
DLP Strategies to Maintain HIPAA Compliance

Data loss prevention (DLP) for compliance is the process of ensuring that sensitive data is not breached through accidental or intentional release. Patient information is among the most sensitive information about any individual. With so much of it now stored electronically, it is essential that steps are taken to protect patient privacy and maintain HIPAA compliance.

In the US, a breach can mean both civil suits and large fines, sometimes up to $250,000 for the individual responsible. Under HIPAA's breach notification rules, any breach involving sensitive data that was not protected (encrypted) must be reported to the Department of Health and Human Services.

What is HIPAA compliance?

HIPAA stands for the Health Insurance Portability and Accountability Act. It’s the law of the United States that is designed to ensure anyone handling sensitive patient information is protecting it and taking reasonable preventative measures to avoid its release. It sits alongside the HITECH Act, which raises the penalties around the release of electronic health information. We’ll be concentrating primarily on the Security Rule of HIPAA in this article, as it relates to electronic health information, but it’s important to be aware of the additional laws that come with health data.

What is the Security Rule?

The Security Rule is the part of the Act that governs electronic protected health information (e-PHI): the creation, maintenance and movement of this kind of data. In short, the Security Rule requires covered entities to:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

How to become compliant

A good DLP strategy covers these requirements through software, plans and processes that healthcare professionals can follow in their day-to-day jobs without being slowed down in their crucial role.

That covers everything from access control over who can see, modify and send sensitive information, through to encryption and other safeguards applied whenever data is downloaded, uploaded, sent or received.

Healthcare institutions are also expected to audit, monitor and scale the process. This means continually assessing all data and how sensitive it is, monitoring its movement so that no breach goes unconsidered as technology advances, and ensuring that the DLP strategy keeps growing and adapting to protect sensitive data.

Essentially, lawmakers are looking to ensure that healthcare professionals are taking due care, not only with patient safety during treatment, but also when they are dealing with patient information – from their health data to their Social Security Numbers. If you follow the preventative strategies above, you greatly reduce the risk of prosecution.

10 Considerations for Implementing a Data Loss Prevention (DLP) Solution

Recently, industry analysts have noticed a massive resurgence in demand for DLP solutions. Given that need, organizations must keep to a defense-in-depth framework. There must be a balance between security and usability, and a trade-off between the probability of a threat and its consequences. Appropriate DLP practices are more important now than ever, and this trend will continue well into 2017 and beyond. With data breach incidents looming large across the globe, enterprises first need to consider all the aspects and issues before implementing a DLP solution.

So what really must be considered for implementing the best DLP solution?

DLP solutions are designed to reduce the risks related to information loss by proactively locating and controlling sensitive data. Answering the following questions in detail will help organizations implement a foolproof DLP solution to protect their sensitive data and evaluate the approach followed by a DLP solution provider:

  • What types of data should I monitor and control?
  • What actions can I take to reduce data-related risks?
  • How can I achieve this without impacting business as usual and in a cost-effective manner?
  • Does the DLP solution address a complete range of global policies that meet my compliance and corporate-security needs?
  • Does the provider:
    • Partner with infrastructure vendors to embed DLP classification technology and policies across all elements of the infrastructure?
    • Integrate with third party controls for enforcement and with SIEM vendors to provide a single pane of glass for incident management?
    • Use a common management policy and classification framework to manage policies and incidents?

10 Key Considerations

The following 10 key considerations cover sufficient ground for organizations seeking to implement a DLP solution:

  1. Understand and identify how your sensitive data are handled—DLP is a content-centered data-protection technology that relies heavily on the proper identification and classification of sensitive data and concomitant handling within an organization. This facilitates the creation and implementation of a comprehensive data-protection strategy.
  2. Assess and analyze the need to implement a DLP solution—The “go/no-go” decision should be based on an objective risk-based assessment and analysis of the following: the data that the organization wants to protect, the security risk based on current and future security architecture, total cost, cost of data loss, total cost of implementation and management, and value-added benefits of introducing DLP.
  3. Identify and involve representatives from across the board to understand the need—The team that decides the need for establishing DLP policies must have a representative from each team to develop the requisite corporate policies (senior management), perform risk assessments (risk management), identify recent security events (IT security, legal, compliance management), and ad hoc threats/concerns. This will improve understanding of organizational and business requirements, thereby helping cover more ground for implementing the DLP system.
  4. Break decision-making and implementation of the solution into phases—Before implementing the solution, the benefits and operational impact must be understood and accepted by the organization. Only then can the organization plan to implement the solution piece by piece to avoid disruption of regular functioning. There should be sufficient checkpoints to track changes and implementation of the new system.
  5. Test the implementation in a small unit before going full scale—Policy testing in controlled environments helps understand the effectiveness of the policy and its potential impact on the business before wider deployment. Phased implementation will surely help lower the impact on performance and promote a positive user experience. The DLP infrastructure and the network capacity must also be planned adequately to minimize impact on the business.
  6. Create meaningful DLP policies and policy-management processes—After the typical DLP activities have been identified, it is imperative to create relevant and meaningful policies to monitor or block (prevent) sensitive data from leaving an organization’s network. Review processes and periodic policy modifications (to combat new risks) must form a robust, controlled process.
  7. Set up an effective response mechanism—Response rules and alerts must be defined and configured to respond in a particular way for specific events. An event review team with adequate knowledge of business risk should review critical events (in detail) with care. Furthermore, this team should take appropriate actions in a timely manner following established procedures to comply with policies, laws and regulations. Doing so prevents a negative impact to the business.
  8. Gather data for proper analysis and reporting—DLP policies trigger events that usually provide critical insight into where, when, and how sensitive data are stored and handled within the organization. This can then be related to specific policies, departments, regions, and trends. Event profiles and trends, along with periodic reporting and its meaningful analysis (using the right metrics, patterns, and trends), help improve control practices and modify policies.
  9. Security and compliance measures must be in place—As a DLP system may collect data that are personal in nature or business sensitive, it is critical to adhere strictly to the data-privacy laws and regulations of the countries in which the data are collected. Based on the scope of implementation, appropriate measures, such as employee notification and consent, must be taken (if required). The DLP team should be part of the corporate security-governance structure and work closely with other security teams to ensure data protection.
  10. Make way for legitimate sharing of data—Data sharing and cross-sectional flow of business information is the lifeline of most organizations. Although organizations have to protect against loss or leakage of sensitive data, they must ensure that DLP solutions do not hinder legitimate data flow inside or outside the organization. This point is critical: if overlooked, the hindrance of legitimate data flow may lead to severe losses. Hence, there must be a team in place to review the business benefits of DLP on an ongoing basis and also verify its impact on legitimate data flow within the organization.
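Considerations 1, 6, 7 and 8 above all rest on the same core: content inspection that classifies a message by the sensitive data it carries and then applies a monitor-or-block policy per class, emitting an event for the review team. The Go program below is an added example of that core, written for this post; it is not code from the original article or from any vendor's product. Its rule patterns, the monitor/block thresholds, the key ids and the sample messages are assumptions chosen for illustration. The validators (Luhn for card numbers, the SSA structure rules for Social Security Numbers) are there to drop structurally impossible hits, which is what keeps false positives, and so reviewer fatigue, down.

```go
package main

import (
	"fmt"
	"regexp"
)

// Action is what a rule does once its data class is seen in a message.
type Action int

const (
	Monitor Action = iota // record an event, let the message through
	Block                 // record an event and stop the message
)

// Rule: one class of sensitive data, its pattern, an optional validator that
// discards structurally impossible hits, and the action once MinMatches hits remain.
type Rule struct {
	Class      string
	Pattern    *regexp.Regexp
	Validate   func(hit string) bool
	Action     Action
	MinMatches int
}

// Event is the record the review team reads and reporting aggregates.
type Event struct {
	Channel string
	Class   string
	Count   int
	Action  Action
}

var nonDigit = regexp.MustCompile(`\D`)

// luhnValid is the check-digit test that genuine payment card numbers pass.
func luhnValid(s string) bool {
	d := nonDigit.ReplaceAllString(s, "")
	sum, double := 0, false
	for i := len(d) - 1; i >= 0; i-- {
		n := int(d[i] - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9
			}
		}
		sum += n
		double = !double
	}
	return len(d) >= 13 && sum%10 == 0
}

// ssnValid applies the SSA rules: area not 000, 666 or 9xx; group not 00; serial not 0000.
func ssnValid(s string) bool { // the pattern guarantees the ddd-dd-dddd shape
	area, group, serial := s[:3], s[4:6], s[7:]
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// rules carry hypothetical policy values chosen for this example.
var rules = []Rule{
	{"ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), ssnValid, Block, 1},
	{"card", regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`), luhnValid, Block, 1},
	{"credential", regexp.MustCompile(`(?i)\bpassword\s*[:=]\s*\S+`), nil, Monitor, 1},
}

// Scan inspects one outbound message: the events raised, and whether it may leave.
func Scan(channel, text string) ([]Event, bool) {
	var events []Event
	allowed := true
	for _, r := range rules {
		hits := 0
		for _, m := range r.Pattern.FindAllString(text, -1) {
			if r.Validate == nil || r.Validate(m) {
				hits++
			}
		}
		if hits < r.MinMatches {
			continue
		}
		events = append(events, Event{channel, r.Class, hits, r.Action})
		if r.Action == Block {
			allowed = false
		}
	}
	return events, allowed
}

func main() {
	// Constructed sample messages, not real traffic.
	samples := [][2]string{
		{"email", "Claim attached for patient SSN 123-45-6789."},
		{"email", "Please charge card 4111 1111 1111 1111 for the stay."},
		{"chat", "QA only: fake card 1234 5678 9012 3456, fake SSN 000-12-3456."},
		{"chat", "Reset done, password: Winter2016!"},
	}
	for _, s := range samples {
		ev, ok := Scan(s[0], s[1])
		fmt.Printf("%-5s allowed=%-5v events=%+v\n", s[0], ok, ev)
	}
}
```

The third sample is the interesting one: both the card pattern and the SSN pattern fire, but the card fails Luhn and the SSN has an impossible area number, so no event is raised and the message passes. Without the validators both would have been blocked, and a review team fed such events soon stops reading them (consideration 7). The fourth sample shows a monitor-only class: the event is recorded for reporting (consideration 8) while the message is still allowed out.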

A comprehensive and integrated DLP solution must provide reasonable controls to protect data loss from internal sources. Management must ensure that proper measures are in place to protect sensitive corporate digital assets, including IP as well as personal and financial data. Additionally, a successful implementation of a DLP solution for large organizations requires systematic planning and execution considering the aspects discussed in this post.

2016: Data Breach Statistics


The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Totals of records exposed include only breaches for which a record count is available.

So far, 2016 has seen 980 data breaches affecting more than 35 million records. The Medical/Healthcare sector accounts for the highest number of records breached, at more than 15 million, according to the Identity Theft Resource Center report.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

November 23, 2016 – The Navy reported that the PII of 134,386 sailors was compromised from a contractor's laptop. Hewlett Packard Enterprise Services, through which the contractor was hired, said that no information had been misused. However, it reported that data containing names and Social Security Numbers was accessed by an unknown number of people. The investigation is ongoing, and it will be a few weeks before those affected and the next steps are identified.

Source: Navy Times

October 28, 2016 – A breach at the Office of the Comptroller of the Currency resulted in the leakage of sensitive information on more than 10,000 employees. It was found that a former employee had unintentionally downloaded the information. There is no evidence of any information being misused in any way. The incident was reported to Congress as required by law.

Source: Wall Street Journal

Healthcare

November 30, 2016 – Emblem Health has disclosed that its subsidiary, Group Health Inc. (GHI), suffered an accidental breach in which an unknown number of records were exposed. The disclosed information contained the Health Insurance Claim Number (HICN), which mirrors the Social Security Number. So far, there has been no report of any misuse of the leaked information. As a precaution, the affected members have been offered a free professional identity monitoring service for 24 months, in addition to a 24-hour dedicated helpline and $1,000,000.00 in identity theft insurance through AllClear ID.

Source: California Attorney General

Education

December 2, 2016 – San Jose Evergreen Community College District (SJECCD), California, reported that an employee accidentally uploaded a file containing the PII of an unknown number of students to the SJECCD website. The information could be accessed by running searches on the site. Once the mistake was discovered, the file was immediately removed from the server. Though there is no immediate report of any misuse, management has offered affected students one year of complimentary AllClear ID credit monitoring.

Source: California Attorney General

How to Select the Right Encryption Solution

In today's fast-moving and fast-changing world, with its influx of smart devices and IoT, securing data and keeping it out of malicious hands has become extremely challenging, complex, and necessary. The workplace no longer adheres to a typical 9-to-5 routine. Technology makes it possible to work remotely from anywhere and at any time through laptops, tablets, smartphones, etc. The number of avenues for a breach has therefore grown significantly, and with it the need for encryption that scales beyond a single computer to the numerous smart devices constantly used to access data.

Ponemon Institute conducted a survey and came up with the most prominent drivers that propel industries to consider encryption as a defense against data breaches.

We saw in one of our previous blogs how the number of breach incidents has risen to staggering heights this year. IT experts collectively agree that encryption is the key solution to this huge problem, but it has to be the right type of encryption for the industry. A thorough knowledge of the tools and technologies currently on the market is very important before implementing any type of encryption. An encryption solution tailored to the enterprise will not only protect against the loss of data but also save time and money. So what are the criteria for determining the type of encryption solution suitable for an enterprise? The following points answer this question.

  1. Basic Requirements – A Must

The encryption solution should meet the following basic requirements:

  • Encryption should be automated, simple for end users to comply with, and provide non-disruptive protection.
  • There should be robust user authentication, so that only authorized users get access to the data. The solution should also provide for regular checks that user access rights are still valid.
  • It should be able to protect a wide array of smart devices across multiple platforms such as Windows, Mac, and Android. Most smart devices already offer some kind of base protection, but this might not be sufficient for big enterprises dealing with highly sensitive data.
  • The type of encryption will also depend on the type of data to be protected: data in motion, data at rest, or data in use. The company might require full-disk encryption or just file encryption.
  • The need for managing the encryption keys must be assessed: can the IT department do it itself, or should the services of a vendor be considered?
  • The encryption implemented should grow as the enterprise expands. The growing demands of the company should not hamper the existing encryption or render it ineffective.
  • The encryption should be such that if the data were to fall into the hands of hackers, it would be unreadable and useless to them.
  2. Encryption Key – Vendor-managed or Customer-managed

Whether vendor-managed or customer-managed, the scheme uses a pseudo-random encryption key generated by an algorithm, and an unauthorized interceptor cannot access the data without this key. A customer-managed key (CMK) gives the customer complete control and makes the physical location of the files less relevant, since no party can decrypt the data once the customer has chosen to withdraw access to the encryption keys.

  3. Key Management

Managing the keys is another important aspect in encryption. Depending on how big the organization is, there could be a large number of keys that need to be managed uniformly and tracked constantly. Towards this, Zecurion Zserver secures and protects confidential information at the processing and storage level on corporate servers. The Zserver Enterprise Key Management Server (EKMS) minimizes administrative overhead for encryption by generating, storing, managing, and automatically loading encryption keys across the enterprise.
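The customer-managed key point in the previous section, and the key-management point here, come down to one mechanism: envelope encryption. Each record is encrypted under its own data-encryption key (DEK); the DEK is then wrapped under a key-encryption key (KEK) that only the customer's key store holds; and withdrawing the KEK leaves every envelope wrapped under it undecryptable, wherever the ciphertext happens to be stored. The Go program below is an added example of that mechanism written for this post; it is not Zecurion's Zserver or EKMS code, nor any vendor's. The `KeyStore` type, the key id `tenant-A` and the sample record are assumptions for illustration; AES-256-GCM from Go's standard library does the actual encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the customer's key-management service: the only place the KEKs exist.
type KeyStore map[string][]byte

// Generate creates a fresh 256-bit KEK under id; Revoke withdraws it for good.
func (ks KeyStore) Generate(id string) { ks[id] = randomBytes(32) }
func (ks KeyStore) Revoke(id string)   { delete(ks, id) }

// randomBytes draws n bytes from the OS CSPRNG; failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a nil or wrong-length key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; any change to nonce or ciphertext fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Envelope is what gets stored: the ciphertext plus its DEK wrapped under a named KEK.
type Envelope struct {
	KEKID                  string
	WrappedDEK, Ciphertext []byte
}

// Encrypt encrypts the record under a one-off DEK and wraps that DEK under the customer's KEK.
func Encrypt(ks KeyStore, kekID string, plaintext []byte) (*Envelope, error) {
	kek := ks[kekID] // an unknown id yields a nil key, which seal rejects
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{kekID, wrapped, ct}, nil
}

// Decrypt needs the KEK to unwrap the DEK; once the KEK is withdrawn the envelope is useless.
func Decrypt(ks KeyStore, env *Envelope) ([]byte, error) {
	kek, ok := ks[env.KEKID]
	if !ok {
		return nil, errors.New("KEK " + env.KEKID + " withdrawn or unknown")
	}
	dek, err := unseal(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext)
}

func main() {
	ks := KeyStore{}
	ks.Generate("tenant-A") // hypothetical key id
	env, _ := Encrypt(ks, "tenant-A", []byte("constructed patient record")) // cannot fail: KEK just generated
	pt, err := Decrypt(ks, env)
	fmt.Printf("before revoke: %q err=%v\n", pt, err)
	ks.Revoke("tenant-A") // the stored envelope is now stranded
	pt, err = Decrypt(ks, env)
	fmt.Printf("after revoke:  %q err=%v\n", pt, err)
}
```

Two design points matter for the key-management discussion. First, the KEK never leaves the key store and is never written next to the data, so a copy of the stored envelopes, on a lost laptop or a vendor's disk, is unreadable without it; that is what makes the physical location of the files "less relevant". Second, because every record has its own DEK, rotating or revoking a KEK means re-wrapping or stranding small DEKs rather than re-encrypting every record, which is the administrative overhead an enterprise key-management server is meant to absorb.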

According to a report by CSC, “While individuals are responsible for most data creation (70 percent), 80 percent of all data is stored by enterprises.” Encryption may not be the silver bullet that thwarts data breaches completely, but it is a necessary step towards mitigating the accidental or deliberate loss of critical and sensitive data. Enterprises, both small and large, should make it a mandatory requirement and implement encryption company-wide.

Mobility and Security Go Hand-in-Hand

“By the end of 2017, market demand for mobile app development services will grow at least five times faster than internal IT.” Gartner

The reason for Gartner’s prediction of a fast growing industry is that more and more organizations across multiple sectors are adopting the bring-your-own-device (BYOD) culture. With most functionalities going digital, many employees have started to use their mobile devices not only for communicating with their peers but also for storing and accessing business-critical data on and off company premises. While this has added a lot of ease and reduced time to respond, it has invariably led to a laundry list of issues, especially regarding security.

The Vulnerabilities

While organizations are worried sick about hackers stealing critical data, they have come to realize that often the enemy lies within. Employees who can access business data over their smart devices may—knowingly or unknowingly—share critical data with competitors or simply lose their devices that may have accessible data. Such data in the wrong hands may prove to be very costly.

These problems have made employers lose sleep, worrying and fretting about the safety of their data. Even though these problems may be resolved by a seamless implementation and integration of a robust security system with firewalls and servers that allow communication via mobile devices, there are still many security threats that loom large.

Banking and financial sectors, along with organizations dealing with security, need to be the most careful about such events and must try to curtail losses as soon as possible. As per SafeNet's Breach Level Index, “…not all breaches are reported and many, especially those involving insiders, may go unnoticed or take a long time to be discovered.” Furthermore, regardless of the number of incidents, SafeNet's report claims that insiders account for more than half of the actual information lost.

The longer it takes to realize that crucial data has been compromised by an internal threat, the more severe the losses will be, whether monetary or reputational. Both could eventually lead to loss of the customer base.

When it comes to insiders, “ignorant users” are known to be the biggest threat. However, almost 70% of IP thefts are committed by disgruntled, grudge-bearing employees or by employees looking for monetary gain. Email is another common method by which employees can steal data. With all the company data now available on their smartphones, these employees pose a huge security concern. With the explosion of social media—Twitter, Facebook, Instagram, and every other new information-sharing app—and their ready accessibility to almost all employees, it is very difficult to control what critical information is being made public.

Apart from this, a lot of organizations are shifting toward storing (sometimes critical) data online using cloud-based platforms. In case such data is breached and is made public, it may result in enormous losses.

Where organizations allow employees to use external hard disks and USB storage, these may in fact turn out to be the easiest means of electronic data theft unless their use is controlled and supervised. On the more physical side of data theft, unsupervised printouts are an obvious choice.

What Is Needed?

Mobile DLP helps prevent data leakage from mobile devices and safeguards unencrypted information. It acts as a gatekeeper, protecting confidential information from compromised devices and unauthorized access by routing the traffic through a corporate virtual private network (VPN) server.

Mobile DLP also allows access restrictions for applications. The solution can enforce a restriction on the use of selected applications by blacklisting them, or allow some applications to particular users as exceptions by whitelisting them, based on business requirements and approvals.

Further, mobile devices connected to the corporate network can be monitored for voice chat activities through control of HTTP/HTTPS and can also log all outgoing text as well as multimedia messages to prevent data leakage. DLP solutions act like control centers for sensitive data, user profiles and device information.

With enhanced security and business flexibility, Mobile DLP offers the perfect combination required for securing data on mobile devices. Protecting the 3Cs—content, credentials, and configurations—is an essential element of any data security strategy and Mobile DLP helps address all the possible channels for vulnerabilities.

Is the Hospitality Industry in Danger?

Back in 2005, Meyers and Mills argued that using biometric technologies could improve hotel security and enhance the ability to recognize criminal activities. Fast forward to 2016 and the hospitality sector has become easy prey for cyber criminals.

The leap in technology has made it easy for the hospitality industry to gather a lot of personal data about customers, which has helped hoteliers increase sales and profit margins. A recent report by Sabre Hospitality Solutions confirms that proper use of the Big Data generated can give hoteliers a ‘definitive market edge’.

It’s Green for the Hackers!

This has also made it easy for hackers to commit financial crimes on a larger scale. While hackers attack smaller enterprises because their systems are usually easy to breach, they hack into bigger franchises to gain access to a global database. The hospitality sector is especially exposed because its day-to-day operations involve online reservations, card-based transactions, and rewards programs. This generates a huge database of user data that, in the wrong hands, will create havoc in people's personal and financial lives.

Criminals across the globe try to hack into hotel networks to steal guests' credit card details; in essence, they are targeting thousands of cardholders at once. Not only may hotels have vulnerable systems, they may also detect a breach only long after it has occurred. The average time, as per Trustwave SpiderLabs, is 173.5 days.

Cybercrime is a huge risk that hotels must deal with on a regular basis. Social engineering attacks such as phishing and Advanced Persistent Threats (APTs) are the most dangerous types of cyber-attacks, as they can bypass the current security setup. Hotel Wi-Fi networks therefore need to be secure, with built-in wireless intrusion prevention and detection for enhanced security.

Sample this: as per the 2015 Trustwave Global Security Report, the global hospitality industry now tops the list of the three industries most frequently targeted by hackers.

The Challenge

This challenge of data security and safety also increases the liability of the hospitality industry as any security breach may lead to heavy financial losses (legal), loss of brand and reputation, and also loss of customer loyalty. This will lead to financial instability and failure in the long run.

Repercussions of a Security Breach

Hotels have to pay through the nose if there is a breach of private data. The money usually goes on legal processing, fines, penalties, forensic investigation expenses, credit monitoring, business interruption losses, and hiring PR professionals to help control the damage and salvage reputation. Additional costs go towards recovering lost data and fixing the actual cause of the breach.

Several organizations that analyse security and data breach trends cite hospitality as the ‘single most vulnerable industry’. Thus, IT leaders in hospitality are making data security their number one priority.

There are Ways to Stop This Loss

Most states today have privacy laws requiring notification if anyone's personal or financial information is compromised, lost, or stolen. In addition, there are standards that support data loss prevention (DLP), such as the Payment Card Industry Data Security Standard (PCI DSS), which ensures ‘that all companies that process, store, or transmit credit card information maintain a secure environment’. Standards such as PCI DSS, if implemented properly, can help prevent many such incidents.

Hotels of any size must secure their network to protect hotel operations and guests' data. They must also review their information technology annually so that they can respond proactively to threats. To avoid the fate that even the likes of Hilton, Marriott and Mandarin Oriental could not escape, hotels need to employ the best security experts, who can advise on encryption strategies for point-of-sale (POS) terminals, data servers and internal networks.


Why Is Proactive Data Loss Prevention So Important?

Per Capita Cost for Data Breaches in the Education Sector is One of the Highest

Did you know that the per capita cost for data breaches in the education sector is one of the highest? And that the impact of a data breach in schools is on the higher side as compared to the colleges, as the former accounts for more than 66 percent of total per capita spending on education?

Many small schools have a lot of data but limited capacity to deal with huge data sets. The systems in place are generally based on an open architecture for easy sharing of information between students, teachers and administrative staff. This makes it all the more imperative to have a sophisticated data loss prevention tool to stop data breaches caused by human error or accident. Below are some key statistics, compiled from various organizations, that give an insight into the impact of data breaches on the education sector.

  1. The education sector's per capita cost for data breaches, as reported by Ponemon in May 2014, is $259, the third highest per capita cost after healthcare ($316) and transportation ($286). This is substantially above the overall mean of $201 across all industries. These figures include breaches caused by criminal attack, system glitch and human error.
  2. The probability of a data breach involving more than 10,000 records in the education sector is estimated at 0.211. Public and retail companies are the most vulnerable to breaches, followed by educational institutes, as per the Ponemon report.
  3. Approximately one third of all data breaches reported by colleges and institutions from 2005-2013 can be attributed to intentional or unintentional data leakage by employees or associated personnel, as reported by the EDUCAUSE Center for Analysis and Research (ECAR).
  4. The education sector witnessed 727 breaches from 2005-2014 as per the Privacy Rights Clearinghouse (PRC) database. For 73 percent of these the number of affected records is known, totaling 14.5 million records, or an average of 27,509 records per breach; for the remaining 27 percent the number of compromised records is not known.
  5. It is the sector with the second-largest number of data breaches from 2005-2014, yet the number of records exposed is the lowest (approximately 1 percent of total records exposed). This can be attributed to non-reporting or misreporting of breach cases by institutes to safeguard their reputation and branding.
  6. As per the survey conducted by Halock last year, more than 50% of the institutes surveyed allowed data access over unencrypted and unprotected email. The lack of a proper data loss prevention solution can be considered the major factor behind data breaches over such unsecured networks.

Sources: US Government Spending, EDUCAUSE Center for Analysis and Research (ECAR), Capital News, Privacy Rights Clearinghouse (PRC), Ponemon Institute