Encryption Revisited

Posted on Mon, Jan 11, 2010 – 10:47 am at mobilehealthwatch.com | mHealthNews.com

One concern about extending healthcare’s digital enterprise to WLANs and their equivalents is the exposure to financial data that mobile devices create. Several European countries have advanced to the point where they are legislatively phasing out paper checks, and others are discussing it, and their backbone best practices include end-to-end encryption (though not always foolproof). American card networks, on the other hand, have a track record of backing off deadlines for the most basic security precautions.

Andy Greenberg of Forbes reports that a review of 2009 statistics shows the number of personal records–data like Social Security numbers, medical records and credit card information tied to an individual–that hackers exposed has skyrocketed to 220 million records so far this year, compared with 35 million in 2008. That represents the largest collection of lost data on record. And the majority of 2009’s data loss stems from a single source: credit card processing firm Heartland Payment Systems.

Greenberg goes on to detail that the text field SQL injection technique to which Heartland fell prey was hardly unique, nor was the subsequent code, and he asserts the Heartland breach "could easily have been prevented by scrambling the sensitive data with encryption software." This is intriguing since Thomas Claburn at InformationWeek reported days before Greenberg that "Steven Elefant, CIO of Heartland Payment Systems, doesn’t believe in software security. ‘There is no such thing as totally secure software anymore, and there probably never will be’…"

Elefant became CIO of Heartland the month the breach was reported and is tasked with implementing end-to-end encryption, via software and hardware, to cover the "five zones" Claburn recounted: merchant terminal; processor network; central processing unit/host security module; data storage devices; card-issuer systems. Elefant offered that payment processors were originally built for better data communication, so although full-cycle data protection now seems obvious, it was not the primary goal of those systems.

As cloud computing propagates, attacks against transport layer encryption are only going to grow in number, making data layer encryption that much more necessary, and, as the potential of distributed grids has already demonstrated, that much more challenging.
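To make concrete the point Greenberg raises (a SQL injection dump exposing only ciphertext when sensitive fields are encrypted) and the data-layer encryption the closing paragraph calls for, here is an added example, not code from the original post or from Heartland: card numbers are stored in a SQLite table only in encrypted form, under a master key the caller supplies from outside the database, so a full read of the table yields no plaintext PAN. The table, column names and the use of HMAC-SHA256 in counter mode with an encrypt-then-MAC tag (a standard-library stand-in for AES-GCM so the script runs without third-party packages) are assumptions of this example.

```python
import hashlib, hmac, os, secrets, sqlite3

def _subkeys(master):
    # Separate confidentiality and integrity keys derived from one master key,
    # which a processor would hold in an HSM/KMS, never beside the data.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-GCM.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_field(master, plaintext):
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(16)  # fresh per field, so equal PANs do not yield equal ciphertexts
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_field(master, blob):
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txn (id INTEGER PRIMARY KEY, last4 TEXT, pan_enc BLOB, cents INTEGER)")
    return conn

def store_txn(conn, master, pan, cents):
    # Parameterised INSERT (no string building) plus field-level encryption of the PAN.
    cur = conn.execute("INSERT INTO txn (last4, pan_enc, cents) VALUES (?, ?, ?)",
                       (pan[-4:], encrypt_field(master, pan.encode()), cents))
    return cur.lastrowid

def dump_rows(conn):
    # Everything someone with unrestricted SELECT access to the table gets to see.
    return conn.execute("SELECT id, last4, pan_enc, cents FROM txn").fetchall()

def plaintext_present(rows, pan):
    needle = pan.encode()
    return any(needle in (c if isinstance(c, bytes) else str(c).encode()) for r in rows for c in r)

def fetch_pan(conn, master, txn_id):
    (blob,) = conn.execute("SELECT pan_enc FROM txn WHERE id = ?", (txn_id,)).fetchone()
    return decrypt_field(master, blob).decode()
```

Only a holder of the master key can recover a PAN through `fetch_pan`, and any modification of a stored blob is rejected at decryption; the last four digits remain in clear for receipts, which is the usual trade-off.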