“They’re probably going to spit in your food now.” It’s a statement that you’ve probably heard at some point, spoken among adults at restaurants the way we tell kids about the boogeyman in their closet. If you anger your server, there’s a chance they’ll seek revenge in the most disgusting of ways as viewers of Ryan Reynolds in Waiting have seen. It’s not always malicious either, sometimes it’s accidental. Which is why very few restaurants still take your plates away when you want your left overs wrapped up, instead they simply bring the box to the table and let you do the work. It’s not that they are lazy, but rather to avoid any questions of the sanitary conditions under which your food was transferred. A family friend frequently tells the story of when she was working in a kitchen when the owner scraped a plate into the slop bucket and, upon hearing that the food was destined for a doggy bag, simply scooped it out and into the container. The idea is to maintain the chain of custody, a phrase most of us have heard because it comes up on every police procedural at one point or another.
Chain of custody, for those that haven’t turned on their TV in the past twenty years, is a concept that involves the strict ownership and control over the item in question. For example, if a bank is moving cash from a branch office to a head office in a movie, the chain of custody involves the following:
The bank manager places the counted money in tamper-evident bags and records the total amount prepared for shipment.
The bank manager transfers the bags to the armored car drivers who sign for the shipment and load the truck.
Upon arrival at head office, the armored car drivers unload the shipment and transfer it to the receiving clerk.
The receiving clerk breaks the sealed bags and counts the money.
Since this is a movie, during one of these steps the heist is going to occur and somebody outside the chain of custody will manipulate the events.
There are, of course, other places where the chain of custody can, and should, be applied. One of these is in the transit of data. Amazon thought of this with the Snowball and, later, the Snowmobile. It’s important to know that the data you start with is the same data you end with. Any changes or manipulation of that data in transit could be devastating. Those with even limited exposure to the wonderful world of information security will know this as Integrity from the CIA Triad. When we’re talking about chain of custody, that’s all we’re really talking about, maintaining the integrity of the item, in this case, the data.
My wife recently broke her toe and chipped the bone in her foot. She was sent for a walking cast, to a fracture specialist, and for X-rays. While this may seem like a complete tangent from the article, it’s actually the inspiration for it. When my wife had her X-rays done, the clinic sent the images to her doctor but also provided her with a CD containing the images in case her doctor was slow to respond or she wanted to get a second opinion. I, of course, had to explore the contents of the CD. It contained the images in a proprietary format, an application for viewing the images and embedded data, and auto-run data to load that application. When she went to see her doctor, he referenced a report from the X-ray technologist that he received only moments before our arrival at the clinic. Had we arrived an hour earlier, he would have taken the CD and inserted it into the computer to access the files – the same computer that contains patient files for every one that goes to the clinic.
“What’s the big deal? It’s just a CD.” Let’s look at the chain of the chain of custody for this CD.
The X-ray technician took the X-rays, wrote the CD, and provided it to my wife.
My wife brought the CD home and left it on the table.
I picked it up and explored the contents of the CD. Putting it back on the table when I was done.
My wife brought the CD to the doctor.
The doctor inserted the CD into the computer with patient files.
This may seem like a completely harmless chain but, then again, so does the server bringing your food into the kitchen to fill your doggy bag. If this was a rewritable disc, I could have replaced files or modified the contents. Even though it wasn’t, I could have copied the disc and put the copy with malicious contents back on the table for my wife to grab.
One blog post estimates that a doctor spends 30 hours a week seeing patients and can average 4-5 patients per hour. Let’s assume you expect to see a patient three times a year and want to be busy all the time. Assuming 2,000 unique patients per doctor, which this article appears to confirm, and a clinical staff of fourteen seeing patients, that’s 28,000 medical records that could be breached by a single malicious individual modifying a CD. Now does it seem like a big deal?
It’s time that we start to apply basic security best practices to our day to day lives. Anyone dealing with critical information should pay attention to the data they handle, how they are accessing it, and where it originated. Basic information security classes should be mandatory to all professionals that handle sensitive information and the best place to start applying this principle would be with doctors and other health care practitioners.