Category: Data Privacy

22 Jan 2017

Healthcare Security in Critical Condition

Are healthcare organizations more vulnerable to data breaches than other industries?

Healthcare organizations (69 percent) and their third-party business associate (BA) partners (63 percent) certainly seem to feel they have a target on their backs, according to Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. However, that awareness hasn’t necessarily led to preventative action in many healthcare firms or the BAs that support them. Data breaches in healthcare continue to put patient data at risk and are becoming increasingly costly and frequent. According to Ponemon estimates, data breaches could already have cost the healthcare industry $6.2 billion.

While many of the breaches reported by survey respondents were small, containing fewer than 500 records, nearly 90 percent of healthcare organizations taking part in the study reported they had been victims of a data breach over the past two years, and 45 percent had more than five data breaches during that same period. Ponemon estimates that the average cost of a data breach for healthcare organizations over the past two years was more than $2.2 million, while the cost to BAs was more than $1 million. The top stolen files were medical files, billing and insurance records, and payment details, putting patients at risk not only of having personal details exposed, but also of financial identity theft.

What’s evident from the data is that employee negligence and mishandling of sensitive patient data are still a huge cause for concern; according to Verizon’s Data Breach Digest, 20 percent of data breaches reported in healthcare stem from insider privilege misuse. In the Ponemon report, 69 percent of health organization respondents cited “negligent or careless employees” as the type of security incident that worries them the most, compared with 45 percent for cyber attackers and 30 percent for insecure mobile devices.

At BAs, negligent or careless employees were cited by 53 percent of respondents as their most feared security incident. Healthcare organizations may be overly worried, as only 36 percent of healthcare organizations named unintentional employee action as a breach cause. For BAs, however, the fear matched the numbers more closely, as 55 percent of BAs named unintentional employee action as a breach cause.

According to a second report from Ponemon and Thales, which tracked extensive usage of encryption solutions for 10 industry sectors over three years, healthcare and pharmaceutical organizations have seen the largest jump in use of encryption solutions, with 40 percent of organizations now reporting encryption use. However, the same report also shows that the least likely data type organizations overall encrypt (at 21 percent) is health-related information, quite a surprising result given the regulatory requirements, sensitivity of the data, and the recent high-profile data breaches in healthcare.

Despite the increased frequency of breaches, and the rising costs to deal with the aftermath, half of these organizations still feel they lack the funding and resources to manage data breaches. The intent is there, as most companies have reevaluated their security practices and have implemented policies and procedures designed to curtail breaches. Those practices—however well intentioned—seem to be doing little to stop breaches from occurring.

For many organizations, it comes down to budget constraints; the majority of both healthcare organizations and BAs feel their organization:

  • Has not invested in the technologies necessary to mitigate a data breach
  • Has not hired enough skilled IT security practitioners
  • Has not adequately funded or provided resources for the incident response process

Healthcare organizations report that budgets have decreased since last year (10 percent of respondents) or stayed the same (52 percent). The scenario is similar for BAs: 11 percent reported decreases and 50 percent said the budget stayed the same.

Based on these reports, healthcare security is in critical condition. Breaches are happening frequently and are costing both healthcare organizations and BAs more. According to the Ponemon report, accountability for the data breach incident response process is dispersed throughout the organization; however, both healthcare organizations (30 percent) and business associates (41 percent) say IT is the function most accountable for the data breach response process. But who is responsible for stopping these breaches before a response is required?

CIOs and CISOs need to continue to push the envelope in their organization on breach prevention, escalating it to become a key business priority. They can start by putting their policies and procedures under a microscope, and locating where the black hole is when it comes to putting those policies and procedures into practice with employees. The next step is investing in encryption technology to prevent breaches, not just in insurance policies for when they occur.


By Chris Peel, VP Engineering, Echoworx

06 Jan 2017

A Welcome Reset for Citizen Privacy

Canada’s Public Consultation on National Security 

The notion that we are being watched digitally has, seemingly overnight, become something many people now accept as a fact of life in the modern, post-Snowden world. Much of the news around citizen privacy, as always, has been focused on the US, but are we on the sidelines? Canada is an active participant in the Five Eyes program, has rolled out the now politically toxic Bill C-51, and, as a member of NATO, NORAD, and enough acronyms to fill an alphabet soup, is very much an active player. Not to mention how connected we are on a personal level to the greater world. I may be Canadian, but I hold no illusions about my data – I exist online, along with my purchasing and travel behavior, web searches, e-mail and social media conversations, what TV shows I watch, and very often my location, on countless servers around the world – and the same goes for you. The more interesting question, now that extra-legal surveillance has become the de facto standard, is how governments have reacted and where, policy-wise, we go from here.

Both the US and UK have decided to go one way, attempting to drag extra-legal surveillance into the realm of legitimacy. In the US, this has meant keeping Edward Snowden a persona non grata, the FBI attempting to use the All Writs Act to compel Apple to write software that would break security features, the accepted use of Stingray devices at the local level, and so on. The UK, too, has been mulling over the draft Investigatory Powers bill, legislation that would compel internet service providers, telecom companies, and other services you rely on to turn in information about your habits without a warrant. Canada, in its own right, has made some concerning moves to the dark side. C-51, for instance, was a worrying enough debacle that the Liberals needed to reaffirm that yes, they do, in fact, still believe in the Charter. More recently, this summer, the Canadian Association of Chiefs of Police began vocally calling for the power to obtain people’s phone passwords in the course of an investigation.

But it appears as if we’ve been afforded the opportunity for a reset. The Canadian government has opened up several public comment periods this year surrounding national security, and specifically how it will adapt to investigations in the digital age. This is an encouraging step that allows citizens’ concerns to be heard and offers the opportunity to improve Canada’s national security laws and regulations, namely C-51. It takes two to tango, and some citizens are hesitant about the effectiveness of such consultations and the government’s reply, but it is the responsibility of a democracy to respond and adjust in a way that accommodates the public; that is its hallmark.

Thankfully, the voice of resistance and, in this case, reason, continues to get louder and more forceful around the globe when it comes to issues of privacy versus security. Apple was willing to stare down the government rather than publicly compromise the security of its users. Alex Stamos, former CISO of Yahoo, resigned when he learned of a secret program whereby the government could search the e-mail of all Yahoo users, in real time, without a warrant. With the public consultation, we too have the opportunity to voice our objection to these larger trends towards the invasion of citizens’ lives and the lowering of barriers to violating privacy.

So I, along with hundreds of others in the Canadian security industry, took part in the public comment period the government had devoted to national security. Hopefully you did the same. This was an opportunity to defend our fundamental rights and reset our legislation on citizen privacy.

Now, we sit back and wait to see how, in the face of an incredible amount of technological power, this government decides to treat its citizens – as an information mine to be exploited, or as the country’s most precious resource to be protected. We will be watching.

By Jacob Ginsberg, Senior Director, Echoworx

08 Dec 2016

Brexit, Snooper’s Charter…IT Dystopia?

Wondering why I am writing about the UK political scene? Well, because it has far-reaching implications on the privacy and security of our digital data and communications. A combination of Brexit and the passing of the Investigatory Powers Bill (IP Bill) could potentially stop the transfer of data between the UK and EU.

The General Data Protection Regulation (GDPR) is expected to come into force for EU member states in early 2018. Although Brexit will see the UK leave the European Union, UK businesses will still be bound by EU regulations when handling the data of EU citizens. Meanwhile, any UK-based business that trades in the EU is not idly waiting for the politicians. Jacob Ginsberg, Senior Director Products at Echoworx, explains it this way: “Much as the US did, any corporation that wants to do business in the EU must build a ‘safe harbor’ framework. UK businesses will either have to adhere to GDPR terms or fall behind the competition.”

Snooper’s Charter, a call to weaken encryption

Sustained trade, as well as the exchange of personal data, depends on compliance with the GDPR or with UK data protection standards that are equivalent in scope. Sadly, the UK doesn’t have any such data protection standards in place. In fact, it seems quite the opposite: recently, the House of Lords passed the IP Bill, also known as the “Snooper’s Charter”, into law.

This highly debated law provides a new framework to govern the use and oversight of investigatory powers by law enforcement and intelligence agencies. This bill will give the government the power of mass interception and mass surveillance—forcing communications service providers to store all digital communications and web browsing history for 12 months.

Basically, the government is looking to weaken encryption to gain easier access to the private data of businesses and citizens to help it tackle terrorism and online crime. The issue with this approach is that either we have strong encryption or we have no encryption. I’m going to paraphrase Benjamin Franklin here, who once said that those who would trade privacy for a bit of security deserve neither privacy nor security. Creating a backdoor for law enforcement will effectively open the door to other, possibly malicious, parties.

“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” – Benjamin Franklin

Ask any CISO or security expert, and they will say companies should move their data to a secure cloud. Unfortunately, security people aren’t on the board of business decision makers. Reduction in customer confidence and reputational damage are expensive factors to keep in mind. “During a time of unprecedented cyber-crime, organizations cannot afford to lower the standards of privacy and data protection because the risk to business and reputation is too high,” added Ginsberg.

A recent survey I read by KPMG revealed that 76% of CEOs are considering leaving the UK. Still, the question remains, what can companies do to protect the privacy of data while ensuring that they are not outside the legal bounds of UK law?

Jurisdictional security may be your answer.

Jurisdictional security is fast becoming a top priority for our European customers. Encryption is an essential element of securing any electronic communication. It’s time businesses get a handle on where their data resides and what laws their data is subject to. For those businesses with a UK presence, there are very real financial and operational implications of incoming UK-based policy.

In response to the UK’s impending departure from the EU, Echoworx opened data storage centers in Ireland on Amazon Web Services (AWS). Utilizing AWS means that we are no longer restricted by physical environments or the high maintenance of an on-premises IT infrastructure. It puts us in a far better position to focus all our attention on maintaining the highest levels of customer service, while still supporting our customers’ needs for better and more secure communication with the outside world.

Companies need to act fast: customers need reassurance that the security and privacy of their data can be maintained, and companies need to avoid churn to a more secure competitor. There is a lot of confusion over the exit of the UK from the EU; regardless, all companies should ensure they are compliant with the GDPR before it hits in 2018.

If you would like to find out more about enabling jurisdictional security or about our AWS implementation, reach out to the experts at Echoworx.

By Alex Loo, VP Operations at Echoworx

23 Nov 2016

Encryption, the best way to protect data from hackers

It’s no secret that today’s cyber criminals are heavily funded and technically astute – creating more methods to hack into organizations than individuals and businesses can keep up with. Because of their ever changing, advanced and growing capabilities, private organizations and governments must protect all possible gateways to information in our digital-driven society. To keep the data sent via email safe, email encryption remains the best protection in today’s cybersecurity landscape.

Smarter devices mean new vulnerabilities

The evolving technology landscape has created challenges for businesses trying to stay ahead of the curve. As the workforce becomes increasingly mobile and digital, organizations are opening new digital communication and commerce channels to meet employee and business needs. But as new devices are connected to the network, and thus become connected to confidential information, risks to data privacy will appear. These new devices and potential vulnerabilities create opportunities for hackers to infiltrate personal and professional networks at vulnerable entry points.

Companies must have a solution that is focused solely on encryption if they are to tackle today’s rapidly changing technology landscape. Encryption can be tailored to meet a company’s specific IT policies, compliance requirements and user needs to ensure that critical communication touch points are protected whether on mobile or desktop, keeping organizations’ information safe. Encryption allows businesses to innovate while leveraging new technologies, ensuring that sensitive data remains secure.

Securing confidential information – in transit and at rest

Vast volumes of confidential company, customer and employee data pass through business networks every day. Companies in regulated industries represent a treasure trove for cyber criminals, as they hold mounds of confidential information including biometrics, health records, financial transactions, inventory tracking, climate controls, and even digital keys. For example, to properly track medical records for HIPAA compliance, there is often personal information attached to communications that can be exploited by hackers.

Yet when it comes to protecting this confidential information, email security solutions are often overlooked in favor of network firewalls or file server security. As a result, message interception has become more frequent – putting information at risk. Email encryption solutions that are content aware are critical to combating hackers targeting corporate email data. Content-aware encryption solutions can be configured to automatically scan email content and attachments against a company’s security policies – providing a user-friendly experience for employees and peace of mind for IT management. Encryption is crucial to ensuring that this confidential information remains private and secure – while emails are in transit and at rest.
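To make the content-aware policy idea concrete, here is a minimal outbound-mail classifier, added here as an example and not Echoworx’s code: it scans subject, body and attachment text against a constructed rule set (SSN, payment card with Luhn check, health-record keywords) and decides whether a message leaving the organization must be encrypted. The rules, thresholds, the `internal_domain` parameter and the sample messages are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed policy: rule name -> (pattern, minimum hits before the rule fires).
# These thresholds and patterns are illustrative, not a vendor's real rule set.
POLICY = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 1),
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), 1),
    "health_record": (re.compile(r"\b(?:diagnosis|MRN|patient id|prescription)\b", re.I), 2),
}
SENSITIVE_EXT = {".csv", ".xlsx", ".pdf"}  # attachment types policy always encrypts (constructed)

@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text

@dataclass
class Decision:
    action: str    # "encrypt" or "deliver"
    reasons: list  # human-readable rule hits, suitable for the gateway's audit log

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out IDs and phone numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def classify(mail: OutboundMail, internal_domain: str) -> Decision:
    """Decide whether an outbound message must be encrypted under POLICY."""
    reasons = []
    # Subject, body and attachment text are scanned together, as a content-aware gateway would.
    text = "\n".join([mail.subject, mail.body, *mail.attachments.values()])
    for name, (pattern, min_hits) in POLICY.items():
        hits = pattern.findall(text)
        if name == "credit_card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if len(hits) >= min_hits:
            reasons.append(f"{name}: {len(hits)} match(es)")
    for fname in mail.attachments:
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in SENSITIVE_EXT:
            reasons.append(f"attachment {fname}: policy-listed type {ext}")
    # Only mail leaving the organization is in scope for these rules; internal mail is
    # delivered as-is, but the reasons are still returned so they can be logged.
    leaves_org = any(not r.lower().endswith("@" + internal_domain) for r in mail.recipients)
    if reasons and leaves_org:
        return Decision("encrypt", reasons)
    return Decision("deliver", reasons)
```

A real gateway would extract attachment text from the binary formats first; the Luhn step shows why a bare regex is not enough, since an order number can match the card pattern without being a card.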

Key to citizen privacy and security

Beyond the business benefits, encryption is also key to citizen privacy and security. But, as governments adapt to crime in the digital age, we have seen them continue to push for ways to weaken one of our best protections, encryption, with master keys or back doors to encrypted information. Encrypting sensitive information is just as important as locking your home when you leave. But would you hide a master key for your home right on its perimeter? Encryption back doors are essentially leaving a key for hackers to discover for easy entry.

Encrypted data is only as secure as the keys used by the system that locked it. If the keys are compromised by hackers, negligence or other means, or entryways are made available via backdoors, then any data that’s encrypted can be decrypted. Ultimately, an entrance into encrypted information, whether meant for the government or an IT executive, is an entrance for everyone, including cyber criminals. Encryption is critical to the security of data and to ensuring that citizens maintain their privacy, and management of keys is an essential piece of the puzzle.

As adversary tactics continue to grow and evolve, citizens and companies must feel confident that their data – from private information to intellectual property – is secure. Encryption is critical for protecting confidential data from today’s growing, fast-moving, and ever-changing cyber threats. And to remove pathways for hackers to exploit, we must ensure that back doors are not created and that all keys are properly managed. By applying encryption to email and other data, organizations can ensure that hackers have no way to read data that they discover or intercept.


By Kai Cheung, VP Architecture at Echoworx