BCBSA data breach another lesson in policy enforcement

Recent news that the Blue Cross Blue Shield Association (BCBSA) suffered the theft of an employee’s personal laptop containing personal information on hundreds of thousands of physicians illustrates once again that having the right security policies in place is not enough: an organization also has to monitor compliance and enforce them. In this latest incident, the employee copied corporate data onto a personal laptop, in violation of existing security policy. What’s worse, the data as stored by BCBSA was encrypted, but the employee decrypted it before copying it. The employee put BCBSA at risk in exactly the way its policies and database encryption controls were intended to prevent, and with the laptop lost, the American Medical Association is taking action to notify member physicians who may now be at risk of identity theft.

Data stewardship and data handling policies are the first step, and encrypting the data at rest is a good follow-up, but what else can organizations like BCBSA do to avoid this sort of incident? It’s not entirely clear how the data was transferred from the corporate computing environment to the personal laptop, but whether it was by thumb drive or by connecting the laptop directly to the BCBSA network, there are multiple technical options available to mitigate this type of risk. One answer is data loss prevention (DLP) controls that keep corporate data from being copied or written locally at all, whether or not the client computer is Association-owned. Encryption can be extended to protect data in transit and during use, rather than only at rest. USB device access controls can administer, monitor, and enable or disable USB ports as devices are plugged into them, so that, for instance, any attempt to use a non-approved thumb drive (perhaps one without device-level encryption) is blocked. Network access control (NAC) can detect (and, if desired, prevent) attempts to connect non-corporate computing devices to the network. Let’s also not forget security awareness training, which is just as relevant now as it was in the well-publicized case of the VA employee whose laptop holding veterans’ personal data was stolen from home after the data was taken off-site in violation of VA policy.
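As an added illustration of the USB device control described above (example code, not from the original post or from BCBSA), the POSIX shell script below keeps an allowlist of approved thumb drives and generates udev rules that de-authorize any other USB device at plug-in and log the attempt. The device identifiers are constructed samples, and the hub and HID handling is an assumption about what a production rule set would need.

```shell
#!/bin/sh
# Allowlist of approved removable-storage devices, one per line as
# idVendor:idProduct:serial. Values are constructed samples, not real devices.
APPROVED_USB='0781:5583:4C530001234567890001
0951:1666:E0D55EA5C3BD0012'

# usb_device_allowed VENDOR PRODUCT SERIAL
# Returns 0 when the device is on the allowlist, 1 otherwise.
usb_device_allowed() {
    printf '%s\n' "$APPROVED_USB" | grep -qxF "$1:$2:$3"
}

# generate_udev_rules
# Emits udev rules that leave approved devices and hubs alone and switch off
# every other USB device at plug-in via the kernel's per-device "authorized"
# attribute, logging vendor, product and serial so the attempt can be reviewed.
# Assumption: a real rollout would also exempt HID devices (keyboards, mice)
# ahead of the catch-all rule, or use a dedicated tool such as USBGuard.
generate_udev_rules() {
    printf '%s\n' "$APPROVED_USB" | while IFS=: read -r vendor product serial; do
        [ -n "$vendor" ] || continue
        printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{serial}=="%s", GOTO="usb_allowlist_end"\n' \
            "$vendor" "$product" "$serial"
    done
    # Hubs (device class 09) must stay authorized or nothing downstream enumerates.
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{bDeviceClass}=="09", GOTO="usb_allowlist_end"\n'
    # Catch-all: anything else is de-authorized and the attempt is logged.
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{authorized}="0", RUN+="/usr/bin/logger -t usb-allowlist blocked $attr{idVendor}:$attr{idProduct} serial=$attr{serial}"\n'
    printf 'LABEL="usb_allowlist_end"\n'
}

# Number of rule lines emitted, for a quick sanity check of the generated file.
generate_udev_rules_count() {
    generate_udev_rules | wc -l | tr -d ' '
}
```

Write the generated rules to a file such as /etc/udev/rules.d/90-usb-allowlist.rules and reload udev; the logger entries then give the monitoring trail the post asks for.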