Yes, sometimes it’s as bad as we fear
In the process of researching something else, I stumbled across an audit of a NYS agency with the grim title, “Mobile Devices with Sensitive Information are not Secure.” By the time I got done reading and browsing other audits, I totally forgot what I was looking for in the first place, but here’s what I found:
In August 2011, the Office of the State Comptroller published its audit of the New York State Office of Children and Family Services and found mobile security was seriously deficient. From their report:
We were able to access confidential information, including pictures of injuries related to investigations, progress notes, and files related to court petitions and medical requests, from mobile devices being used by staff at the Local Districts. Furthermore, we found three Local Districts were missing over 100 devices that could contain unencrypted caseworker data.[…]
During our site visits, we found child welfare data resided on unencrypted mobile devices and is not protected against unauthorized use. These include Quick Pads, Alpha Smarts and laptops with and without the Office for Technology image. There is a high risk an unauthorized user can obtain confidential information from these devices. This risk is further increased since some Local District staff connect the laptops to public wireless networks. We found:
Audit Findings and Recommendations:
- Unencrypted child welfare information on 14 laptops, some of which are used outside the Local District offices, at two Local Districts: Montgomery and Westchester counties. This information included investigation pictures, case notes, medical requests, police escort requests, school records and court petitions. Pictures on one laptop dated back to October 2009 and another laptop contained over 100 images. Additionally, we identified other laptops that did not have proper security settings in place. Although these devices were encrypted, some were missing security updates and none of the ones we reviewed had screensavers with password protection. The Information Security Officer should be providing guidance and direction to the Local Districts so that all devices being used have appropriate security controls in place.
- Eighteen of 91 Quick Pads at four Local Districts: Jefferson, Orange, and Westchester counties and New York City Administration for Children’s Services, contained confidential data about case investigations including names, phone numbers, information about drug use, sexual abuse, and financial information. We also recovered deleted data on two Alpha Smarts at another Local District. We were able to see names, addresses, phone numbers, medical information, and other sensitive information. Data on these devices needs to be overwritten to prevent old data from being recovered. Because Quick Pads and Alpha Smarts are not and cannot be encrypted, an unauthorized user only needs physical access to the device to read the data it contains.
- Twelve percent of the laptops with the Office for Technology image are not encrypted; despite the fact the current version of the image includes full disk encryption. Staff in the Office’s Information Security Unit told us some of these might have been issued during the initial pilot in 2006 when encryption was not yet required. However, in a 2006 report communicating the results of the pilot, the Office indicates they anticipated encrypting laptops used in the field.
We surveyed the Local Districts about the guidance they received from the Office in securing mobile devices. Out of the 55 Local Districts that responded, 18 stated they did not receive any guidance from the Office or only received cable locks for their laptops. The Office does not have a mobile device policy to guide the Local Districts nor does the Office require laptops and other mobile devices be encrypted in any of its other security policies. The Information Security Officer told auditors Local District staff do not store data locally. Further, the Information Security Unit believes Local Districts are not required to comply with the Standards, which require third party laptops containing personal, private, or sensitive State information to be encrypted.
You get the drift.
One year later, in September 2012, the state audited the agency again to determine if its recommendations had been implemented. From their report, it seems that the state agency implemented the recommendations. That’s good to see, but the fact that data on mobile devices had been unsecured or missing for years and would have likely remained that way were it not for the audit is … scary. What about auditing other state agencies for mobile security? This agency wasn’t the only state agency where serious security issues were noted in audits. And I’m particularly concerned about the NYC Department of Education, where earlier audits revealed serious deficits that the agency had not corrected.
With the recent hack of the South Carolina Department of Revenue, I would hope NYS agencies have gone into high gear to adequately harden their controls and protect our data. I would hope, but I am not optimistic.