by merely replacing the period with an exclamation point changes the hash completely.

Old hash: df1f2b3be98fda6ae7b8a404e99e66a08055fa914efde810b65a5c8906a47c57
New hash: 7101f6ef0dfd29e9530b8ccee54f20374c7a7a882f10b3809f87efb5c2a07042

The same concept applies to digital photos. Slightly modifying a photo changes its hash. Showing that a photo’s hash has not changed since it was first recorded gives high confidence that the photo has not changed, which is why the hash must be recorded at the time of capture and kept where it cannot be quietly edited.

Page 32: Example of File Hashing Software

Note: all hashes are the same in this example because the photo used was copied five times and renamed. In a real situation each photo would be different, so each hash would be different.

Page 33: The Importance of Hashing SANE Photos

• Helps prove the integrity of digital photos in court
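How the hash check is used in practice, as an added example not taken from the presentation or from the hashing software pictured: record a SHA-256 digest for every photo at the time of capture in a manifest (the 64-character hashes on the earlier slides are the length of SHA-256 digests, but the algorithm choice here is an assumption), then verify the photos against it before they are produced, so a changed or missing file is flagged. File names, the manifest name and the sample bytes are constructed.

```python
"""Record SHA-256 digests of evidence photos in a manifest and verify
them later, flagging any file that was modified or is missing. Added example."""
import hashlib
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large RAW photos do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(photo_dir: Path, manifest: Path) -> dict[str, str]:
    """Write 'digest  filename' lines (the sha256sum format) and return them.
    Keep the manifest somewhere the photos' custodian cannot quietly edit,
    e.g. printed into the case file, so a tampered photo cannot be covered
    by rewriting its digest."""
    digests = {p.name: sha256_file(p)
               for p in sorted(photo_dir.iterdir()) if p.is_file() and p != manifest}
    manifest.write_text("".join(f"{d}  {name}\n" for name, d in digests.items()))
    return digests


def verify_manifest(photo_dir: Path, manifest: Path) -> dict[str, str]:
    """Return {filename: 'ok' | 'MODIFIED' | 'MISSING'} for every manifest line."""
    results = {}
    for line in manifest.read_text().splitlines():
        digest, name = line.split("  ", 1)
        p = photo_dir / name
        if not p.exists():
            results[name] = "MISSING"
        elif sha256_file(p) != digest:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    return results


def demo() -> dict[str, str]:
    """Constructed sample: three fake photos; one gets a single byte changed
    (the slide's period-to-exclamation-point edit), one is deleted."""
    d = Path(tempfile.mkdtemp())
    for i in (1, 2, 3):
        (d / f"exam_0{i}.jpg").write_bytes(b"\xff\xd8" + f"sample photo {i}.".encode())
    manifest = d / "MANIFEST.sha256"
    write_manifest(d, manifest)
    (d / "exam_02.jpg").write_bytes(b"\xff\xd8" + b"sample photo 2!")
    (d / "exam_03.jpg").unlink()
    return verify_manifest(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The manifest uses the `digest  filename` layout of the `sha256sum` utility, so `sha256sum -c MANIFEST.sha256` verifies the same file from the command line on any Linux system.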

Page 34: DATA BACKUP & RESTORE

Page 35: Backing Up Photos

• Work with your IT & InfoSec departments
– They will help identify the proper media and location for storage
– As with all data backups, store copies offsite
– Use commercial vendors (not the trunk of your car)
– Remember that backup tapes and CDs have a shelf life
– Conflicting information: unused shelf life is typically quoted as 5 to 10 years, but some vendors claim CDs/DVDs last 50 to 100 years
– Longevity depends on environmental conditions and handling
– Nothing lasts forever, so test that backups actually restore and migrate them to fresh media before the old ones age out

Page 36: ELECTRONIC CRIME

Page 37: The Reason for Laws, Regulations, and Security

• Electronic crime is pervasive

• Shift from hacker notoriety to organized business

Page 38: The Good Ole Days

Page 39: Today

Page 40: Why Steal My Registration?

• Car radio $$ vs. Identity $$$$$$$

• Buy, Sell, or Trade

• Fix me Doc

Page 41: Tell Me About the “HOW”

• Abusing Authorized Access

• Unauthorized Access
– Wireless Technology
– Social Engineering
– Malware & Phishing

Page 42: Wireless Technology

• Sends data over radio frequencies

• Like TV and AM/FM radio

• A Commodity

Page 43: Invading on Wireless

• Security is often off by default: many wireless access points ship with encryption disabled until someone turns it on

• People post findings and tools on the Internet for intercepting wireless communications

Page 44: Invading on Wireless

• Eavesdropping from a distance

• Do-it-yourself plans on the Internet

Pages 45 to 51: (image slides)
Page 52: Social Engineering Demo

Page 53: Social Engineering

• Using the techniques of persuasion and/or deception to gain access to information systems

• S.E. Applied

Page 54: Social Engineering

• The Help Desk call

• Malware
– Viruses
– Trojans
– Add email

• Phishing

Page 55: Putting SANE in Context

• Russian Business Network
– Who they are
– What they do
– Why it is hard to stop them

• Trafficking Your Files

• File Sharing Sites
– LimeWire, Kazaa
– TENYOB

Page 56: Summary

• Electronic crime is a lucrative, well-organized business

• The Internet provides the means and the knowledge

• Laws exist helping protect information and individuals

• Encryption, hashing, data destruction and data backups enable privacy, security and integrity

• Know the forces that affect your photos, ask questions and expect your IT department to help

Page 57: (image slide)

Page 58: Closing Thoughts

• Awareness vs. FUD

• Scratching the Surface of eCrime

Contact Information:

[email protected]

330-884-6680