Category Archives: Security Breaches & Data Loss Incidents

The Shocking Facts About Data Loss Protection You Didn’t Know

Data loss is, quite simply, a reality for businesses operating in the 21st century. It is often thought of as being caused by external threats such as cyber attacks. But data loss is also caused by internal threats, and this is often more dangerous as it can affect companies of any size. We’ve rounded up some shocking facts about data loss protection you need to know about:

Over 50% of critical corporate data sits on unprotected PCs

Remote work has only really started to come into its own in the last five years and it is increasing at a truly rapid pace. Unfortunately, businesses do not seem to be ensuring that their DLP and cyber security plans keep up with the way their industries are changing. Personal computers, particularly laptops but also home desktops, carry the same levels of risk when it comes to internal loss of data.

Small businesses that experience drastic data loss go out of business within a year

This is probably the most shocking statistic for SME and SMB owners. The harsh reality is that, if a sufficient DLP strategy is not put in place, you may lose data via internal sources. Sometimes it’s malicious, sometimes it simply comes from a careless click.

Think about your company’s most sensitive data and what its release would mean in terms of a worst case scenario. Would you be financially liable to the individuals concerned? Would it ruin your company’s reputation? Are you likely to be seriously affected if a competitor sees your intellectual property? If the answer to any of these is yes, you should be seriously considering updating your DLP strategy, or implementing one if you don’t have it already. 

75% of all mobile apps fail a basic security test

Regardless of whether you supply employees with a company mobile or if you have a Bring Your Own Device policy, your employees will install apps on their phone. This is both an internal and an external threat. The employee installs an app on their phone that does not have sufficient security – an internal threat. The levels of encryption that you have put in place can now be breached – an external threat. A good DLP strategy will see that you have buy-in with your employees to ensure that they know the risk of what they are downloading and outline necessary steps and criteria to follow.

Cyber crime damage costs to hit $6 trillion annually by 2021

And cyber crime is reportedly the fastest growing crime in the United States. While this refers to all cyber crime, not just internal data loss, it still sits as an astounding figure. Data Loss Protection strategies work hand in hand with additional cyber security measures. Many of the precautions you take to protect against internal threats will also protect against external threats but it is essential that you address both so that your company does not contribute to this statistic.

Data loss protection is all about managing risk. You can’t eliminate it completely but it’s important to stay on top of where the trends and technology are moving to ensure that you have your company and its sensitive data covered. These facts will hopefully make you see the huge global impact of data loss and the effect that a well-communicated DLP strategy can have.

Data Loss Statistics That Might Shock You Out of Complacency

We hear about data loss statistics in the news media from time to time when large breaches occur, often in big multi-national companies or government departments. It’s rare for the news media to report the smaller data breaches as they are less exciting, yet this is where much of America’s data loss is occurring. Internal breaches where employees either accidentally lose data, or do so with malicious intent, happen on a daily basis. These statistics are to help give you an idea of how ingrained and widespread the problem is for companies of all sizes:

43% of data breaches are internal
This is an alarming statistic and an often overlooked one. A common misconception is that loss of data occurs mainly from malicious cyber-attackers. While external breaches still count for over half of all data breaches, and are certainly on the rise, internal data breaches are also increasing and account for almost half of all data breaches.

If we were to break that number down even further, half of these breaches were done by accident, and half were intentional on behalf of the employees.

So, what does this mean for employers?
The problem is two-fold so it must be approached in the same way. Firstly, a process-driven approach can significantly lessen the number of breaches that occur by accident. A good data loss protection strategy that is effectively communicated to employees will help to protect companies, regardless of their size.

Secondly, it’s important for employers to consider if there are any environmental factors that may cause an employee to release data intentionally. If there is a high incentive for them to release specific information, such as financial reward or other gain, look at how well that data is protected and whether it can be accessed only by employees who need it.

Also look at your company culture and assess whether there is any emotional incentive. Disgruntled employees who perceive, rightly or wrongly, that they have not been well looked after, are often overlooked for the high risk that they present to companies. Sometimes, there’s absolutely nothing an employer can do to stop their employee feeling a certain way, hence the importance of a good data loss protection strategy. However, in many cases, these employees would present no risk at all if companies had sufficient processes and schemes in place that made the employee feel valued.

60-70% of all data breaches can warrant public disclosure
This statistic is the most harmful to the reputation of your company. It comes from an Intel study done in 2015 and is even more relevant now as internal data breaches are on the rise. Broken down, the study found that, specifically, 70% of incidents in smaller commercial organisations, SMEs or SMBs, warranted either public disclosure or had a negative financial impact.

So often, the focus around data breach is on infiltration, or attack from the outside and how to prevent it. However, as studies have shown, many breaches actually come from the inside of small to medium businesses. It’s important for employers and small business owners to take notice of these statistics and consider how they could affect their own companies. Our advice is to be mindful of the data that is in your company’s possession and look at ways to prevent it from being released internally through good company culture and an effective data loss protection strategy.

Five Steps to Better Data Loss Prevention

Data Loss Prevention (DLP) protects companies against the loss of sensitive data. In the world of data, everything has increased. IT and cloud based software and apps, cyberattacks and increased mobile usage of employees are just some of the ways that confidential data can escape from a company. A relevant and working DLP strategy is key to preventing this from happening, or managing it in the most effective way possible, so we’ve put together five steps to better protect data.

Protect data in all locations

We mentioned mobility because it is one of the areas that even a great DLP strategy can completely fall over on. While a company might have fantastic Data Loss Prevention within its corporate LAN, this no longer serves as a contained endpoint for data loss. With mobile and cloud-based software usage at its current rates, data needs to be protected wherever it is. Additionally, look at finding an offsite server to back up your company’s data in case of an emergency breach through a natural disaster, crash or cyberattack. Having your data held in more than one physical location serves as an additional protection mechanism.

Prioritize the important stuff

DLP’s main role is the protection of sensitive data. There has to be a balance in companies between allowing file sharing to go relatively unhindered in order to boost productivity, and creating systems that prevent those files from being lost. This is generally done by choosing which of those files would be most detrimental to lose, for instance, intellectual property or financial records. This gives you somewhere to start and means that a DLP system won’t lower productivity for files whose public release would not be at all catastrophic.

Get to know your data

Monitor and track the regular movement of your data. This is particularly useful for picking up when there are internal threats in general, but mainly it makes it clearly visible where your sensitive data is going, and what threats it might face along the way. Doing this ensures that you are across what is happening with your data, and therefore will be able to ensure that the DLP strategy you apply will work for your company.

Ongoing help

Realize that a plan to prevent data loss is not a one-off investment of money, time and resource. Data loss involves people, IT, and the web, all of which are constantly changing. Your DLP plan needs to constantly change and mature also. Engage with security solutions specialists to amend and rework all parts of the strategy, and then look internally to ensure that staff are receiving the guidance that they need – and that the strategy actually works for them and the way they work.

Incremental change

Much like the strategy itself, which constantly needs to rework and change, so too will your employees as they will be integral to ensuring the strategy’s success. Running a pilot that protects only the most sensitive data is a way to safeguard yourself against purchasing an incredibly comprehensive DLP strategy that doesn’t operate quite in the way it should. It’s only by testing it out in an incremental way, monitoring the data movement, as well as how employees are using the policies, systems and plans, that you’ll be able to ascertain whether that system is right for the business.

IT security no longer lies just with anti-malware or virus software. The significant advances in IT have brought with them substantial amounts of information and knowledge sharing through data. While this has seen a momentous boost in productivity, knowledge, and ideas for many companies, it has also increased the risk of important information getting into the wrong hands. Data Loss Prevention is an essential part of any company’s security policy and, with these five steps, you will be able to achieve a strategy and a plan that works for your company.

Data Loss Disasters: Are You Covered In An Emergency?

The dreaded crash, the blue screen, or the security breach, brings on a familiar feeling of terror to every computer user. For small to medium sized businesses who are increasingly relying on software and cloud-based solutions to boost their company’s productivity, the stakes are much higher when this happens. The issue with the increase in IT solutions is that this also needs to be coupled with an increase in data security, particularly in the case of an emergency, and this doesn’t seem to be happening with SMBs. According to The National Archives & Records Administration in Washington, 43% of companies with no data recovery and business continuity plan actually go out of business following a major data loss.

While this covers all data loss, and not just internal threats such as accidental or malicious leaking, it is still a startling figure and one that can be easily addressed with a Data Loss Prevention (DLP) strategy. Any good plan should always incorporate an emergency scenario and that is what we will be discussing today, how to cover yourself in a data loss emergency.

Clear communication
This should be one of the most important features of any emergency response plan. When things go wrong people panic, people try to cover up and people inevitably do not take the most rational and responsible course of action. By ensuring that your emergency DLP plan is simple and succinct, and is clearly communicated to all staff in a way that they can easily action, you’ll help to ensure that employees take the right action.

Back it up
Knowing the risks is the first step to appreciating just how important data backup is. There are the ‘real life’ physical threats such as vandalism, fires and floods, and even power surges which affect thousands of computers every year. Then, of course, there are the not so physical threats such as cyberattacks and ransomware. With so many ways for an emergency data loss to occur, backing up files is crucial to prevent data loss in these situations, and always the easiest solution if it does occur.

Backup again. And again
Automate the backup to ensure that nothing is left to chance and that it occurs on a regular basis. Then find a separate server in an off-site location that will prevent data loss if your entire internal system is compromised. Again, it’s always easier to be able to recover the data from a backup, than from a crash.

Decent security
Your emergency response plan should employ or align with security professionals, largely to prevent the ever-present threat of cyberattack. Security professionals will be able to continually change multi-layer encryption and changing algorithms as part of their prevention plan, but they will also need to constantly update and review the emergency routine as part of this.

Given that most of us have experienced a computer crash in our lifetimes, we all know that emergencies happen. With the increasing threat of cyberattack, these emergencies are now much more widespread than ever before. By treating emergency data loss like it’s a reality, you’ll be able to create an environment where data is sufficiently backed up, and where an emergency response plan is as up to date and impenetrable as possible, and clearly communicated to staff so that it actually works.

5 Common Misconceptions About Data Loss Prevention Debunked

In an age where sensitive information lives in clouds and on endpoints, instead of behind lock and key, Data Loss Prevention has become big business. That infamous saying ‘at the click of a button’ now has to be a carefully monitored click to ensure that critical information isn’t shared with the outside world, either maliciously or by sheer human error. DLP can be a confusing area of the technology industry, not to be confused with its anti-virus counterparts, so we’re here to debunk some of the most common misconceptions people have around DLP:

The threat is from the outside
The ‘which is worse’ debate is hotly contested between inside vs outside threats, with the likes of Intel suggesting that internal actors were responsible for 43% of a company’s data loss, and half of this activity considered malicious, half accidental. Regardless of which statistical report you believe, internal threats make up a huge amount of a company’s data loss, particularly as internal threats have greater access to this data. They shouldn’t be ignored in favor of outside threats, which are often perceived as more dangerous.

Ready-to-wear solutions
Outside threats have held huge significance in our lives over the years – of any technological breach, outside threats are the ones that take up the most space in our news media, and what we absorb from the internet. Because of this, some companies approach DLP from an ‘outside threat perspective.’ That is, they talk in the language of patches, firewalls and anti-malware. DLP needs a different approach because it is not a piece of software. The exciting thing about DLP is that it is an all-encompassing, working strategy fitted to your company, rather than an out-of-the-box, download it and hope it works software solution.

Call the IT department
Similar to our last point, there can be a misconception around who should be running a DLP strategy within a company. While DLP incorporates many technological elements to it, thinking that it should be an IT responsibility is along the same lines as treating DLP like it is simply software. To truly get the most out of a DLP strategy, it needs buy-in from all corners of the company. The threat is from the inside, therefore all those on the inside must be on-board with minimizing it, in order for it to work. How to do it? Delegate responsibility to its relevant skillset. Certainly pass over the specific technological aspects to the IT team, but also think of creative ways that leaders and communications specialists can communicate direction and action points to all staff.

Productivity grind
We have all experienced the dreaded words ‘new strategy’ at certain times in our career to be synonymous with ‘new admin’. It’s a common misconception that Data Loss Prevention will be time-consuming and add unnecessary frustration to a staff member’s already busy day. It’s crucial that we debunk this one as it is what will inevitably derail that buy-in from all staff members. DLP has been in the marketplace for a significant enough amount of time that its systems and protocols are fine-tuned and highly personalised. Professionals can look at a company and tailor a solution that’s convenient and efficient in requiring authorization only where it is needed. The key to this is, of course, how DLP strategy is implemented at the start. If policies clearly outline the levels of authorization, this clears up any risk of blanket rules applying across companies and slowing things down.

Too big to handle
For many small companies, DLP can seem overwhelming and the question is often raised as to whether it is really necessary for a small business to implement. The risk of data loss applies to all companies, big or small, so the question should be framed more around how sensitive the information is and how catastrophic it would be, should it be leaked. If the risk is high enough for either, then DLP shouldn’t be considered a solution that is too large for a small company. Because DLP is a series of policies and protocols, as well as the technological aspect, it can be applied incrementally. What is the area of a company that is most at risk? Set up DLP procedures around that data only and move on to the next important set of documents when you can.

While none of us want to believe that the employees who work for us, or alongside us, are capable of maliciously leaking sensitive data, the reality is that they are, as well as leaking it by accidental means. The Data Loss Protection marketplace looks to combat this with an holistic approach that involves more than just software and IT teams – it’s a company-wide program whose ownership lies firmly in the hands of the people who use it, not the technology itself.

2016: Data Breach Statistics, Year until 10/19/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted as of October 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.


August 26, 2016 – County of Sacramento, California, issued a statement that an unknown number of records with personal data were exposed due to an error in the online automated application for Emergency Medical Service license. The information included name, address, social security number, driver’s license, phone number and date of birth of the applicants. Although there has been no report of misuse of PII, the county offered one year of Experian credit monitoring services to the affected people as a precaution.

Source: California Attorney General


September 26, 2016 – A worker at Yale-New Haven Hospital and her friend were arrested for illegally procuring classified personal information of at least 20 near-death patients and using the stolen data to obtain credit cards and become beneficiaries of their insurance policies, among other planned crimes. This had been going on for two years before they were caught. A year’s credit monitoring has been offered to the victims.

Source: Media: News 3

August 12, 2016 – Bon Secours Health System disclosed that R-C Healthcare Management, a third-party vendor managing their Medicare and Medicaid reimbursement, accidentally left patients’ files accessible over the internet while updating network settings. About 665,000 records containing patient name, health insurer’s name, health insurance identification number, social security number and some health information were exposed to the general public. A forensic investigator was hired to correctly identify the people affected by this breach, who were then informed about the incident. 435,000 were from Virginia and the rest were from Kentucky and South Carolina. No misuse of the exposed data has been reported so far.

Source: Media:


September 22, 2016 – Premier America Credit Union, California, reported that a departing employee sent an account list containing name, address and possibly social security and/or employer identification number to his personal email address, most likely for future solicitation purposes. The employee was reminded of his obligations and company regulations and advised not to use any of this information for any purpose. The management further offered one year of complimentary Experian credit monitoring services to the victims.

Source: California Attorney General

August 8, 2016 – 7-Eleven reported that in June 2016 during a regular maintenance cycle some of the franchisees received the records of employees other than their own franchisee’s employees. The exposed information contained name, address, phone number and social security number of 7,820 employees. The correction was completed within 5 days. 7-Eleven offered 12 months of First Watch Technologies’ professional identity monitoring service to the victims in addition to $1,000,000.00 in identity theft insurance with no deductible.

Source: California Attorney General

Major Insider Data Breaches in Government Sector in 2015-16

In our last post, we talked about insider threats being faced by government organizations.

Today, we are sharing examples of data loss incidents that have affected the government sector because of insiders. Though sporadic in nature, they give a deeper insight into how vulnerable the government is.

  • In June 2016, The Washington State Liquor and Cannabis Board stated that the personal information of marijuana license applicants was released in response to a public record request. The exposed information included social security numbers, tax and financial information, attorney-client privileged information for an unknown number of records. The License Control Board had accidentally sent in the PII along with the requested information.
  • Virginia State Corporation Commission suspects that a former contractor made copies of PII for an unknown number of people whose license had either expired or lapsed between 1979 and 2004. This came into light in June 2016.
  • In April 2016, the FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of affected people on a personal portable device. When the breach was detected, the employee was contacted, who immediately returned the device and signed an affidavit stating that the information was not used for any purpose.
  • In February 2016, Washington State Health Authority (HCA) notified that 91,000 records of Apple Health (Medicaid) clients were accessed without proper authorization by an employee. Social security numbers, dates of birth, Apple Health client ID numbers and private health information were passed to another state agency’s employee. After internal investigation, it has been established that the classified information did not get beyond these two employees but as a precaution, free year-long credit monitoring has been offered to the affected people. Both employees have been fired since the incident happened.
  • County of San Diego confirmed in January 2016 that the classified records of all employees were sent to Wells Fargo, rather than only the records of those who were set up for health savings accounts (HSAs). Consequently, the bank set up HSAs for all the employees. The county and Wells Fargo are working together to delete unwanted records. Free year-long credit monitoring has been offered to the affected people. The breach is being deemed an accidental error due to incorrect program code for data transfer by Hewlett-Packard Enterprise Services.
  • In October 2015, the Vacaville Housing Authority (VHA) notified affected individuals that one of their employees unintentionally sent an email to a person with an attachment containing their names and social security numbers. The receiver immediately informed VHA about the lapse and they deleted the email from the person’s computer. As a precaution, VHA has offered free credit monitoring service to affected customers for 12 months.

A 2016 U.S. Government Cybersecurity Report by SecurityScorecard reported the following:

  • Government sector has the lowest security score as compared to retail, transportation, healthcare and other sectors
  • NASA is at the bottom of 600 government organizations, followed by US Department of State, IT systems of Connecticut, Pennsylvania, and Washington.
  • Three areas where government organizations struggle with security are – Malware Infections, Network Security and Software Patching

While government organizations are enhancing their cyber security strategies, there are still many risks that they need to address. A holistic view of their strengths and weaknesses will enable them to implement the right solution and take proactive measures aimed at addressing the risks posed by internal threats.

12 Million Records Breached by May 2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Since our last report in February on statistical data, 327 data breaches affecting 10 million+ records have been reported.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted between February and May 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.


11 April, 2016 – FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of the affected people on a personal portable device. FDIC uses technology to track downloads to portable devices. On detection, the employee was contacted and immediately returned the device and signed an affidavit stating that the information was not used for any purpose.

Source: Washington Post


February 2, 2016 – Hawaii Medical Service Association (HMSA) disclosed that they accidentally sent 10,800 letters to wrong addresses instead of the rightful owners. Luckily, the letters did not have any sensitive data but only information about how these patients can better manage the ailment they are suffering from. The affected members were contacted telling them of the mistake and answering any questions they might have.



March 15, 2016 – Laborers Funds Administrative Office of Northern California, reported that an undisclosed number of records had been compromised due to a computer error. Classified information of not only members but also their dependents was accidentally emailed to a fund member instead of the IRS. The office does not believe that the information has been misused but they have offered a one year free credit monitoring to all the affected people.

Source: California Attorney General

March 7, 2016 – Turner Construction, San Diego, California, stated that an undisclosed number of records with classified information were breached as an email containing sensitive information was accidentally sent out to an unauthorized party. The company has since taken many steps to mitigate the threat. Kroll, an ID monitoring service, has been engaged to provide free monitoring to all the affected people for ten years. The services include Credit Monitoring, Web Watcher, Public Persona, Quick Cash Scan, $1 Million Identity Theft Insurance, Identity Consultation, and Identity Restoration.

Source: Maryland Attorney General


16 May, 2016 – Poway Unified School, California inadvertently released data of about 36,444 students and their parents to one parent who had requested information related to her name only. The information included children’s names, nicknames, addresses, phone numbers, hearing and vision exam results, dates of birth, language fluency, academic test results and occupation of parents. It did not list the social security numbers. The exposed data falls under protected information under the Family Educational Rights and Privacy Act and the school could risk losing federal funding. The data contained information of about 70,000 people.

Source: San Diego Union Tribune

25 January, 2016 – California Virtual Academies (CAVA), California informed its registered users on December 9, 2015 that their data storage system is prone to data breach. CAVA, within hours, was able to locate the vulnerability and contain it by securing the system. Since then, it has been established that unauthorized access was limited to the data security researcher who had initially notified CAVA. Users have been urged to check their personal accounts, change security settings online and read information provided on credit and identity protection.

Source: California Attorney General

Top Breaches in Retail in 2015-2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% of retailers believe that their organization is susceptible to insider threats.
  2. 48% of retailers have either had a data breach or did not pass a compliance audit in the last year.
  3. 77% of retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.


To emphasize the vulnerability of retail to data loss, let us look at four examples where sensitive information was compromised because of a breach (caused by external and/or internal factors).

  1. Target – Although this incident impacted Target retail stores in November-December 2014, it is worth mentioning as it has been deemed one of the most expensive breaches in the history of the retail industry. Almost 70 million customers had their personal and payment card information stolen. The hackers had installed malware on POS terminals. The breach cost Target more than US$ 3.6 billion.
  2. CVS/Walgreens – July 2015 saw a credit card breach where CVS and Walgreens came into the grip of malicious hackers. The pharmacies had to halt their online photo service in the wake of credit card theft.
  3. CVS – In July 2015, a pharmacy technician passed about 100 customer records between May 2013 and April 2015 to her property manager, who in turn used this unauthorized information to apply for loans and credit cards.
  4. Bed, Bath and Beyond – In September 2015, the retailer reported that an employee had stolen some customers’ credit card information with the intention to misuse it.

Reasons Why Retail is Different

Several factors make retail different from other sectors, and they call for a vertical-specific solution rather than a cookie-cutter one.

  1. Volume of Credit Card Transactions

In retail, the majority of payments are made using credit cards, making the sector highly vulnerable to breaches.

  2. High Employee Turnover

Retail has very high employee turnover. Employees fall into various categories – part time, full time, seasonal – and move quickly between departments, locations and employers. This makes employee training and monitoring very challenging, resulting in a higher risk of intentional or accidental breaches by insiders.

  3. Physical Security of Payment Endpoints

Access to payment endpoints is easy, whether they are POS terminals at stores or gas pumps. There are devices available that can be used on these payment terminals to capture sensitive credit card data.

  4. Multiple Locations

Large retailers have stores across various locations. The more locations there are, the higher the cost of implementing security measures.

  5. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of responsiveness. Retailers face very tough competition and are always on their toes to provide fast and satisfying service. Any kind of online authentication can easily slow down the process, tempting customers to move to other retailers.

  6. Working with Third Parties

Retailers work with a number of third parties. Many of these third parties manage sensitive data after uploading it to their own networks. This raises the risk of a data breach.


It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their own or third-party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way toward customer satisfaction and retention.

Best Practices in Securing Healthcare Data


Health is wealth. It is an old saying, but it carries an important underlying meaning. Consumers spend a great amount of money on wellness, prescriptions, medical examinations, lab tests, various auxiliary health procedures etc. As a result, healthcare organizations have become repositories of the vast amounts of sensitive data that these consumers share, making them soft targets for data breaches.

ITRC, Identity Theft Research Center, studied the trends of data breaches and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector, and 66.7% of the total records that were exposed were from the healthcare industry. ITRC also claims that as of date in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported to be affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Efficient algorithms and rules on the network help detect early whether PHI and PII are being accessed without proper authorization. Many automated tools available today can discover such a breach at its initial stage, and early detection can thwart data loss incidents.

Towards this, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications. It also helps identify sensitive information and prevents it from leaving the network. Zgate uses hybrid content analysis – combining digital fingerprints, Bayesian methods, and heuristic detection – to filter outbound traffic and detect confidential data.
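To make the idea of content analysis on outbound traffic concrete, here is an added example (not Zecurion's code and not a description of how Zgate is implemented) that combines two of the techniques named above: a document fingerprint built from hashed word shingles and a heuristic detector for Luhn-valid card numbers. The shingle size, the 0.3 threshold, the function names and the sample records are assumptions constructed for illustration; the Bayesian component is not shown.

```python
import hashlib
import re

K = 5  # words per shingle (assumed value)
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def shingles(text, k=K):
    """Hashed k-word windows of the text, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(max(len(words) - k + 1, 0))}

def fingerprint_overlap(protected_fp, text):
    """Share of the protected document's shingles found in the outbound text."""
    return len(protected_fp & shingles(text)) / len(protected_fp) if protected_fp else 0.0

def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text):
    """Digit runs of card length that also pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def inspect_outbound(text, protected_fp, threshold=0.3):
    """Return ("block" | "allow", reasons) for one outbound message."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"card_numbers:{len(cards)}")
    overlap = fingerprint_overlap(protected_fp, text)
    if overlap >= threshold:
        reasons.append(f"fingerprint_overlap:{overlap:.2f}")
    return ("block" if reasons else "allow"), reasons

# Constructed sample data (not real records; 4111... is a well-known test number).
PROTECTED = ("Patient Jane Example, date of birth 1980-01-01, diagnosis code X00, "
             "prescribed medication sample-drug 10 mg daily, follow-up in six weeks.")
PROTECTED_FP = shingles(PROTECTED)

if __name__ == "__main__":
    for msg in ("Lunch moved to 2 pm, see you at the clinic.",
                "fyi: Patient Jane Example, date of birth 1980-01-01, diagnosis code X00",
                "Please charge 4111 1111 1111 1111 for the order."):
        print(inspect_outbound(msg, PROTECTED_FP), "<-", msg)
```

Because the fingerprint stores only truncated hashes of the protected record, the inspection point can hold it without holding the record itself; a partial quote of the record still trips the overlap check.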

Multilayer Security Authentication

Multilayer security authentication is a must. Options such as a fingerprint, a retina scan or a smart card scan should be added to regular password options to establish the identity of the actual user. Each user’s role needs to be identified comprehensively, and the extent of authorization should be granted accordingly.

Encryption, Encryption, Encryption

Healthcare servers store vast amounts of confidential information. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7, 365 days a year, without failure. Still, just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

Management should have a formal, dedicated risk assessment team to look into the various techniques, procedures, and access points through which PHI and/or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.


Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.


Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down caregivers’ access to information. While there is no foolproof solution to any breach, it is best to go with the saying “prevention is better than cure”.