By Scott Olson
JULY 10, 2006
A third of all data leaks are at universities. Academia should be held to
stricter record confidentiality standards
It pains me to say it: I am advocating government intervention and new
regulations. But, as they say, special circumstances apply.
As an alumnus of the University of Texas at Austin, specifically its
McCombs School of Business, I was chagrined to learn that hackers recently
gained access to some of the school's 197,000 records, some of which
included my Social Security number (SSN) and other personal information,
as well as that of many other alums.
I've signed up with a credit-monitoring bureau and requested that the
three main credit-reporting agencies put a fraud alert on my records. So
the hackers have already made off with quite a lot: my time, my money, and
my already fragile peace of mind.
WAKE-UP CALL. It can sometimes take an incident like this to jolt you out
of the theoretical. I've been in the network security industry for nearly
two decades and am familiar with the latest technology, trends, and
what-have-you. But this time, it's hitting home. And certainly not just
for UT alumni: Data thieves are helping themselves to personal data at
schools across the nation, as the recent penetration of three Ohio
University servers holding the SSNs of 137,000 people attests.
It got me thinking: Colleges and universities should be held to the same
government compliance standards as companies that operate in health care
or financial services.
After all, a third of all data leaks are at universities, according to
CNET Networks (CNET). That's not surprising, as universities walk a fine
line between ensuring that users, many of whom are using personal laptops
and other devices, have continuous access to network resources, while
keeping those same resources safe from infections and unauthorized access.
All too often, security gets shoved to the back burner in favor of keeping
networks open and users productive. Cybercrooks, recognizing a good thing
when they see it, are making hay while the sun shines.
HACKER HEAVEN. The proliferation and ease of use of wireless technology
certainly haven't helped. I've talked to network administrators at some of
my company's university customers; they report students doing everything
from setting up unsecured wireless networks from dorm rooms to maliciously
distributing worms that create a back door into the data files of infected
systems. And once students are done wreaking their havoc, the chinks
they've created in the network's security provide cybercriminals with yet
another avenue into the network interior.
Clearly, it's time for some guidelines for the protection of sensitive
personal information in this overly dynamic environment. And I think it's
going to take a government mandate. Don't get me wrong. I am in favor of
market-driven initiatives. But the realist in me can't believe that, with
their resources already stretched thin, the constituents of this
splintered and diverse market can impose and enforce their own
Naturally, this brings to mind the government-enforced regulatory alphabet
soup (CFR Part 11, GLBA, HIPAA, etc.) that, among other things, provides
rules to protect record confidentiality.
SAFEGUARDING SOCIAL SECURITY NUMBERS. Take, for instance, HIPAA, the
Health Insurance Portability & Accountability Act, which is designed to
ensure that health-insurance coverage is available for people who lose or
change jobs. This rule, which also establishes standards for the
maintenance of patient records, has had some very positive outcomes.
My health-insurance card, for instance, now bears a member I.D. number
that differs from my SSN (a valid comparison when you consider that many
universities use a student's SSN as a "student I.D. number," which means
that the SSN is repeated on just about every scrap of information about
that student). I'd say that's a change for the better.
But the HIPAA experience has certainly not been all positive. Written in
1996, and made effective in 2003, this well-intentioned act has spawned
its own industry: Books, Web sites, e-mail newsletters, and the like
proliferate, thanks to HIPAA's sheer complexity. Just googling "HIPAA
Consulting" will generate in excess of 22,000 hits. The plethora of HIPAA
consultants, methods, and approaches underscores just how challenging
meeting these requirements can be.
LEARNING FROM HEALTH CARE. Even the HIPAA agreement you sign at the
doctor's office reflects this. Here's a favorite quote of mine, pulled
from a real HIPAA form: "If you do not object to these disclosures or we
can infer from the circumstances that you do not object or we determine,
in the exercise of our professional judgment, that it is in your best
interest for us to make disclosure of information that is directly
relevant to the person's involvement with your care, we may disclose your
protected health information as described."
I'm sure this is not what those at the Health & Human Services Dept. had
in mind when they crafted HIPAA.
So let's learn from HIPAA and its letter-happy brethren. Surely we can
craft regulations for higher education that discourage the use of SSNs
without creating too onerous a burden.
Let's try something simple that mandates that colleges and universities
have, say, one year to protect personal information by insulating it from
the general network. Stage 2 could allow five years to phase out use of
SSNs as the key identifier for anyone for whom that organization retains
personal information, not just students and faculty.
Stage 3 could call for authentication methods that require a unique
identifier other than SSN to allow interaction such as student
registration, faculty study guide posting, and supplier order access. The
negative reinforcement could take the shape of a publicly available,
government-maintained Web site that identifies those universities and
colleges who fail to take the privacy of their stakeholders as seriously
as they ought.
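The three stages above, sketched as an added example of how a records system could follow them; this is not code from the column or from any university's systems, and the names (RestrictedVault, migrate, lookup, the legacy table) are assumptions made up for illustration.

```python
import hashlib, hmac, json, re, secrets

# Constructed legacy table: records keyed by SSN, as the column describes.
LEGACY_RECORDS = {
    "123-45-6789": {"name": "A. Student", "role": "student"},
    "987-65-4321": {"name": "B. Faculty", "role": "faculty"},
    "555-12-3456": {"name": "C. Supplier", "role": "supplier"},
}
SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")

class RestrictedVault:
    """Stage 1: the only component that handles SSNs, kept apart from the
    general record store. It holds a keyed HMAC of each SSN (key never leaves
    the vault), enough to confirm a presented SSN without storing it in clear."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._tags = {}  # surrogate id -> HMAC tag

    def _tag(self, ssn):
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).digest()

    def store(self, surrogate_id, ssn):
        self._tags[surrogate_id] = self._tag(ssn)

    def verify(self, surrogate_id, ssn):
        tag = self._tags.get(surrogate_id)
        return tag is not None and hmac.compare_digest(tag, self._tag(ssn))

def migrate(legacy, vault):
    """Stage 2: rekey each record by a random surrogate identifier, hand the
    SSN to the vault, and keep no SSN field in the general-network directory."""
    directory = {}
    for ssn, attrs in legacy.items():
        surrogate_id = secrets.token_hex(8)  # random, not derivable from the SSN
        vault.store(surrogate_id, ssn)
        directory[surrogate_id] = dict(attrs)
    return directory

def leaks_ssn(directory, legacy):
    """Audit check: does any legacy SSN appear anywhere in the directory?"""
    return any(ssn in json.dumps(directory) for ssn in legacy)

def lookup(directory, identifier):
    """Stage 3: only the surrogate is accepted; an SSN-shaped identifier is
    refused outright instead of being looked up."""
    if SSN_PATTERN.match(identifier):
        raise ValueError("SSN is not an accepted identifier")
    return directory.get(identifier)
```

The leaks_ssn check is the kind of audit a compliance review could run against any store reachable from the general network.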
Of course, nothing in life is quite that simple. But if we start with the
idea that this can be an exercise in common sense, then we should be able
to arrive at a solution that solves more problems than it causes.
Copyright 2000-2006 by The McGraw-Hill Companies Inc.