Category: Email Encryption

22 Jan 2017

Healthcare Security in Critical Condition

Are healthcare organizations more vulnerable to data breaches than other industries?

Healthcare organizations (69 percent) and their third-party business associate (BA) partners (63 percent) certainly seem to feel they have a target on their backs, according to Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. However, knowledge hasn’t necessarily led to preventative action in many healthcare firms or the BAs that support them. Data breaches in healthcare continue to put patient data at risk and are becoming increasingly costly and frequent. According to Ponemon estimates, data breaches could have already cost the healthcare industry $6.2 billion.

While many of the breaches reported by survey respondents were small, containing fewer than 500 records, nearly 90 percent of healthcare organizations taking part in the study reported they were victim to a data breach over the past two years, and 45 percent had more than five data breaches during that same period. Ponemon estimates that the average cost of a data breach for healthcare organizations over the past two years was more than $2.2 million, while the cost to BAs was more than $1 million. The top stolen files were medical files, billing and insurance records, and payment details, putting patients at risk not only of having personal details exposed but also of financial identity theft.

What’s evident from the data is that employee negligence and mishandling of sensitive patient data are still a huge cause for concern; according to Verizon’s Data Breach Digest, 20 percent of data breaches reported in healthcare stem from insider and privilege misuse. In the Ponemon report, 69 percent of health organization respondents cited “negligent or careless employees” as the type of security incident that worries them the most, compared with 45 percent for cyber attackers and 30 percent for insecure mobile devices.

At BAs, negligent or careless employees were cited by 53 percent of respondents as their most feared security incident. Healthcare organizations may be overly worried, as only 36 percent of healthcare organizations named unintentional employee action as a breach cause. However, the numbers aligned well for BAs, as 55 percent of BAs named unintentional employee action as a breach cause.

According to a second report from Ponemon and Thales, which tracked extensive usage of encryption solutions for 10 industry sectors over three years, healthcare and pharmaceutical organizations have seen the largest jump in use of encryption solutions, with 40 percent of organizations now reporting encryption use. However, the same report also shows that the data type organizations overall are least likely to encrypt (at 21 percent) is health-related information, quite a surprising result given the regulatory requirements, the sensitivity of the data, and the recent high-profile data breaches in healthcare.

Despite the increased frequency of breaches, and the rising costs to deal with the aftermath, half of these organizations still feel they lack the funding and resources to manage data breaches. The intent is there, as most companies have reevaluated their security practices and have implemented policies and procedures designed to curtail breaches. Those practices—however well intentioned—seem to be doing little to stop breaches from occurring.

For many organizations, it comes down to budget constraints; the majority of both healthcare organizations and BAs feel their organization:

  • Has not invested in the technologies necessary to mitigate a data breach
  • Has not hired enough skilled IT security practitioners
  • Has not adequately funded or provided resources for the incident response process

Healthcare organizations report budgets have decreased since last year (10 percent of respondents) or stayed the same (52 percent). The scenario is similar for BAs: 11 percent reported decreases and 50 percent reported that the budget stayed the same.

Based on these reports, healthcare security is in critical condition. Breaches are happening frequently and are costing both healthcare organizations and BAs more. According to the Ponemon report, accountability for the data breach incident response process is dispersed throughout the organization; however, both healthcare organizations (30 percent) and business associates (41 percent) say IT is the function most accountable for the data breach response process. But who is responsible for stopping these breaches before a response is required?

CIOs and CISOs need to continue to push the envelope in their organization on breach prevention, escalating it to become a key business priority. They can start by putting their policies and procedures under a microscope, and locating where the black hole is when it comes to putting those policies and procedures into practice with employees. The next step is investing in encryption technology to prevent breaches, not just in insurance policies for when they occur.

By Chris Peel, VP Engineering, Echoworx

23 Nov 2016

Encryption, the best way to protect data from hackers

It’s no secret that today’s cyber criminals are heavily funded and technically astute – creating more methods to hack into organizations than individuals and businesses can keep up with. Because of their ever-changing, advanced and growing capabilities, private organizations and governments must protect all possible gateways to information in our digital-driven society. To keep the data sent via email safe, email encryption remains the best protection in today’s cybersecurity landscape.

Smarter devices mean new vulnerabilities

The evolving technology landscape has created challenges for businesses trying to stay ahead of the curve. As the workforce becomes increasingly mobile and digital, organizations are opening new digital communication and commerce channels to meet employee and business needs. But as new devices are connected to the network, and thus become connected to confidential information, risks to data privacy will appear. These new devices and potential vulnerabilities create opportunities for hackers to infiltrate personal and professional networks at vulnerable entry points.

Companies must have a solution that is focused solely on encryption if they are to tackle today’s rapidly changing technology landscape. Encryption can be tailored to meet a company’s specific IT policies, compliance requirements and user needs to ensure that critical communication touch points are protected whether on mobile or desktop, keeping organizations’ information safe. Encryption allows businesses to innovate while leveraging new technologies, ensuring that sensitive data remains secure.

Securing confidential information – in transit and at rest

Vast volumes of confidential company, customer and employee data pass through business networks every day. Companies in regulated industries represent a treasure trove for cyber criminals as they hold mounds of confidential information including biometrics, health records, financial transactions, inventory tracking, climate controls, and even digital keys. For example, to properly track medical records for HIPAA compliance, there is often personal information attached to communications that can be exploited by hackers.

When organizations work to protect this confidential information, email security solutions are often overlooked in favor of network firewalls or file server security. As a result, message interception has become more frequent – putting information at risk. Email encryption solutions that are content-aware are critical to combating hackers targeting corporate email data. Content-aware encryption solutions can be configured to automatically scan email content and attachments based on a company’s security policies – providing a user-friendly experience for employees and peace of mind for IT management. Encryption is crucial to ensuring that this confidential information remains private and secure – while emails are in transit and at rest.

Key to citizen privacy and security

Beyond the business benefits, encryption is also key to citizen privacy and security. But, as governments adapt to crime in the digital age, we have seen them continue to push for ways to weaken one of our best protections, encryption, with master keys or back doors to encrypted information. Encrypting sensitive information is just as important as locking your home when you leave. But would you hide a master key for your home right on its perimeter? Encryption back doors are essentially leaving a key for hackers to discover for easy entry.

Encrypted data is only as secure as the keys used by the system that locked it. If the keys are compromised by hackers, negligence or other means, or entry ways are made available via back doors, then any data that’s encrypted can be decrypted. Ultimately, an entrance into encrypted information, whether meant for the government or an IT executive, is an entrance for everyone, including cyber criminals. Encryption is critical to the security of data and ensuring that citizens maintain their privacy, and management of keys is an essential piece of the puzzle.

As adversary tactics continue to grow and evolve, citizens and companies must feel confident that their data – from private information to intellectual property – is secure. Encryption is critical for protecting confidential data from today’s growing, fast-moving, and ever-changing cyber threats. And to remove pathways for hackers to exploit, we must ensure that back doors are not created and that all keys are properly managed. By applying encryption to email and other data, organizations can ensure that hackers have no way to access data that they discover or intercept.

By Kai Cheung, VP Architecture at Echoworx

21 Nov 2016

How to Better Protect Office 365, Help Secure Your Sensitive Data

Are you one of the many organizations that have decided to move to Office 365? If so, then you must have made this decision for a variety of business reasons including cost savings, infrastructure simplification, and flexibility. While there is no doubt that such a decision is sound and will quickly provide a noticeable return on the investment, given the nature of cyberspace, it also makes your company susceptible to cyber exploits.

Although I imagine and understand that privacy may not be a top priority for your deployment, I believe that it soon will be. It is needless to mention the reasons to secure sensitive communications, whether that is with your customers, employees within your organization or with other organizations you deal with. Securing Personally Identifiable Information (PII) is something that every organization is required to be concerned about, especially when communicating via email.

Regardless of the industry, there are many rules that govern the use of PII across the globe such as HIPAA (the Health Insurance Portability and Accountability Act), PIPEDA (the Personal Information Protection and Electronic Documents Act), as well as the EU’s Data Protection Directive. These rules mandate that companies protect the personal information of their users/customers.

Now the question is, can Office 365 provide the appropriate level of protection for sensitive email communication? The answer is yes.

However, there is a “but” and the “but” is – the encryption capability within Office 365 is neither robust nor easy to use. Ease of use has a direct correlation to the willingness of the sender and recipient to readily adopt encryption in communications. Ultimately, the frustration caused by the complexity and inflexibility of encryption technology leads users to give up on it. Unfortunately, this is a reality in many organizations.

Trusting Office 365 with my sensitive data

But, there is a silver lining. There are robust (and simple) ways to handle sensitive communication which don’t include having to rely upon what comes with the standard versions of Office 365. I encourage you to examine whether Microsoft’s native capabilities are sufficient for your company’s security and privacy. If you do, you will determine that there are indeed security gaps in the software. You should then examine third-party alternatives. This will help ensure the capability to effectively implement policies that are required to strengthen your business processes.

I regularly hear from IT professionals and business leaders that securing communications through encryption is a complicated and inflexible process. Imagine having a simplified option for a sender and recipient to facilitate sensitive email communications. Isn’t that an ideal image?

Simplicity equates to adoption; adoption equates to compliance, and compliance eliminates the potential of your organization’s name appearing in the news for all the wrong reasons. Can your Office 365 environment give you the simplicity and the flexibility to ensure the adoption and adherence of encryption protocols in multiple use case scenarios?

I assume you wouldn’t be reading this article if it didn’t have any limitations.

Some of the things that you should consider when evaluating the encryption capability within Office 365 include:

  1. New recipients must provide sensitive information to create a Microsoft account to then read an encrypted message, or receive a one-time password sent in clear text;
  2. When encrypted messages are sent via the Office Message Encryption (OME) Viewer app or the encryption portal, the sending email address is Office365@messaging.microsoft.com;
  3. Encryption options do not include S/MIME, PGP, Ad hoc encryption or Portal-based encryption;
  4. Users cannot track the usage of documents;
  5. Users cannot revoke access to documents;
  6. Android and iOS devices require access via a downloadable viewer (OME viewer app).

The registration process for new recipients (referenced in point 1 above) involves a 9-step process in order to get an account, and if you don’t want a Microsoft account, your options are even more limited. The only real alternative is to ask for a one-time password that is sent in clear text, which is not something I would call secure. There has to be a better alternative, and preferably one which would also seamlessly integrate the encryption solution with the mobile experience, because do we really need another app to view an encrypted email?

Now, if privacy is a priority within your organization, I understand that you need an enhanced encryption capability as an add-on to Office 365 – one that makes encryption easy. That is to say, an encryption platform that gives you the flexibility to vary the encryption process for differing use case scenarios – a platform that comes with policy templates that are industry specific.

When sending an encrypted email there may be a need, based on the type of information and the needs of the recipient, to have a shared passphrase, a system-generated verification code or even no password. How about leveraging open authentication to have the recipient use passwords they already trust from sites such as LinkedIn, Facebook or Twitter? Think about having the capability to use text messaging to create a two-factor authentication process for communications.

When you look at the many use case scenarios that you will implement to send specific information to specific recipients, the limitations within Office 365 become clear. What happens when you need to enable an encryption delivery method not supported through Office 365? Encrypted Portal and PDF are two delivery methods that are being used a great deal by companies across many industry verticals – will you just ignore these?

And what about branding? There is very little flexibility to brand your encrypted communications with Office 365. As with any communication outside of your organization, it should represent your brand. Again, you must look to an add-on capability to ensure you have the ability to reinforce the brand of your company.

When addressing the secure email communications requirement, many organizations will need something more than what comes standard with Office 365 and flexibility will ensure your encryption compliance processes are adopted and adhered to.

You have deployed Office 365 and now it is time to think about how you will secure communications. This is one area where it is critical to be proactive and not reactive, for a reactive approach could lead to undesirable outcomes. Why not think about an email encryption solution that is cloud based, pervasive across the web, mobile, and desktop, policy template driven and fully integrated with Office 365?

Hopefully my article has provided you with substantial knowledge and provoked some ideas on how to enhance your Office 365 deployment to effectively deal with the ongoing need to secure sensitive email communications.

By Randy Lenaghan, VP Sales Echoworx

15 Nov 2016

Cyberattack Impacts, Deeper and Less Visible Than You Suspect

Cybersecurity is one of the most debated issues in any organization. Although the need to immunize your company from all kinds of cyberattacks remains urgent, the full impact of a cyber incident is still largely unproven.

Recently I read an article by Deloitte which talked about how difficult it is for executives to gauge the impact of cyberattacks on their companies because they aren’t really aware of the work and effort that’s put into making a company cyber secure, or of the consequences of not doing so until it’s too late.

The DNC hack was the biggest election hack in US history. Every other day WikiLeaks is busy making public the “private” conversations that took place within the DNC networks. These private conversations spread like wildfire on social media. Cyberattacks such as the one against the DNC are not uncommon. Every other day, there is breach after breach; just look at the Yahoo data breach, the Anthem medical records breach, and so on.

Emails are used for corporate communications, including classified communications, every day. Sadly, even after all these widely public incidents and demonstrated lessons, a lot of companies still shy away from using encryption. The reasons range from the complexity of the software to overconfidence in the minimal probability of a cyberattack against them. But guess what? No one is secure. No matter how big or how small a company is.

Emails, being the bedrock of the internet, need to be and deserve to be shielded. The costs and impacts of data breaches and cyberattacks include:

  • Notification costs: All necessary activities required to report the breach to appropriate personnel within a specified period.
  • Breach response costs: All activities required to notify data subjects with a letter, telephone call, email or general notice that personal information was lost or stolen.
  • The cost of providing credit-monitoring services for at least a year.
  • Reputational damage.
  • Loss of business.
  • Negative publicity: Extensive media coverage, further damaging the organization’s reputation.
  • Attorney fees and litigation
  • Increase in insurance premium
  • Devaluation of trade name
  • Loss of intellectual property (IP)

It’s in your hands to protect your company’s privacy. And the time to act is now.

By Chris Grossi, Echoworx