Tag Archives: encryption

Best Practices in Securing Healthcare Data

 

Health is wealth. It is an old saying, but it carries an important meaning. Consumers spend a great deal of money on wellness, prescriptions, medical examinations, lab tests, and various auxiliary health procedures. As a result, healthcare organizations have become repositories of vast amounts of sensitive data that these consumers share, making them soft targets for data breaches.

The Identity Theft Research Center (ITRC) studied the trends of data breaches and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector, and 66.7% of the total records exposed were from the healthcare industry. ITRC also claims that to date in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported to be affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early whether PHI and PII are being accessed without proper authorization. Many automated tools available today can discover such a breach at its initial stage, and early detection can thwart data loss incidents.

Towards this, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications. It also helps identify sensitive information and prevents it from leaving the network. Zgate uses hybrid content analysis – combining digital fingerprints, Bayesian methods, and heuristic detection – to filter outbound traffic and detect confidential data.
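The digital-fingerprint part of content analysis can be illustrated with a short sketch. This is an added example, not Zgate's algorithm or code from the original post: it hashes overlapping word shingles of a protected document and measures how many of them reappear in an outbound message. The shingle size, threshold, function names and sample texts are all assumptions constructed for the illustration.

```python
import hashlib
import re

K = 5  # words per shingle (assumed value for this sketch)

def tokens(text):
    # Lowercase and keep only alphanumeric runs, so case and punctuation
    # changes in a copied passage do not defeat the match.
    return re.findall(r"[a-z0-9]+", text.lower())

def fingerprint(text, k=K):
    # Set of truncated SHA-256 hashes, one per k-word shingle. The monitor
    # stores only this set, never the protected document itself.
    words = tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(max(len(words) - k + 1, 0))
    }

def containment(protected_fp, outbound_text):
    # Share of the protected document's shingles found in the outbound text.
    if not protected_fp:
        return 0.0
    return len(protected_fp & fingerprint(outbound_text)) / len(protected_fp)

def should_block(protected_fp, outbound_text, threshold=0.3):
    # Threshold is an assumed policy value; tune it against false positives.
    return containment(protected_fp, outbound_text) >= threshold

# Constructed sample data (not real patient information).
PROTECTED_RECORD = (
    "Patient: Jane Example. MRN 000000 (constructed). Diagnosis: type 2 "
    "diabetes mellitus. Prescribed metformin 500 mg twice daily. "
    "Follow-up lab tests scheduled in three months."
)
RECORD_FP = fingerprint(PROTECTED_RECORD)

# Partial copy with changed case and punctuation.
LEAK = ("fyi -- DIAGNOSIS: Type 2 diabetes mellitus; prescribed Metformin "
        "500 mg twice daily, follow-up lab tests scheduled in three months!!")
# Unrelated message that happens to share a few common words.
BENIGN = ("Reminder: the quarterly staff meeting is scheduled in three "
          "months; lunch is provided.")

if __name__ == "__main__":
    for name, msg in (("leak", LEAK), ("benign", BENIGN)):
        score = containment(RECORD_FP, msg)
        print(name, round(score, 2), should_block(RECORD_FP, msg))
```

Exact shingle matching catches partial copies that survive reformatting, but not paraphrase, which is why it is combined with statistical and heuristic methods.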

Multilayer Security Authentication

Multilayer security authentication is a must. Options for fingerprint, retina test or scanning of a smart card should be added to regular password options to establish the identity of the actual user. User roles need to be identified comprehensively, and the extent of authorization should be granted accordingly.

Encryption, Encryption, Encryption

Healthcare servers have vast sources of confidential information stored. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7, 365 days a year, without failure. Still, just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

Management should have a formal, dedicated risk assessment team to look into the various techniques, procedures, and access points through which PHI and/or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop, and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

Cyberinsurance

Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.

Conclusion

Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down the access of information to care givers. While there is no fool-proof solution to any breach, it is best to go with the saying “prevention is better than cure”.

Data Loss Prevention: Protection Beyond the Antivirus

Installing antivirus is no longer adequate unless organizations have also taken proactive action and implemented other endpoint security solutions to protect against data loss arising from internal and external threats. This traditional endpoint security provision was sufficient in years past, when cyber-attacks were simpler and fewer. With ever-changing technology and advances in the nature of cyber-attacks, antivirus alone as a security measure will not hold the fort for long.

Corporate data is mostly digital now, and sensitive data is accessed over multiple devices and networks. Telecommuting is rapidly growing and is favored in both private and governmental organizations, prompting employees to bring their own devices. Unfortunately, antivirus software is perceived to be the default security mechanism expected to protect against most IT threats. This, in turn, can be disastrous as it gives IT administrators a false sense of security, making critical data loss a harsh reality. IT administrators, therefore, need additional forms of protection such as end-to-end encryption and data loss prevention (DLP) solutions.

What should an organization do to protect its critical data? We have some recommendations for organizations to consider in order to safeguard themselves against vulnerabilities of data loss:

  • Administer multiple layers of security instead of implementing just the antivirus.
  • Keep business continuity in mind while installing the endpoint security tool.
  • Encrypt data whether it is static or in transit.
  • Constantly monitor data coming in and leaving endpoints of the network.
  • Define user roles clearly, so employees are aware of who can access what kind of information.
  • Provide regular training to the workforce about security measures that need to be followed at all times.
  • Have a robust backup and risk mitigation plan ready in case of a breach.
  • Implement device management/monitoring as an essential practice, particularly with the BYOD culture becoming a key workplace trend.
  • Install zero-day malware detection/analysis and content-aware DLP solutions.

These recommendations are the fundamentals of a strong IT security strategy. With antivirus no longer being the magic potion to deal with all threats, it is time organizations start implementing a more robust solution that encompasses various techniques aimed at data loss prevention.

Email Encryption – Not So Complex Anymore

Today, when technology has taken control of almost everything in life, from home to business, educational institutes, government agencies, doctors' offices, and so on, the question arises as to how secure your data is. With data breaches on the rise, data protection has become a hot topic.

How do you protect data ‘at rest’ and data ‘in transit’? How can you protect against the threat of espionage, hacktivism, spyware, or insider negligence? Encryption comes into play at this juncture. In recent years, there have been numerous reports of confidential data such as customers’ personal records being exposed through loss or theft of laptops or backup drives and data being breached when transmitted across networks by unauthorized users.

One of the proven techniques is to use algorithms for the purpose of encrypting data. The system encrypts the information contained on hard drives, disk arrays and SAN storage using an innovative, sophisticated encryption method to securely protect data stored on servers and on backup media.

Encryption protects stored information whenever physical control of the media is impossible, whether moving data to cloud, or in the case of hard drive loss. The permanent encryption of a file is a reliable way to protect any information it contains wherever the file physically resides.

For technical reasons, an encryption scheme uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients. To access encrypted data, the keys are a must. An unauthorized interceptor cannot access data without this key. The key can be either a vendor-managed key or a customer-managed key.

Zecurion Zserver offers an excellent solution in this context. It takes advantage of complex cryptographic techniques to protect data stored on servers, SAN and NAS storage, magnetic tapes and optical disks. With unique media encryption capabilities, it protects data in use, storage and transport. Its system is designed with a balance between ease-of-use and the strongest available control levels by allowing administrators to decide when data is encrypted and decrypted through the Zserver Enterprise Key Management Server (EKMS). Zserver uses proven encryption algorithms with key lengths up to 512 bits (AES, XTS-AES). The adaptive multithreaded encryption the system uses can significantly increase the speed of data encryption on multiprocessor and multicore systems.

EKMS empowers the customer completely. It may make the physical location of the files less relevant, since no party can decrypt the data if the customer has chosen to withdraw access to the encryption keys. In this way, the customer has total control over whom to give access to the data. The solution enables customers to manage the keys that encrypt and decrypt their data. EKMS gives customers their own key layer, and sole control over the management of the encryption keys used to protect their data in the cloud. It is up to the customers to properly manage the keys to avoid any interruption of data-sharing or collaboration with their own customers and partners.

All in all, data protection is very vital to avoid any kind of loss whether the breach is intentional or just a human error. You can research the type that best suits your needs, but you should make sure that you have your data protected.

Weak Random Numbers Are Achilles Heel for Encryption

Reports have been circulating that researchers have determined that a very small percentage of public keys used for encryption are inherently weak. Bruce Schneier, a respected cryptologist and Chief Security Technology Officer of BT, says in a blog post that the issue is almost certainly the result of a flawed random number generator.

Schneier explains, “This shouldn’t come as a surprise. One of the hardest parts of cryptography is random number generation. It’s really easy to write a lousy random number generator, and it’s not at all obvious that it is lousy.”

Schneier goes on to address the issue of what impact this has in terms of real-world security, and the encryption keys being used today:

“What is the security risk? There’s some, but it’s hard to know how much. We can assume that the bad guys can replicate this experiment and find the weak keys. But they’re random, so it’s hard to know how to monetize this attack. Maybe the bad guys will get lucky and one of the weak keys will lead to some obvious way to steal money, or trade secrets, or national intelligence. Maybe.”

The random number generator (RNG) forms the foundation for creating keys, so any RNG that is in any way predictable weakens the security of the whole system.
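To make the point concrete, the following added example (not from the original post or from Schneier) contrasts key generation seeded from a low-entropy value with key generation from the operating system's CSPRNG, and shows a simple inventory audit that flags devices sharing key material. The device names, the "seconds since boot" seed and all function names are assumptions constructed for the illustration.

```python
import hashlib
import random
import secrets
from collections import defaultdict

def weak_keygen(boot_seconds):
    # Flawed on purpose: a non-cryptographic PRNG seeded with a low-entropy
    # value. Every device that boots at the same second gets the same key.
    rng = random.Random(boot_seconds)
    return rng.getrandbits(256).to_bytes(32, "big")

def strong_keygen():
    # 256 bits from the operating system CSPRNG.
    return secrets.token_bytes(32)

def find_shared_keys(inventory):
    # Group devices by SHA-256 of their key material and return every group
    # with more than one member. Only digests are compared, so the audit can
    # run on a list of key fingerprints rather than on the keys themselves.
    by_digest = defaultdict(list)
    for device, key in inventory.items():
        by_digest[hashlib.sha256(key).hexdigest()].append(device)
    return sorted(sorted(g) for g in by_digest.values() if len(g) > 1)

def weak_keyspace(max_seed):
    # Number of distinct keys the flawed generator can ever produce when the
    # seed is limited to range(max_seed): at most max_seed, regardless of
    # the nominal 256-bit key length.
    return len({weak_keygen(s) for s in range(max_seed)})

# Constructed fleet: device name -> seconds since boot at first key generation.
BOOT_TIMES = {"dev-a": 12, "dev-b": 13, "dev-c": 12, "dev-d": 14, "dev-e": 13}

WEAK_FLEET = {dev: weak_keygen(t) for dev, t in BOOT_TIMES.items()}
STRONG_FLEET = {dev: strong_keygen() for dev in BOOT_TIMES}

if __name__ == "__main__":
    print("weak fleet, shared keys:  ", find_shared_keys(WEAK_FLEET))
    print("strong fleet, shared keys:", find_shared_keys(STRONG_FLEET))
    print("distinct weak keys for 60 possible seeds:", weak_keyspace(60))
```

Duplicate key material across independently provisioned systems is a practical signal that a generator was seeded predictably.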

Time Is Running Out

I know you are busy spending time with family, enjoying the holidays, and not even thinking about business, or protecting your data — but time is running out.

Zecurion is offering special discount pricing on our award-winning data loss prevention and encryption products through the end of the year. Is your data adequately protected? Do you have the right tools in place to enable you to exercise some control over how and where your sensitive data goes without getting in the way of productivity?

You simply purchase the one-year support agreement, and we’ll throw in the product license for free. It is an 80 percent savings off the normal price. You owe it to yourself — and the employees, customers, vendors, and others that trust you with sensitive data — to take advantage of this offer before the ball drops at midnight on December 31.

Your 2012 will be much happier if you have the peace of mind that comes with knowing your data is protected. Happy New Year!

Data Breaches Cost More than Data Protection

Tony Bradley, Chief Marketing Officer for Zecurion, recently joined host Tom D’Auria on the IMI-TechTalk radio show to talk about data protection. The daily headlines of data being stolen, compromised, and exposed suggest that many organizations either don’t understand the risks, or fail to implement adequate protection. Often, those decisions are driven by dollars–organizations simply feel they can’t afford data loss prevention (DLP) or data encryption technologies that could prevent data breaches.

Unfortunately, many of those businesses end up learning the hard way that this approach is penny wise but pound foolish. Saving a few dollars in the short term can have significant repercussions when it costs the company exponentially more to recover from a data breach incident. You can listen to the entire IMI-TechTalk show by playing the recorded version from the IMI-TechTalk blog site.

If Bad Guys Steal Your Key, It’s Time to Change the Lock

Earlier this year the network at RSA Security was breached and information related to SecurID authentication tokens was compromised. Since then, security experts have been waiting to see what the fallout would be, and now we know.

Lockheed-Martin revealed that its networks were targeted by attackers. The defense contractor has not specifically stated that the compromised RSA SecurID tokens were a factor, but clues support that conclusion. Thankfully, Lockheed-Martin was able to very quickly detect and identify the attack, and take swift action to protect data so that no sensitive information was compromised.

The situation basically amounts to knowing that a thief stole the keys to your house, but then not bothering to change the locks and hoping nothing will happen. In this analogy, Lockheed-Martin apparently had some well-trained attack dogs on the other side of the door to prevent intrusion. But, many companies of all sizes rely on RSA SecurID tokens, and not all of them have the security skills or resources of Lockheed-Martin.

Don’t just sit with your fingers crossed hoping the bad guys won’t show up. Change the locks. Make sure that the compromised RSA SecurID tokens cannot be used to gain access to your network, and make sure you have tools in place to detect suspicious activity and prevent sensitive information from leaving the network.

Don’t Let Your Company Join the Data Breach Epidemic

I know I sound like a broken record, but it’s not my fault. You can’t go online, turn on the TV, or pick up a newspaper without seeing news of some major data breach exposing sensitive data on millions of users. Why?

Don’t get me wrong. I understand that there is no security silver bullet. Given an attacker with enough time, skill, and dedication, there is no server or network fortified such that it can’t be hacked. In fact, I think security administrators should keep the mindset that it is a matter of when, not if, a server will be hacked. But, as I have pointed out previously in this blog, a server breach does not have to be a data breach.

I wrote a consumer-oriented article detailing how individual users can take steps to try and protect their own data and shield it from being exposed by the companies they have entrusted it to. But, IT admins and security administrators also need to take proactive steps to prevent data from being compromised, and keep their own organization out of the headlines.

Data breaches are expensive. Really expensive. Never mind the fact that a data breach on your watch could cost you your job. Do yourself a favor. Save your organization the hassle and the money, and help preserve your job security by contacting Zecurion and finding out just how easy it is to protect your data and prevent your company from becoming a data breach epidemic statistic. Wouldn’t you rather be a hero than a fall guy?

Why You Should Use Self-Encrypting Drives

Laptops and external hard drives are lost or stolen just about every hour of every day. It could be from an office, a car, a home, sitting at a coffee shop, hanging out in an airport terminal waiting for a flight, forgetting a bag in a taxi–it doesn’t really matter how it happens. The problem is that those laptops and drives typically contain 250GB or more of data–much of which might be sensitive or confidential in nature.

The whole point of the laptop and portable storage is to be able to be productive on the go, so it is not a practical solution to try to just ban the storage of such data on laptops or portable drives. Some workers need that data to do their jobs.

However, “locking down” the laptop with a username and password for logging in to the operating system does not protect the data. There are a thousand ways for a resourceful hacker to bypass most traditional protection and access the data contained on the drive itself.

Zecurion’s Zlock is an effective means of enforcing data policies, and minimizing the exposure of sensitive information on removable media, and Zecurion’s Zserver Suite–Zserver Storage and Zserver Backup–are great tools for encrypting and protecting data at rest on servers and backup media, but you also need to protect data on laptops and portable storage devices. There are a variety of solutions for encrypting the data. Microsoft Windows has BitLocker and BitLocker To Go for encrypting data. There are also open source tools like TrueCrypt, or secure drives like the Aegis Padlock.

You might need to resort to those tools, though–or you can consider them as an additional layer of security. The self-encrypting drive is quickly evolving from a niche premium to a mainstream commodity. The advantage of the self-encrypting drive is that the hardware-based encryption has little impact on performance, and the fact that the keys are generated and stored locally reduces the administrative overhead.

Bottom line–with self-encrypting drives becoming an established standard, there is no excuse for data on laptops and portable storage devices to be unprotected.

No Excuse for Lightning to Strike Twice at Health Net

There is a saying something to the effect of “Fool me once, shame on you. Fool me twice, shame on me.” Well–shame on Health Net for getting hit with its second massive breach of customer data in as many years. Thanks to nine unencrypted drives getting “lost” during a move to a new data center, Health Net has potentially exposed sensitive data on 1.9 million customers.

Ericka Chickowski notes in an article on Dark Reading that, “According to the most recent Ponemon Institute figures, the average data breach costs healthcare organizations $345 per records. Using those numbers, this breach could cost Health Net upward of $655 million when all is said and done.”

I get it. On some level I understand that security is an expense and requires effort, and that it is easy to assume that security incidents and data breaches only happen to other companies. It is easy to rationalize gambling with sensitive customer data and assume that having information lost or stolen is about as likely as getting struck by lightning.

But, there isn’t really any excuse for getting struck by lightning twice. Health Net should have learned its lesson the first time around and taken steps to proactively encrypt and protect data on server drives and backup media. A solution from Zecurion would have cost Health Net a fraction of a percent of that estimated $655 million in damages from the data breach–virtually nothing in the grand scheme of things.

Don’t assume that lightning can’t strike at your organization. Your data, and the personal information of your customers, deserve better protection than keeping your fingers crossed and hoping for the best.