Friday, August 7, 2015
Health IT Cyber Thieves have their own "ENIGMA"` machines
Veterans of World War II will remember the efforts to crack the Japanese encryption used for military communication during WWII.
Enigma was invented by the German engineer Arthur Scherbius at the end of World War I. Early models were used commercially from the early 1920s, and adopted by military and government services of several countries, most notably Nazi Germany before and during World War II. Several different Enigma models were produced, but the German military models are the most commonly recognised.
The mechanical/electrical components of the device were easily duplicated. The secret sauce was in the encryption method.
German military messages enciphered on the Enigma machine were first broken by the Polish Cipher Bureau, beginning in December 1932. This success was a result of efforts by three Polish cryptologists, Marian Rejewski, Jerzy Różycki and Henryk Zygalski, working for Polish military intelligence. Rejewski reverse-engineered the device, using theoretical mathematics and material supplied by French military intelligence. Subsequently the three mathematicians designed mechanical devices for breaking Enigma ciphers, including the cryptologic bomb. From 1938 onwards, additional complexity was repeatedly added to the Enigma machines, making decryption more difficult and requiring further equipment and personnel—more than the Poles could readily produce.
On 25 July 1939, in Warsaw, the Poles initiated French and British military intelligence representatives into their Enigma-decryption techniques and equipment, including Zygalski sheets and the cryptologic bomb, and promised each delegation a Polish-reconstructed Enigma. The demonstration represented a vital basis for the later British continuation and effort. During the war, British cryptologists decrypted a vast number of messages enciphered on Enigma. The intelligence gleaned from this source, codenamed "Ultra" by the British, was a substantial aid to the Allied war effort.
What does this have to do with health information technology and mobile health in particular?
Ask Google, since they are planning regular weekly updates to the android operating system.
Google's comment regarding the 'stagefright' hack,
"This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users...As part of a regularly scheduled security update, . And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat." How to see if your Android Device is vulnerable to the Stagefright hack ?
Google's Android Blog "Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store."
In recent months many breaches have been reported by health insurers. In most instances medical records were not accessed other than an attempt to gather consumer identification and credit information. Identity theft is a major concern.
The moral of the story is that security breaches will be present for a long time. Thieves are inventive.