Covered entities and eligible providers must now address encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: “Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable” control, it is not specifically mandated.
The RSA breach, RSA’s initial reaction to it, and their follow-up communication regarding the Lockheed Martin attack (which they admit is related to the initial RSA breach) make us question their priorities.
Revenue and brand come first. Customer security is second.
Of course, both of these are interrelated: you can’t build a robust security brand on top of security incidents like this, and RSA’s brand is forever tarnished by this breach.
Nonetheless, in the short term RSA’s reaction to this incident clearly shows that, while the initial open letter wasn’t downright false, it did (apparently) downplay the risk. This and other elements of the incident call their priorities into question. Let’s have a look at RSA Open Letter #1, published after the initial breach of RSA, and their follow-up, RSA Open Letter #2, published after the resulting Lockheed Martin breach. Both letters are from Art Coviello, Executive Chairman of RSA.
Is RSA doing everything it can to protect customers?
RSA Open Letter #1: “We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure.”
Really? So RSA provided a critical security component protecting the PII of millions of people, as well as government and defense secrets, and they weren’t doing everything they could before this incident?! Profit margins for the RSA unit of EMC, according to Bloomberg News and May regulatory filings, apparently slipped from 67.6% to 54.1% due to costs associated with the breach. Frankly, even 50+% margins aren’t bad. Could it really be that the RSA unit was kicking out annual profits on the order of hundreds of millions of dollars and couldn’t find the budget to do “further hardening” of its IT infrastructure until after this incident? If customers really came first, I think they’d have been investing some of those profits to do everything they could before an incident like this.
“Advanced Persistent Threat,” or: oops, an employee violated security best practices.
RSA Open Letter #1: “Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).”
Downplaying their culpability sounds like marketing to me. Was the attack sophisticated? Perhaps. However, most attacks involve a chain of events, and every link in the chain must succeed for an attacker to gain access. This is why we preach that organizations take a holistic view of security and address the entire risk profile: a failure at any link in the chain (even a minor, seemingly benign, non-technical vulnerability) leaves the data insecure. In this case, the entire attack started when an RSA employee in a core security division violated elementary security principles (and likely RSA’s own security policy) by downloading and running an attachment. Even many average non-techy citizens would have had the wherewithal to avoid this trick. Perhaps RSA should have been investing some profits into security awareness training.
Let’s downplay the impact of the incident.
RSA Open Letter #1: “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
In the first open letter, he qualified the statement quoted above by saying the breach of their systems did not enable a direct attack. Whatever that means, I guess it does not preclude attacks in general, which is clarified in his next open letter, after the successful attack against Lockheed Martin:
RSA Open Letter #2: “On Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin.”
If customers come first, I think a more straightforward profile of the true risk would have been appropriate up front. My experience is that RSA SecurID customers had become complacent about the risk to their systems from the breach because of what they’d been hearing from RSA. I don’t think RSA did their customers any favors by fostering this complacency with a sugar-coated view of the impact of the breach.
We’ll do everything we can for our customers (except invest in new tokens).
RSA Open Letter #1: “Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident.”
Apparently “applying all necessary resources” did not mean replacing the customers’ tokens, which would be expensive but effective. Through that lack of resource commitment, RSA seems to have put its customers’ data at risk – along with state secrets and the PII of millions of individuals. Of course, as customers’ knowledge of the risk associated with the RSA breach grew – because of the Lockheed Martin breach rather than RSA guidance – RSA expanded the definition of “all necessary resources.”
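To make concrete why a stolen seed record matters and why token replacement is the remediation that actually closes the gap, here is an added example (not RSA’s code, and not RSA’s proprietary SecurID algorithm): a minimal two-factor server built on the public HOTP algorithm from RFC 4226 as a stand-in for a hardware token. The serial number, seeds and PIN are constructed sample values. It shows that a copy of the seed record produces exactly the codes the server expects, that the PIN still stands between that copy and a login (the first letter’s “not a direct attack”), and that re-seeding the token rejects every code derived from the old record.

```python
"""Added illustration (not RSA's code): an OTP token is a shared seed plus a
counter, so a copy of the seed record is a copy of the token, and re-seeding
(token replacement) is what invalidates that copy.

The OTP function is the public HOTP algorithm from RFC 4226, used here as a
stand-in for a hardware token; it is not RSA's proprietary SecurID algorithm.
Serial numbers, seeds and PINs are constructed sample values."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TokenServer:
    """Minimal two-factor server: a PIN (something you know) plus a token code (something you have)."""

    def __init__(self) -> None:
        self.tokens = {}  # serial -> {"seed": bytes, "counter": int}
        self.users = {}   # username -> {"serial": str, "pin": str}

    def enroll(self, username: str, serial: str, seed: bytes, pin: str) -> None:
        self.tokens[serial] = {"seed": seed, "counter": 0}
        self.users[username] = {"serial": serial, "pin": pin}

    def reseed(self, serial: str, new_seed: bytes) -> None:
        """Token replacement: once the server holds a fresh seed, every code
        derived from the old seed record is rejected."""
        self.tokens[serial] = {"seed": new_seed, "counter": 0}

    def verify(self, username: str, pin: str, code: str, window: int = 3) -> bool:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pin"], pin):
            return False
        tok = self.tokens[user["serial"]]
        # Accept a small look-ahead so a token pressed without logging in stays in sync,
        # and advance past any accepted counter so a captured code cannot be replayed.
        for c in range(tok["counter"], tok["counter"] + window):
            if hmac.compare_digest(hotp(tok["seed"], c), code):
                tok["counter"] = c + 1
                return True
        return False


def demo() -> dict:
    """Walks through the risk the RSA letters describe and the remediation that closes it."""
    srv = TokenServer()
    seed = b"12345678901234567890"                    # RFC 4226 test-vector seed, constructed sample
    replacement = b"constructed-replacement-seed-01"  # seed of the replacement token (constructed)
    srv.enroll("alice", "000123456789", seed, "1234")
    results = {}
    # Normal login: PIN plus the code the token shows for counter 0.
    results["legitimate_login"] = srv.verify("alice", "1234", hotp(seed, 0))
    # The same code a second time: the counter has moved on, so it is refused.
    results["replayed_code"] = srv.verify("alice", "1234", hotp(seed, 0))
    # A copy of the seed record alone: the codes match, but without the PIN the login
    # fails. This is the "not a direct attack" half of the first letter.
    results["seed_copy_without_pin"] = srv.verify("alice", "0000", hotp(seed, 1))
    # Seed copy plus the PIN: the "something you have" factor no longer proves anything,
    # which is the "reduce the effectiveness of two-factor authentication" half.
    results["seed_copy_with_pin"] = srv.verify("alice", "1234", hotp(seed, 1))
    # Remediation: replace the token, i.e. install a fresh seed on the server side.
    srv.reseed("000123456789", replacement)
    results["old_seed_after_replacement"] = srv.verify("alice", "1234", hotp(seed, 2))
    results["new_token_after_replacement"] = srv.verify("alice", "1234", hotp(replacement, 0))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

The point of the walk-through is the last two lines of `demo()`: nothing short of a new seed stops the old record from producing valid codes, which is why “best practices” guidance alone leaves customers holding tokens whose secret may already be in someone else’s hands.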
RSA Open Letter #2: “As a result, we are expanding our security remediation program to reinforce customers’ trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers’ confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.”
Let’s give RSA the benefit of the doubt and presume that (a) replacing the SecurID tokens will be a no-cost solution for customers and (b) implementing “risk-based authentication strategies” will not be a revenue generator. Assuming this is the case, then it’s the right approach, but one that should have been undertaken at the outset.
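The second offer, “risk-based authentication strategies,” is the one that does not depend on replacing hardware, so it is worth seeing what such a strategy actually does. The following is an added example, not RSA’s product or code: a small scoring engine that rates each login on context (unrecognised device, new country, impossible travel speed since the last trusted login, transaction value) and turns the score into allow, step-up or deny. The user, coordinates, signal weights and thresholds are constructed sample values; a real deployment would tune them against its own fraud data.

```python
"""Added illustration (not RSA's code): a small risk-based authentication
engine of the kind offered to consumer-facing customers in the second letter.
Instead of trusting a single factor outright, each login is scored on context
(device, location, travel speed, transaction value) and the score decides
whether to allow, step up to an extra challenge, or deny.

Signal weights, thresholds, users and coordinates are constructed sample
values; a real deployment would tune them against its own fraud data."""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    ts: datetime
    amount: float = 0.0  # value of the transaction being authorised; 0 for a plain login


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    last_seen: Optional[Tuple[float, float, datetime]] = None  # (lat, lon, time) of last trusted login


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Adds up independent risk signals; each reason is kept for the audit trail."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append(f"new country {attempt.country}")
    if profile.last_seen is not None:
        lat, lon, when = profile.last_seen
        hours = max((attempt.ts - when).total_seconds() / 3600, 1 / 60)  # floor avoids divide-by-zero
        speed = haversine_km(lat, lon, attempt.lat, attempt.lon) / hours
        if speed > 900:  # faster than an airliner: both logins cannot be this user
            score += 50
            reasons.append(f"impossible travel ({speed:.0f} km/h)")
    if attempt.amount >= 10_000:
        score += 20
        reasons.append("high-value transaction")
    return score, reasons


def decide(score: int) -> str:
    """Three outcomes: silent allow, step-up (extra challenge), or deny."""
    if score < 25:
        return "allow"
    if score < 75:
        return "step_up"
    return "deny"


def evaluate(profile: UserProfile, attempt: LoginAttempt) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(profile, attempt)
    decision = decide(score)
    if decision == "allow":  # only a trusted login updates the behavioural baseline
        profile.known_devices.add(attempt.device_id)
        profile.last_seen = (attempt.lat, attempt.lon, attempt.ts)
    return decision, score, reasons


def demo() -> List[Tuple[str, int, List[str]]]:
    """Four constructed logins for one user: a routine one, a new device, an
    impossible-travel attempt carrying a large transaction, and a plausible trip abroad."""
    t0 = datetime(2011, 6, 3, 9, 0, tzinfo=timezone.utc)
    ny, moscow, paris = (40.71, -74.01), (55.76, 37.62), (48.86, 2.35)
    profile = UserProfile({"laptop-1"}, {"US"}, (ny[0], ny[1], t0))
    attempts = [
        LoginAttempt("alice", "laptop-1", "US", *ny, t0 + timedelta(hours=1)),
        LoginAttempt("alice", "phone-9", "US", *ny, t0 + timedelta(hours=1, minutes=30)),
        LoginAttempt("alice", "unknown-7", "RU", *moscow, t0 + timedelta(hours=2), amount=15_000),
        LoginAttempt("alice", "laptop-1", "FR", *paris, t0 + timedelta(hours=11)),
    ]
    return [evaluate(profile, a) for a in attempts]


if __name__ == "__main__":
    for decision, score, reasons in demo():
        print(f"{decision:8s} score={score:3d} {'; '.join(reasons) or 'no risk signals'}")
```

Two design choices matter here: the profile is only updated on a silent allow, so a step-up or deny never teaches the system that a suspicious device or location is normal, and every score carries its list of reasons so an analyst reviewing a denied transaction can see exactly which signals fired.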
Revenue vs. Customers.
According to Art Coviello’s words, “Our customers remain our first priority.” According to RSA’s actions, however, it’s not that clear-cut.