First published: 31st May 2008
Hong Kong is suffering an epidemic of data leaks, and a series of incidents in the Health Services is the latest to come to light. People and organisations handling sensitive data have had plenty of warning, starting with the public outcry at the leak from the Independent Police Complaints Commission in 2006. There was a strong reminder in September 2007 when the email passwords of various political parties and figures were revealed, and overwhelming public interest in the leaking of erotic photos stolen from Edison Chen's hard disc in February this year. However, despite these cases, many organisations have still not put strong measures in place to control leaks; only now is the Hospital Authority holding an emergency meeting to work out new guidelines.
The latest leaks reported have mostly involved the loss, or theft, of small memory devices (flash cards and USB drives):
- April 25 Tuen Mun clinic (665 patients)
- April 25 United Christian Hospital (26 patients)
- April 26 Kowloon Hospital reports data loss involving five patients
- April 28 Pamela Youde Nethersole Eastern Hospital reports data loss involving 50 patients
- April 30 Civil Service Bureau reports data loss involving 25 workers
- May 5 Hospital Authority reports data losses:
  - three at Pamela Youde Nethersole Eastern Hospital (983 patients)
  - two at Kowloon Hospital (43 patients)
  - one at Queen Mary Hospital (3,000 patients)
  - one at Tuen Mun Hospital (1,885 patients)
- May 6 Privacy Commission reveals data loss from Prince of Wales Hospital. May involve 10,000 patients.
In the Prince of Wales Hospital incident, a technician lost a USB drive, which was attached to her mobile phone, in a taxi. The data included patients' names, ID numbers and pathology test results; however, the technician was "not sure" whether the data had been erased or not. There is no suggestion that the data had been securely erased by overwriting multiple times, so much of it could be recovered fairly simply. The description implies that much is wrong with hospital IT systems:
- The device was the technician's personal possession (why else was it attached to her mobile phone?). Credit to the technician for using personal resources to get the job done, but why isn't the hospital providing the necessary resources?
- The data might have been erased, implying it was used as temporary storage, probably to transfer the files from one system to another. Why couldn't the transfer have been achieved via a network connection? Of course, networks also have vulnerabilities, but they can be protected by centrally managed solutions, and the exposure is for the limited time of transfer, not for the life of a USB device.
Hospital Authority chief executive Shane Solomon has announced that the authority would upgrade its system in seven to 10 days so that all downloaded information would be automatically encrypted and could only be read by the authority's computers. It is surprising that an IT department that, apparently, was unaware that its failure to provide suitable resources was forcing its users to use personal storage devices is able to roll out an ambitious encryption scheme in such a short timescale. I wonder whether they have properly studied the impact this will have. Will doctors find themselves unable to access patient data at critical times? With the keys distributed over so many thousand Authority computers, any serious attacker will still be able to access stolen data.
One idea to reduce the loss of data on mobile storage devices would be to use commercial anti-shoplifting technology. Issue staff with the USB drives they need, but tag them and install detectors at the hospital exits. The beeping when the devices leave the premises should remind staff, and inconvenience petty thieves. This could be used with or without encryption.
Ultimately, the Authority needs Information Security Management that supports the healthcare givers in their important work.
Updated: 09th May 2008
The problem with writing about data leaks in Hong Kong at the moment is how to keep up with the new reports. In the day since writing the above section, HSBC has revealed that it "lost" a server containing personal data, and a member of Immigration Department staff inadvertently shared confidential Department files from his home computer. Additional details also confirmed some of the issues I speculated about.
The server went missing from the Kwun Tong branch of Hongkong and Shanghai Banking Corporation during a renovation, and the case was reported to the Police as theft on April 26. It contained the names, account numbers and transactions of 159,000 customers, though the bank reported that it was protected by "multiple layers of security which are regularly reviewed". One hopes that those layers include strong encryption (Triple-DES, AES or similar) of the sensitive data on disk. Once the server is in the physical possession of an attacker with reasonable time, measures such as physical locks and barriers, and logical access controls managed by the operating system, are easily bypassed. The bits can be read from the physical media, and only encryption stands between the attacker and understanding of the data.
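Two claims above deserve a concrete illustration: that a "deleted" file on the lost Prince of Wales USB drive could be recovered fairly simply unless it was overwritten, and that once the HSBC server is in an attacker's hands the operating system's access controls do nothing for the bytes on disk. The following is an added example written for this newsletter, not code from any of the organisations mentioned. It models a tiny block device as a byte array with a directory table; `ToyDrive`, `carve_records`, `demo` and the sample patient records are all my own constructions, and the IDs are placeholders, not real HKIDs.

```python
"""Added example (not from the original newsletter): why data on a lost
drive stays readable after ordinary deletion, and why OS access controls
do not protect bytes once an attacker has the media itself.

A tiny block device is modelled as a bytearray plus a directory table
that records, per file, its owner and its block numbers. Normal reads go
through the table and enforce ownership; ordinary deletion only removes
the table entry; a carver reads the raw bytes and ignores the table
entirely. Secure erasure overwrites the blocks before dropping the entry.
All records below are constructed sample data.
"""
import os
import re

BLOCK_SIZE = 64
BLOCK_COUNT = 32


class ToyDrive:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.table = {}  # name -> {"owner": str, "blocks": [int, ...], "size": int}

    def _free_blocks(self):
        used = {b for e in self.table.values() for b in e["blocks"]}
        return [b for b in range(BLOCK_COUNT) if b not in used]

    def _span(self, block):
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write(self, name, owner, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("drive full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            # pad the last block so stale bytes from earlier files are cleared
            self.media[self._span(b)] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = {"owner": owner, "blocks": blocks, "size": len(data)}

    def read(self, name, as_user):
        """The 'normal' path: honours the directory entry and its owner."""
        entry = self.table[name]  # KeyError once the file is deleted
        if entry["owner"] != as_user:
            raise PermissionError(f"{as_user} may not read {name}")
        raw = b"".join(bytes(self.media[self._span(b)]) for b in entry["blocks"])
        return raw[: entry["size"]]

    def delete(self, name):
        """Ordinary deletion: only the directory entry disappears."""
        del self.table[name]

    def secure_delete(self, name, passes=3):
        """Overwrite every block of the file (random passes, then zeros), then drop the entry."""
        blocks = self.table[name]["blocks"]
        for _ in range(passes):
            for b in blocks:
                self.media[self._span(b)] = os.urandom(BLOCK_SIZE)
        for b in blocks:
            self.media[self._span(b)] = bytes(BLOCK_SIZE)
        del self.table[name]


def carve_records(media):
    """Forensic-style recovery: scan the raw bytes and ignore the directory table."""
    return [m.decode() for m in re.findall(rb"PATIENT:[ -~]+", bytes(media))]


# Constructed sample records; the IDs are placeholders, not real HKIDs.
SAMPLE = (b"PATIENT:ID-000001,Test Alpha,pathology=positive\n"
          b"PATIENT:ID-000002,Test Beta,pathology=negative\n")


def demo():
    """Returns (records carved after plain delete, records carved after secure delete)."""
    plain = ToyDrive()
    plain.write("lab.csv", "technician", SAMPLE)
    plain.delete("lab.csv")
    secure = ToyDrive()
    secure.write("lab.csv", "technician", SAMPLE)
    secure.secure_delete("lab.csv")
    return carve_records(plain.media), carve_records(secure.media)


if __name__ == "__main__":
    after_delete, after_wipe = demo()
    print("after ordinary delete:", after_delete)
    print("after secure delete:  ", after_wipe)
```

Running `demo()` shows both records carved intact after an ordinary delete and nothing after the overwrite. The `read()` method refuses a stranger and fails for a deleted file, yet `carve_records()` never consults the table at all, which is the situation of anyone holding the physical drive or server. Real filesystems are more elaborate, but the separation between directory metadata and data blocks that this toy exposes is exactly why encryption, not deletion or file permissions, is what protects data on lost media.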
The Immigration Department incident involved a new member of staff who took old confidential files home to familiarise himself with working procedures. He said the classified files were put in folders that were not shared by the Foxy peer-to-peer sharing software. However, many users of the software are unaware that the default settings share the whole hard disk. The issues here appear to be that the staff member was not properly briefed about handling confidential files, and a misplaced trust in the security of the home (internet-connected) computer.
On the previous cases, the Hospital Authority is planning to upgrade computers and networks, to ensure that all its computers are connected to a single network, eliminating the need to transfer files using removable devices. It was confirmed that a worker used a removable device to transfer data from one computer to another within the same department, leading to the data leak when the drive was lost.
To say that these incidents are the tip of the iceberg is understating the problem, and it is not just Government departments and financial institutions. I recently had reason to transfer some files to an advertising media company: the method was FTP, and the username was the same as the domain name and the company name. It is easy to compile a list of mistakes:
- Unencrypted protocol: ftp
- Use of shared user account - no accountability of actions
- Weak password - while not as bad as, say, '12345', it was not strong
- No delete limitation - potentially, any user could delete files relating to dozens of projects
The data mostly related to old campaigns, so disclosure would not be a concern, but sometimes it would contain details of campaigns pre-launch, and the details might be extremely valuable to their clients' competitors. Also among the files was a résumé, definitely a violation of the Personal Data Privacy Ordinance.
There is a widespread lack of a security culture that is putting huge amounts of data at risk of exposure or loss. Anyone reading this newsletter is probably already information security-aware; what can we do about all those with no concept of the problem?